Brazil alert hack sends ‘alien attack’ warnings; legacy D-Link routers hijacked, and more cybersecurity news
Publish Date: 2026-06-27 00:00:00
Source Domain: forklog.com
Here are the week’s key cybersecurity developments.
Canada’s spy agency used a court order to remotely clean citizens’ devices for the first time.
A macOS infostealer bypassed AI-based analysis using fake error injections.
Europol dismantled a distribution network for the Amadey and StealC malware.
In Brazil, hackers sent emergency alerts about an “alien attack.”
Canada’s spy agency uses court order for remote device cleanup for the first time
Canada’s intelligence service received an unprecedented court order authorizing remote intervention on infected servers, home routers, and IoT devices in the country, Todayville reported.
The botnets operated as traffic relays. By routing data through compromised equipment, attackers made their traffic appear to come from ordinary home users or internet providers. This allowed them to covertly scan networks of critical infrastructure (including the energy sector) as well as Canadian government and military agencies.
Targets for cleanup included Canada-based servers, routers for small businesses and homes, and smart devices such as doorbells, security cameras, TVs, and other Wi-Fi–enabled equipment.
The Federal Court of Canada declassified a public version of the order only in mid-June 2026, although it was issued more than two years earlier. The ruling emphasizes that no personal data was intercepted and any incidentally collected information was immediately destroyed.
Media reports point to outdated hardware as a key factor in such attacks. Malware is deployed on IoT devices with factory-default passwords or on equipment that is no longer supported.
Research from XLab confirms the pattern: its analysts found a previously unknown botnet, AryStinger, that abuses legacy D-Link home routers, models DIR-850L and DIR-818LW.
During the campaign, attackers compromised more than 4,000 routers, turning them into proxies to relay malicious traffic and perform distributed tasks.
According to the researchers, beyond using devices as a launchpad for attacks, AryStinger can tamper with DNS settings, intercept victims’ browser sessions, and covertly monitor and steal all inbound and outbound network traffic. About 48% of infections were in South Korea, China, Sweden, Malaysia, and Singapore.
macOS infostealer bypasses AI analysis with fake error injections
SentinelOne researchers reported new macOS malware dubbed Gaslight. The infostealer specifically targets AI-based automated code analysis and reverse-engineering tools.
Analysts attribute the malware to North Korean hackers with high confidence. In addition to standard backdoor and data-theft functionality, the Gaslight file hides a special 3.5 KB loader. It contains 38 fabricated system messages formatted with Markdown and templates.
Fake error messages. Source: SentinelOne.
These strings act as prompt injections aimed at LLM-based analysis agents. The fake messages imitate developer logs, crash reports, memory overflow errors, and token-expiration warnings. Their goal is to make the AI agent doubt the integrity of its own analysis session.
By feeding this context to AI platforms, attackers expect the model to stop working, truncate the report, or refuse to continue analyzing a “corrupted” sample, citing non-existent technical errors, the researchers said.
Europol dismantles networks spreading Amadey and StealC
Europol, working with law enforcement from a dozen countries and Microsoft specialists, dismantled distribution networks for the SocGholish, Amadey, and StealC malware.
The Amadey trojan served as a loader to gain initial access, after which it deployed the StealC infostealer. StealC focused on stealing passwords, credit card data, and wallet seed phrases.
The coordinated operation resulted in:
seizure of 326 servers and 142 domains;
identification and freezing of cryptoassets worth more than $47 million;
seizure of a database containing over 27 million stolen credentials;
cleanup of about 15,000 WordPress sites that attackers had previously compromised to covertly distribute SocGholish under the guise of system updates.
In Hong Kong, police arrested members of the syndicate’s financial arm, the South China Morning Post reported.
The 69 detainees, aged 18 to 60, were part of a group that specialized in laundering proceeds from cross-border investment fraud using cryptocurrencies.
To obscure trails and legitimize illicit funds, the group used a sprawling network of fake accounts registered to nominee account holders (“drops”). Police estimate the group laundered about $25.6 million.
In Brazil, hackers sent emergency alerts about an “alien attack”
Overnight on June 19–20, 2026, Brazil’s national emergency alert system (Defesa Civil Alerta) came under cyberattack, G1 reported.
Following the breach, residents of several states received “emergency warnings” accompanied by loud sirens on their smartphones — the signal triggered even on devices set to silent mode.
Instead of real alerts about natural disasters, the attackers sent 10 messages with incoherent, odd text. Most included the word “misanthropy,” slang, and typos; in some regions the alerts even warned of a supposedly underway “alien attack.”
Source: G1.
According to preliminary data from the Ministry of Integration and Regional Development, the attack targeted the government’s Cell Broadcast mechanism.
Attackers likely compromised Civil Defense employee accounts. With access to the platform, they remotely initiated a highest-priority alert (Alerta Extremo), which bypasses smartphone sound and notification restrictions.
To stop the spam attack, authorities took extreme measures: at 1:30 a.m., servers of the alert system were forcibly shut down. At the time of writing, the Defesa Civil Alerta platform had been partially restored, but the right to send alerts was reserved exclusively for the National Center for Risk and Disaster Management.
ZachXBT reveals the identity of a hacker detained in Poland
European law enforcement, supported by the FBI and the U.S. Department of Homeland Security, arrested four members of a hacking group, Poland’s Central Bureau for Combating Cybercrime (CBZC) said.
The suspects are accused of SIM-swapping attacks, stealing digital assets from crypto exchanges, and large-scale money laundering.
According to investigators, the group used specialized software and social engineering to compromise the IT infrastructure of companies working with telecom operators. After gaining access to employee email, they hijacked victims’ phone numbers by having them reassigned to SIM cards under their control.
Intercepting the calls and SMS messages sent to those numbers let the attackers bypass two-factor authentication, take over user accounts on crypto exchanges, and withdraw digital assets.
The stolen funds were laundered through a complex distributed financial network that included:
personal bank accounts in Poland and abroad;
international payment platforms;
crypto wallets.
The total amount laundered is estimated at tens of millions of Polish zloty. All four suspects face up to 25 years in prison.
Authorities did not disclose the detainees’ identities, but on-chain researcher ZachXBT said one of them is Wojtek Kulis — a Polish hacker specializing in social engineering, known online as Merry.
https://t.me/investigations/344
The analyst drew this conclusion by matching designer clothing and jewelry seen in police raid footage with items Kulis had previously showcased on his Instagram account.
Also on ForkLog:
Polymarket will compensate losses for users after an attack via a contractor.
In Bristol, authorities disabled AI models for child-crime risk due to errors.
South Korea’s regulator fined Bithumb over a data breach.
The U.S. Department of Justice seized infrastructure of Huione Group’s “crypto laundering” operation.
16 million ADA were withdrawn from SecondFi wallets.
Thailand linked illegal mining to laundering $300 million.
Five Eyes warned of accelerating AI-enabled cyberattacks.
The crypto industry set a record for the number of hacks.
A hacker breached the Taiko L2 network.
Axelar reported a $4.67 million breach of its bridge with Secret Network.
MEV bot Jaredfromsubway.eth lost more than $7.5 million.
What to read over the weekend?
The gap between dollar and euro stablecoins isn’t measured in percentages — it’s 200x. In a new piece, ForkLog examines why the EU lost a “blockchain race” that barely started and how the situation could be improved.