
Breach Roundup: Mr. Raccoon Wants Your Password

Data Breach Today · Archived Apr 17, 2026

Also, Eurail Breach, ChipSoft Hospital Disruptions, W3LL Phishing Takedown



Pooja Tikekar (@PoojaTikekar) • April 16, 2026

Every week, ISMG rounds up cybersecurity incidents and breaches around the world. This week, help desks were targeted, Eurail exposed data of 308,000 customers and Fortinet patched critical FortiSandbox flaws. A "Pushpaganda" campaign abused Google Discovery for scams, Interlock leaked pediatric healthcare data and a suspected breach hit China's Tianjin supercomputing center. JanaWare ransomware targeted Turkey, a ChipSoft attack disrupted hospitals and authorities dismantled the W3LL phishing platform. Basic-Fit notified 1 million members and a Cookeville hospital breach affected nearly 338,000 people.

Social Engineering Attacks Spread With a Vengeance

Social engineering tactics embraced with a vengeance by adolescent hacking groups such as Scattered Spider and ShinyHunters are becoming a mainstay. Google's Threat Intelligence Group is warning that a financially motivated threat cluster, possibly using the online persona "Mr. Raccoon," is targeting the enterprise help desks and outsourced support teams of dozens of large corporations.

Hacking groups that emerged from the largely Western, adolescent cybercrime community known as "The Com" have for years converted social engineering attacks, often live telephone calls to an organization's IT help desk, into hacks of major corporations (see: Salesforce Sounds Alarm Over Fresh Data Extortion Campaign). Now a threat actor that Google tracks as UNC6783 is doing much the same, focusing on outsourced labor providers as well as help desks, resulting in "several dozen high-value corporate entities targeted across multiple sectors," wrote Austin Larsen, a Google threat intel analyst.
Researchers say UNC6783 may be the same threat actor calling themselves Mr. Raccoon who claimed responsibility for the theft of a massive trove of Adobe data from a business process outsourcing firm in India, allegedly including the personal information of 15,000 employees, millions of customer support tickets and bug bounty submissions.

UNC6783 relies on real-time interaction. It uses live chat and support channels to impersonate IT personnel, directing employees to spoofed Okta login pages hosted on lookalike domains with a consistent pattern: [organization].zendesk-support[number].com. A custom phishing kit bypasses multifactor authentication and captures credentials and clipboard data, allowing attackers to intercept authentication flows and register their own devices. In some cases, victims are instructed to install fake security updates, which deliver remote access capabilities under the guise of legitimate support activity.

UNC6783 pivots to extortion once data exfiltration is complete. Victims receive ransom demands through Proton Mail, indicating a data-theft-driven model rather than ransomware deployment. In at least one documented case, after gaining initial access through a BPO employee, the attacker escalated by targeting that employee's manager.

Eurail Breach Exposes Data of 308,000 Customers

Threat actors breached European railway pass provider Eurail's network in December 2025 and exfiltrated files containing personally identifiable information, the company said in a breach notification. The Dutch company said the cyberattack exposed personal data of 308,777 customers, including names, passport numbers, dates of birth, email addresses, postal addresses, phone numbers and travel companion details. The breach also affected participants in the EU's DiscoverEU travel program.
In February, a hacker publicly claimed responsibility for the attack, alleging they stole 1.3 terabytes of data from Eurail's AWS S3, Zendesk and GitLab environments. They said the dataset contains source code, database backups and support tickets. The hacker also said Eurail refused to engage in negotiations, after which they began promoting samples of the stolen data on Telegram and threatening broader release on the dark web.

Fortinet Patches Critical FortiSandbox Bugs Enabling Remote Code Execution

Fortinet patched two critical vulnerabilities in its FortiSandbox appliance that could allow attackers to take control of affected systems. The flaws are CVE-2026-39808, an unauthenticated operating system command injection bug that could let remote attackers execute arbitrary commands over HTTP, and CVE-2026-39813, a path traversal vulnerability in the JRPC API that could allow authentication bypass and potential privilege escalation. Both carry a CVSS score of 9.1. FortiSandbox is used to analyze suspicious files and detonate malware in enterprise environments, so a successful exploit could allow attackers to pivot into the broader network. Fortinet also disclosed CVE-2026-25836, a separate command injection flaw affecting FortiSandbox Cloud that requires super-admin privileges.

Pushpaganda Campaign Abuses Google Discovery to Drive Scareware, Ad Fraud

Threat actors are abusing Google's Discovery feed with artificial intelligence-generated content to push malicious notifications and inflate ad revenue, threat intelligence company Human Security found. The campaign, dubbed "Pushpaganda," blends search engine optimization manipulation, social engineering and scareware tactics to lure users into enabling browser notifications that deliver fraudulent alerts and scams. The operation relies on planting AI-generated, sensationalist articles, with headlines often mimicking financial updates, political news or exaggerated tech claims to drive clicks.
Once users land on attacker-controlled domains, they are prompted to allow push notifications. Accepting the request enables persistent alerts at the operating system level, bypassing traditional ad blockers. The scheme also generates invalid organic traffic from real mobile devices, distinguishing it from conventional bot-driven fraud. Researchers observed these notifications delivering fake legal threats, spoofed missed calls from family members and bogus financial alerts to coerce further engagement. The campaign generated approximately 240 million bid requests in a single week. The infrastructure includes at least 113 domains, initially targeting users in India before expanding to the United States, Australia and other regions.

Pushpaganda operators deploy deceptive user interface elements such as "Apply Now" or "Join WhatsApp" buttons that redirect users to additional malicious pages. Background browser tabs are simultaneously rotated through attacker-controlled sites using JavaScript to artificially boost ad impressions and session times. Researchers also identified deepfake advertisements featuring fabricated endorsements from celebrities and medical professionals.

Interlock Leaks 540GB Trove From Pediatric Hearing Center

Ransomware gang Interlock claims to have leaked on its dark web site a cache of 540 gigabytes, including nearly a half-million files, stolen from a Texas organization that provides school-based hearing screenings, and hearing loss and speech therapy, to pediatric patients in Texas and Louisiana. Houston-based Texas Hearing Institute says it provides audiology and speech services to "thousands" of children annually in 79 Texas counties, as well as in numerous Louisiana parishes.
Samples of leaked data Interlock claims to have stolen from the institute include internal business and financial documents, images of passports, employee tax forms, and a school accident report and diagram of a student who fell and injured his face and tongue at a Texas school during lunchtime recess. Interlock has been implicated in many other major hacking incidents involving healthcare sector entities, including Ohio-based Kettering Health. Kettering recently updated its breach tally for federal regulators, disclosing that the incident affected nearly 1.7 million individuals.

China Supercomputer Breach Exposes Massive Defense Data Trove

A threat actor allegedly breached China's National Supercomputing Center in Tianjin, exfiltrating more than 10 petabytes of sensitive data in what could rank among the largest cyber thefts to date, CNN reported. The attacker, operating under the moniker "FlamingChina," claimed the dataset includes classified military documents, missile schematics, aerospace research and simulation data. Portions of the data have been released as samples, with full access reportedly offered for sale on underground forums for hundreds of thousands of dollars in cryptocurrency. The targeted facility supports more than 6,000 organizations, including government, academic and defense entities, making it a high-value aggregation point for sensitive workloads such as weapons modeling and advanced research. Initial analysis suggests the intrusion used a compromised VPN endpoint, with data exfiltrated gradually over several months. Chinese authorities have not confirmed the breach, but cybersecurity experts reviewing leaked samples say the data appears consistent with outputs from a national supercomputing environment.

JanaWare Uses Adwind RAT to Drive Targeted Attacks in Turkey

A long-running ransomware operation is targeting users in Turkey using a customized variant of the Adwind remote access Trojan, threat research company Acronis found.
The operation, tracked as "JanaWare," has been active since at least 2020 and remains ongoing, with samples and active command-and-control infrastructure observed as late as 2025. Researchers say the operators rely primarily on phishing emails to deliver malicious Java archive files. Victims receive an email through Microsoft Outlook containing a Google Drive link, which triggers the download of a malicious JAR file executed via javaw.exe. Once executed, the malware deploys a tailored Adwind RAT to establish persistence and remote control, but encryption does not begin immediately. The RAT first surveys the compromised system, collecting information such as hostname, operating system version and file inventory, and reports back to the attackers. The JanaWare ransomware module is downloaded and deployed only selectively, once operators determine the target is worth pursuing. The malware uses polymorphic techniques and code obfuscation to evade detection, alongside geofencing that restricts execution based on locale, language and IP checks. Unlike large ransomware groups targeting enterprises, JanaWare operators appear focused on individuals and small-to-medium businesses, with ransom demands typically ranging between $200 and $400.

Ransomware Attack on ChipSoft Disrupts Dutch and Belgian Hospital Systems

A ransomware attack on Dutch healthcare software provider ChipSoft disrupted hospital systems nationwide, forcing multiple institutions to take patient-facing services offline and triggering a sector-wide security response. Z-CERT, the Netherlands' healthcare cybersecurity authority, acknowledged on April 7 a compromise involving unauthorized access to ChipSoft systems. The vendor supplies electronic patient record software to roughly 70% of Dutch hospitals, making the breach a high-impact single point of failure across the country's healthcare infrastructure.
ChipSoft disabled connections to key platforms, including its Zorgportaal and HiX services, while advising customers to disconnect from its network. Hospitals were instructed to sever VPN links and monitor traffic for signs of lateral movement. At least 11 hospitals took patient portals offline as a precaution, cutting off access to online records, appointment systems and communication tools. Facilities in Weert, Roermond and Venlo, among others, reported outages tied to the incident. Patient portals at several Belgian hospitals also went offline following the attack. Despite the service interruptions, hospitals said clinical care continued using fallback processes. Z-CERT said internal access to patient records remained largely intact, with institutions shifting to manual workflows and increased staffing to manage disruptions.

FBI, Indonesian Authorities Dismantle 'W3LL' Phishing Platform

The FBI, working with the Indonesian National Police, dismantled a global phishing operation built around the W3LL phishing kit, a platform used to steal credentials and facilitate large-scale financial fraud (see: View to a Phish: W3LL Specializes in Microsoft 365 Hacking). Authorities seized infrastructure tied to the operation and detained an alleged developer identified as "G.L." The W3LL kit enabled affiliates to deploy spoofed login pages that captured usernames, passwords and session cookies. By intercepting authentication flows, the kit allowed attackers to bypass multifactor authentication and hijack accounts. The toolkit, sold for roughly $500, lowered the barrier to entry for cybercriminals, packaging automation, anti-bot protections and credential replay capabilities into a turnkey offering.

Basic-Fit Data Breach Affects 1M Members Across Europe

Basic-Fit, which operates gyms in six European nations from its home country of the Netherlands, is notifying about 1 million of its 5 million active members of a data theft incident affecting their personal information.
A Basic-Fit spokesperson told ISMG that the company's "monitoring systems" detected an unauthorized download of data, which was stopped "within minutes." "The access was closed immediately, and the data is no longer accessible," the spokesperson said. The incident involved an unspecified vulnerability in Basic-Fit's IT system, the spokesperson said. "The external investigation is looking into the access and how to prevent this in the future. Having said that, unfortunately, a 100% security does not exist, but we invest heavily in keeping data safe and will await the outcome of the investigation," the spokesperson said.

Besides the Netherlands, the compromised system contained data of Basic-Fit active members in the other five countries where the company operates gyms: Belgium, France, Germany, Luxembourg and Spain. The exfiltrated data included membership information, name and address details, email addresses, phone numbers, dates of birth and bank account details. Basic-Fit said it does not hold identification documents of members and that no passwords were accessed.

Other Stories From This Week

Goldman Sachs 'Hyperaware' as it Tests Mythos for Defense
Freight Hacker Wields Code-Signing Service to Evade Defenses
HSCC Guide Targets Third-Party AI Risk in Healthcare
US FCC Grants Netgear Temporary Exemption From Router Ban
OpenAI Touts Wider Access to Its New Cyber Model

With reporting from Information Security Media Group's Marianne Kolbasuk McGee in the Boston exurbs.
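Added example, not from the ISMG article, Google's report or the W3LL write-up: a small Python hunt that applies the UNC6783 lookalike-domain pattern described under "Social Engineering Attacks Spread With a Vengeance" to web proxy logs. It also serves the W3LL item, since both operations work by steering users to spoofed login pages on attacker-owned hosts. The organization label "acme", the known-good hostnames, the log format and the log lines are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log lines for a hypothetical organization ("acme"); not real traffic.
# Format assumed: <timestamp> <user> <url>
SAMPLE_PROXY_LOG = """\
2026-04-14T09:12:03Z jdoe https://acme.okta.com/app/UserHome
2026-04-14T09:13:41Z jdoe https://acme.zendesk-support3.com/login
2026-04-14T09:14:02Z mroe https://acme.zendesk.com/hc/en-us
2026-04-14T09:15:27Z mroe https://acme.zendesk-support12.com/okta/verify
2026-04-14T09:16:00Z asmith https://mail.example.com/owa
"""

# Hostnames the hypothetical organization legitimately uses for SSO and support (assumption).
KNOWN_GOOD_HOSTS = {"acme.okta.com", "acme.zendesk.com"}

# Organization labels worth protecting: the leftmost label of each known-good host.
PROTECTED_ORG_LABELS = {h.split(".")[0] for h in KNOWN_GOOD_HOSTS}

# The naming pattern Google attributed to UNC6783: [organization].zendesk-support[number].com
LOOKALIKE_RE = re.compile(
    r"^(?P<org>[a-z0-9-]+)\.zendesk-support(?P<n>\d+)\.com$", re.IGNORECASE
)


def classify_host(host):
    """Return 'known-good', 'lookalike' or 'other' for a hostname."""
    host = host.lower().rstrip(".")
    if host in KNOWN_GOOD_HOSTS:
        return "known-good"
    if LOOKALIKE_RE.match(host):
        return "lookalike"
    return "other"


def scan_proxy_log(text):
    """Return one finding per log line whose hostname matches the lookalike pattern."""
    findings = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash mid-hunt
        ts, user, url = parts
        host = (urlsplit(url).hostname or "").lower()
        if classify_host(host) != "lookalike":
            continue
        org = LOOKALIKE_RE.match(host.rstrip(".")).group("org")
        findings.append({
            "ts": ts,
            "user": user,
            "host": host,
            "impersonated_org": org,
            # A lookalike that reuses our own org label is the high-confidence case.
            "targets_our_org": org in PROTECTED_ORG_LABELS,
        })
    return findings


if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(finding)
```

A hit means a user's browser reached the lookalike, so the response is to treat that user's Okta password, MFA factors and any recently enrolled devices as compromised (the article notes the kit lets attackers register their own devices), not merely to block the domain. The regex is anchored on the exact reported pattern; widen it only after checking false positives, because Zendesk's real customer subdomains sit under zendesk.com and belong on the known-good list, as here.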
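Added example, not from the Acronis research or the article: an endpoint triage pass over process-creation events for the JanaWare delivery chain described under "JanaWare Uses Adwind RAT to Drive Targeted Attacks in Turkey", that is, javaw.exe launching a JAR that arrived by mail or download. The events, field names, paths and the list of delivery parents are constructed assumptions; the report mentions javaw.exe and Outlook, while java.exe and the browsers are added here as a generalization.

```python
import shlex
from pathlib import PureWindowsPath

# Constructed process-creation events in a Sysmon-like shape (hypothetical field names,
# not from the Acronis report). Events 1 and 4 model the JanaWare delivery chain;
# events 2 and 3 are benign activity that should not fire.
SAMPLE_EVENTS = [
    {"pid": 4120, "user": "ali",
     "image": r"C:\Program Files\Java\jre1.8.0_311\bin\javaw.exe",
     "cmdline": r'"C:\Program Files\Java\jre1.8.0_311\bin\javaw.exe" -jar "C:\Users\ali\Downloads\Fatura_2025.jar"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 4188, "user": "ali",
     "image": r"C:\Program Files\Java\jre1.8.0_311\bin\javaw.exe",
     "cmdline": r'"C:\Program Files\Java\jre1.8.0_311\bin\javaw.exe" -jar "C:\Program Files\ERP\erp-client.jar"',
     "parent_image": r"C:\Program Files\ERP\launcher.exe"},
    {"pid": 4301, "user": "ali",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 4410, "user": "ali",
     "image": r"C:\Program Files\Java\jre1.8.0_311\bin\java.exe",
     "cmdline": r"java.exe -jar C:\Users\ali\AppData\Local\Temp\Update.jar",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
]

JAVA_LAUNCHERS = {"java.exe", "javaw.exe"}
# Substrings that place a JAR in a user-writable location (lower-cased, backslash paths).
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")
# Parents meaning "a mail client or browser just handed Java a file" (assumed list).
DELIVERY_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def basename(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return PureWindowsPath(path).name.lower()


def extract_jar_path(cmdline):
    """Return the JAR path from a Java command line, or None if no JAR is launched."""
    # posix=False keeps Windows backslashes intact and keeps quoted paths together.
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    for i, tok in enumerate(tokens):
        if tok.lower() == "-jar" and i + 1 < len(tokens):
            return tokens[i + 1]
    # Shell file association can launch a JAR without an explicit -jar switch.
    for tok in tokens[1:]:
        if tok.lower().endswith(".jar"):
            return tok
    return None


def triage_events(events):
    """Flag Java launching a JAR from a user-writable path or from a delivery parent."""
    findings = []
    for ev in events:
        if basename(ev["image"]) not in JAVA_LAUNCHERS:
            continue
        jar = extract_jar_path(ev["cmdline"])
        if jar is None:
            continue
        reasons = []
        if any(m in jar.lower() for m in USER_WRITABLE_MARKERS):
            reasons.append("jar-in-user-writable-path")
        if basename(ev["parent_image"]) in DELIVERY_PARENTS:
            reasons.append("mail-or-browser-parent")
        if reasons:
            findings.append({"pid": ev["pid"], "user": ev["user"],
                             "jar": jar, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_events(SAMPLE_EVENTS):
        print(finding)
```

The JAR under Program Files launched by a packaged ERP client is left alone, which is the tuning a real estate of line-of-business Java apps needs; the Downloads and Temp launches are the ones worth pulling the JAR for, and because the article says the ransomware module is only fetched later, catching the initial RAT stage here is what keeps encryption from happening at all.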