Also: DSLRoot Turns Homes Into Proxies, Cyberattack Disrupts Swedish Towns

Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week: TransUnion reported an incident affecting 4.5 million people, DSLRoot turns home internet connections into proxies, Interpol's Operation Serengeti 2.0 led to 1,209 arrests, the ZipLine campaign exploited contact forms, a cyberattack disrupted 200 Swedish municipalities, the Maryland Transit Administration was hit by ransomware, and TAG-144 escalated attacks on South American governments.
Hackers Stole 4.5M Records From TransUnion
U.S. credit rating agency TransUnion disclosed Thursday that hackers stole data belonging to 4.46 million individuals.
Stolen data includes names, Social Security numbers and dates of birth, according to a disclosure filed with the state of Texas. TransUnion says hackers did not access credit information. “The incident involved unauthorized access to limited personal information for a very small percentage of U.S. consumers,” a spokesperson told media.
The firm, one of three major American credit rating bureaus, is telling victims that hackers obtained access through “a third-party application serving our U.S. consumer support operations.”
A company spokesperson did not respond to a query about whether the stolen data came from an instance of customer relationship management software Salesforce – which has been a target of a community of juvenile hackers known as ShinyHunters. In a wave of attacks that began earlier this summer, hackers impersonate IT support staff in phone-based vishing attacks, tricking employees into installing malicious versions of Salesforce’s Data Loader connected app. Victims have included Google and Cisco (see: Google and Cisco Report CRM Software Breaches Via Vishing).
BleepingComputer reported that sources, including a ShinyHunters representative, confirmed the source was a Salesforce instance. The ShinyHunters representative asserted that the group stole more than 13 million records, 4.4 million of them relating to people in the United States, the outlet reported.
TransUnion is telling victims that they will get two years of free credit monitoring services – from TransUnion.
DSLRoot Turns Home Internet Into Proxies
A residential proxy service is apparently paying Americans $250 a month to host laptops and turn their home into a possible exit node for hackers.
A Reddit user with the handle “Sacapoopie” in a now-deleted post wondered whether it is “stupid for me” to host laptops provided by DSLRoot on a separate network wired to his house. “They just sit there and I get paid for it. The company pays the internet bill too,” Sacapoopie wrote.
The Reddit poster said DSLRoot shipped two laptops to his home which were hardwired into a modem and DSL port, and that they ran a proprietary program spawning multiple command windows and establishing outbound connections. The devices were kept on 24/7. Sacapoopie in other posts has said he’s a member of the U.S. Air National Guard.
DSLRoot confirmed the arrangement, Sacapoopie later said on Wednesday, reproducing what he said was the company’s “official response.” DSLRoot told Sacapoopie that it has recruited “regional agents” since 2012 “and never had any legal issues.”
Residential proxy services have legitimate applications, such as ad verification or competitive market research – but it’s no secret that hackers prize residential proxies. Nation states often construct their own botnets of compromised internet of things devices to obfuscate their operations (see: Chinese Hackers Turn Unpatched Routers Into ORB Spy Network).
Sacapoopie said DSLRoot doesn’t allow illegal activity, and that “people doing credit card fraud or other stupid things won’t pay $190/month for a package … there are much cheaper options for that.” The firm also said its proxies “are much slower than regular ‘static’ junk botnet proxies so there is no reason for anyone to use our ‘expensive+slow+dynamic’ solution” for cybercrime.
Independent cybersecurity reporter Brian Krebs tied DSLRoot’s origins to Russia and Eastern Europe.
Operation Serengeti 2.0
Law enforcement agencies disrupted cybercrime networks and threat actors operating across the African continent and beyond, Interpol disclosed on Friday.
In an orchestrated crackdown dubbed Operation Serengeti 2.0, more than two dozen countries including 18 African nations and the United Kingdom arrested 1,209 suspects connected to cybercrimes that affected 88,000 individuals. Authorities said they recovered $97.4 million and dismantled “11,432 malicious infrastructures” between June and August.
The operation is a follow-up to a similar effort in 2024. TRM Labs said blockchain analysis led investigators in Ghana to identify money laundering infrastructure tied to the Bl00dy ransomware group, an offshoot of the Russian-speaking Conti ransomware group (see: Conti’s Legacy: What’s Become of Ransomware’s Most Wanted?).
In Zambia, authorities shut down an elaborate crypto investment scam platform. The cybercrime ring behind the platform is credited with defrauding roughly 65,000 victims, generating financial losses estimated at $300 million. Police found forged passports, smartphones, SIM cards and servers among the group’s possessions.
Authorities in Angola uncovered 25 illegal cryptomining facilities maintained by 60 Chinese nationals. The crackdown identified 45 unsanctioned electricity stations and IT equipment valued at $37 million.
Operation Serengeti 2.0 marks one of the largest coordinated cybercrime crackdowns in Africa’s history. “Each Interpol-coordinated operation builds on the last, deepening cooperation, increasing information sharing and developing investigative skills across member countries,” said Valdecy Urquiza, Interpol secretary general.
ZipLine Campaign Exploits Contact Forms to Deliver MixShell Malware
Cybersecurity researchers at Check Point uncovered a social engineering campaign they dub ZipLine targeting supply chain-critical industries with a stealthy in-memory malware called MixShell.
Unlike typical phishing campaigns, attackers initiate contact through a company’s public “Contact Us” form, opening weeks-long conversations that appear professional and credible. Victims are even asked to sign fake non-disclosure agreements before receiving a malicious ZIP file.
The weaponized archives contain Windows shortcut LNK files that launch PowerShell loaders, eventually deploying MixShell. The malware supports remote command execution, file operations, reverse proxying, persistence through DNS tunneling and HTTP fallback. A PowerShell variant includes sandbox evasion and anti-debugging techniques.
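The delivery chain above starts with a ZIP attachment whose members are Windows shortcut (LNK) files rather than the documents they pose as. The following added example, which is not code from Check Point or from the campaign, shows how a mail gateway or analyst script can triage such an archive offline: it identifies LNK members by the ShellLink header magic (header size 0x4C followed by the LNK CLSID) instead of trusting the file extension, and notes whether the shortcut references PowerShell. The sample archive, file names and shortcut contents are constructed for the demonstration.

```python
"""Added example (not Check Point's or the campaign's code): triage a ZIP
attachment for Windows shortcut (LNK) members without opening them on a
Windows host. Detection keys on the LNK header magic, not the extension."""
import io
import struct
import zipfile

LNK_HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} as laid out on disk (little-endian GUID)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# Shortcut strings are stored UTF-16LE, so search for that encoding, not ASCII
POWERSHELL_UTF16 = "powershell".encode("utf-16-le")


def is_lnk(blob: bytes) -> bool:
    """True if blob starts with an MS-SHLLINK header: HeaderSize 0x4C then the LNK CLSID."""
    return (len(blob) >= 20
            and struct.unpack_from("<I", blob, 0)[0] == LNK_HEADER_SIZE
            and blob[4:20] == LNK_CLSID)


def lnk_reasons(name: str, data: bytes) -> list:
    """Reasons to flag one archive member; empty list means not a shortcut."""
    reasons = []
    if is_lnk(data):
        reasons.append("LNK header")
        if not name.lower().endswith(".lnk"):
            reasons.append("extension mismatch")          # shortcut disguised under another name
        if POWERSHELL_UTF16 in data.lower():              # bytes.lower() only touches ASCII
            reasons.append("references powershell")
        if name.lower().count(".") > 1:                   # e.g. NDA.pdf.lnk
            reasons.append("double extension")
    return reasons


def triage_zip(zip_bytes: bytes) -> dict:
    """Map member name -> reasons for every flagged member of an in-memory ZIP."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = lnk_reasons(info.filename, zf.read(info))
            if reasons:
                findings[info.filename] = reasons
    return findings


def fake_lnk(target: str) -> bytes:
    """Constructed shortcut bytes for the demo: a valid header plus a UTF-16LE path string."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    return header + target.encode("utf-16-le")


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign PDF, one disguised LNK, one LNK with a .txt name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("NDA.pdf", b"%PDF-1.4\n% constructed benign placeholder\n")
        zf.writestr("NDA_signed.pdf.lnk",
                    fake_lnk("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"))
        zf.writestr("notes.txt", fake_lnk("C:\\Windows\\notepad.exe"))
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage_zip(build_sample_zip()).items():
        print(f"{member}: {', '.join(reasons)}")
```

Reading the header rather than the extension matters because the archive members can be renamed freely; a member that carries the LNK CLSID is a shortcut whatever it is called, and a shortcut that mentions PowerShell inside a business-themed ZIP is worth quarantining before any user opens it.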
Check Point said that many malicious ZIPs are hosted on HerokuApp, a legitimate cloud platform, enabling attackers to blend in with normal traffic. The campaign also abuses abandoned domains of U.S.-registered LLCs to add legitimacy and bypass security filters.
Targets are spread globally but with emphasis on U.S. industrial manufacturing, semiconductors, consumer goods, biotech and pharmaceuticals. Other victims have been seen in Singapore, Japan and Switzerland.
Researchers linked the infrastructure used in ZipLine to a cluster known as UNK_GreenSec, previously observed in TransferLoader attacks by Zscaler and Proofpoint.
Cyberattack Disrupts 200 Swedish Municipalities
A cyberattack on Miljödata, a key IT systems supplier for Sweden’s municipalities, disrupted services in more than 200 regions and raised concerns over stolen sensitive data, reported daily newspaper Aftonbladet.
The Swedish software firm provides work environment and HR management systems used by about 80% of municipalities for handling medical certificates, rehabilitation, occupational injuries and incident reporting. Attackers demanded a ransom of 1.5 bitcoin – about $168,000 – in exchange for not leaking stolen information.
Miljödata CEO Erik Hallén reported the incident on Aug. 25, said national public television broadcaster Sveriges Television.
Maryland Transit Administration Hit by Ransomware, Paratransit Requests Disrupted
The Maryland Transit Administration underwent a ransomware attack that has disrupted its paratransit service for disabled riders. The agency currently cannot process new requests.
In a statement, MTA confirmed “unauthorized access to certain systems” and said it is working with the Maryland Department of Information Technology to investigate and restore services. The agency stressed that core transit services are unaffected.
TAG-144 Escalates Attacks on South American Government
A cyberespionage group tracked by Recorded Future’s Insikt Group as TAG-144 ramped up operations against South American government agencies, particularly in Colombia. Active since 2018, the group relies on commodity remote access Trojans such as AsyncRAT, Remcos and XWorm, typically delivered through spear-phishing emails posing as tax or judicial notices.
Analysts at Recorded Future report that since mid-2025, activity has accelerated, with five distinct clusters deploying fresh infrastructure and abusing legitimate internet services to stage malware.
Initial access is usually gained through compromised or spoofed government email accounts, luring victims to open malicious documents or SVG files containing embedded JavaScript. The scripts download second-stage loaders from services such as Paste.ee or Discord’s content delivery network. Recorded Future identified multiple compromised Colombian government accounts distributing fake legal summonses.
TAG-144’s campaigns often result in credential theft, data exfiltration and extortion, with Colombian federal and municipal agencies hit hardest. The group employs familiar tools – dynamic DNS domains, open-source RATs and stolen crypters – but has recently adopted steganography and domain generation algorithms, complicating detection.
One advanced technique involves hiding a Base64-encoded .NET assembly inside JPEG images hosted on Archive.org. A malicious PowerShell script locates embedded byte markers, extracts the payload in memory and executes it without writing to disk, evading antivirus detection. Coupled with dynamic domain resolution via services like duckdns.org and noip.com, this approach enables resilient, agile command-and-control infrastructure.
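The steganography described above leaves an artifact a defender can look for: a JPEG that is longer than its picture, with an encoded blob sitting between recognisable byte markers. The following added example, which is not code from Recorded Future or from the campaign, checks an image file for that condition: it measures the data after the last end-of-image marker, tries to decode a Base64 region between a pair of markers, and reports whether the decoded bytes begin with a PE (and therefore possibly .NET assembly) header. The marker strings are assumed placeholders, since the article does not give the real ones, and the sample images are constructed.

```python
"""Added example (not Recorded Future's or the campaign's code): flag JPEG
files that carry a Base64-encoded PE/.NET payload after the picture data."""
import base64
import binascii
import re
from typing import Optional

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
# Assumed placeholder markers; the article does not state the real byte markers.
START_MARKER = b"<<PAYLOAD_BEGIN>>"
END_MARKER = b"<<PAYLOAD_END>>"
# A long run of Base64 alphabet characters is suspicious on its own, markers or not
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def trailing_bytes(data: bytes) -> int:
    """Bytes after the last end-of-image marker. Entropy-coded JPEG data never
    contains FF D9 (0xFF is byte-stuffed), so the last EOI is the real end of the
    picture and anything after it is foreign to the image."""
    eoi = data.rfind(JPEG_EOI)
    if eoi < 0:
        return len(data)
    return len(data) - (eoi + 2)


def extract_marked_payload(data: bytes) -> Optional[bytes]:
    """Decode the Base64 region between the markers, or None if absent or invalid."""
    start = data.find(START_MARKER)
    if start < 0:
        return None
    start += len(START_MARKER)
    end = data.find(END_MARKER, start)
    if end < 0:
        return None
    try:
        return base64.b64decode(data[start:end], validate=True)
    except binascii.Error:
        return None


def analyse_jpeg(data: bytes) -> dict:
    """Collect the indicators for one file."""
    payload = extract_marked_payload(data)
    tail = data[data.rfind(JPEG_EOI) + 2:] if JPEG_EOI in data else data
    return {
        "is_jpeg": data.startswith(JPEG_SOI),
        "trailing_bytes": trailing_bytes(data),
        "marked_payload": payload is not None,
        "payload_is_pe": payload is not None and payload.startswith(b"MZ"),
        "base64_runs_after_eoi": len(B64_RUN.findall(tail)),
    }


def verdict(report: dict) -> str:
    """Turn the indicators into a triage decision, strongest evidence first."""
    if report["payload_is_pe"]:
        return "malicious: embedded PE/.NET assembly"
    if report["marked_payload"] or report["base64_runs_after_eoi"]:
        return "suspicious: encoded data appended to image"
    if report["trailing_bytes"]:
        return "suspicious: trailing data after EOI"
    return "clean"


# Constructed samples, not real files from the campaign
CLEAN_JPEG = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + JPEG_EOI
FAKE_ASSEMBLY = b"MZ" + b"\x90" * 100        # 102 bytes -> 136 Base64 chars, no padding
STEGO_JPEG = CLEAN_JPEG + START_MARKER + base64.b64encode(FAKE_ASSEMBLY) + END_MARKER

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("stego", STEGO_JPEG)):
        print(name, verdict(analyse_jpeg(blob)))
```

The trailing-data check is the generic layer: it fires on any JPEG that has been padded after its EOI, including files from campaigns that use different markers, while the marker and PE checks confirm the specific pattern in the report. Running this over images fetched from public hosting by endpoints that then spawn PowerShell is one way to surface this loader without relying on antivirus catching the in-memory stage.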
With reporting from Information Security Media Group’s Gregory Sirico in New Jersey and David Perera in Northern Virginia.
