{"id":237911,"date":"2026-06-27T00:00:00","date_gmt":"2026-06-27T04:00:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/27\/brazil-alert-hack-sends-alien-attack-warnings-legacy-d-link-routers-hijacked-and-more-cybersecurity-news\/"},"modified":"2026-06-27T01:00:22","modified_gmt":"2026-06-27T05:00:22","slug":"brazil-alert-hack-sends-alien-attack-warnings-legacy-d-link-routers-hijacked-and-more-cybersecurity-news","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/27\/brazil-alert-hack-sends-alien-attack-warnings-legacy-d-link-routers-hijacked-and-more-cybersecurity-news\/","title":{"rendered":"Brazil alert hack sends \u2018alien attack\u2019 warnings; legacy D-Link routers hijacked, and more cybersecurity news"},"content":{"rendered":"<p><a href=\"https:\/\/forklog.com\/en\/brazil-alert-hack-sends-alien-attack-warnings-legacy-d-link-routers-hijacked-and-more-cybersecurity-news\/\">Brazil alert hack sends \u2018alien attack\u2019 warnings; legacy D-Link routers hijacked, and more cybersecurity news<\/a><\/p>\n<p><a href=\"https:\/\/forklog.com\/en\/brazil-alert-hack-sends-alien-attack-warnings-legacy-d-link-routers-hijacked-and-more-cybersecurity-news\/\">https:\/\/forklog.com\/en\/brazil-alert-hack-sends-alien-attack-warnings-legacy-d-link-routers-hijacked-and-more-cybersecurity-news\/<\/a><\/p>\n<p>Publish Date: 2026-06-27 00:00:00<\/p>\n<p>Source Domain: <a href=\"forklog.com\">forklog.com<\/a><\/p>\n
<p>Here are the week\u2019s key cybersecurity developments.<\/p>\n<p>Canada\u2019s spy agency used a court order to remotely clean citizens\u2019 devices for the first time.<br \/>\nA macOS infostealer bypassed AI-based analysis using fake error injections.<br \/>\nEuropol dismantled a distribution network for the Amadey and StealC malware.<br \/>\nIn Brazil, hackers sent emergency alerts about an \u201calien attack.\u201d<\/p>\n<p>Canada\u2019s spy agency uses court order for remote device cleanup for the first time<br \/>\nCanada\u2019s intelligence service received an unprecedented court order authorizing remote intervention on infected servers, home routers, and IoT devices in the country, Todayville reported.<br \/>\nThe botnets operated as traffic relays. By routing data through compromised equipment, attackers masked themselves as ordinary home users or internet providers. This allowed them to covertly scan networks of critical infrastructure (including the energy sector) as well as Canadian government and military agencies.<br \/>\nTargets for cleanup included Canada-based servers, routers for small businesses and homes, and smart devices such as doorbells, security cameras, TVs, and other Wi-Fi\u2013enabled equipment.<br \/>\nThe Federal Court of Canada declassified a public version of the order only in mid-June 2026, although it was issued more than two years earlier. The ruling emphasizes that no personal data was intercepted and any incidentally collected information was immediately destroyed.<br \/>\nMedia reports point to outdated hardware as a key factor in such attacks. Malware is deployed on IoT devices with factory-default passwords or on equipment that is no longer supported.<br \/>\nResearchers at XLab confirmed this. 
They found a previously unknown botnet called AryStinger that abused legacy D-Link home routers, models DIR-850L and DIR-818LW.<br \/>\nDuring the campaign, attackers compromised more than 4,000 routers, turning them into proxies to relay malicious traffic and perform distributed tasks.<br \/>\nAccording to the researchers, beyond using devices as a launchpad for attacks, AryStinger can tamper with DNS settings, intercept victims\u2019 browser sessions, and covertly monitor and steal all inbound and outbound network traffic. About 48% of infections were in South Korea, China, Sweden, Malaysia, and Singapore.<br \/>\nmacOS infostealer bypasses AI analysis with fake error injections<br \/>\nSentinelOne researchers reported new macOS malware dubbed Gaslight. The infostealer specifically targets AI-based automated code analysis and reverse-engineering tools.<br \/>\nAnalysts attribute the malware to North Korean hackers with high confidence. In addition to standard backdoor and data-theft functionality, the Gaslight file hides a special 3.5 KB loader. It contains 38 fabricated system messages formatted with Markdown and templates.<br \/>\nFake error messages. Source: SentinelOne.<br \/>\nThese strings act as prompt injections for LLMs. The fake messages imitate developer logs, crash reports, memory overflow errors, and token-expiration warnings. 
Their goal is to make the AI agent doubt the integrity of its own analysis session.<br \/>\nBy feeding this context to AI platforms, attackers expect the model to stop working, truncate the report, or refuse to continue analyzing a \u201ccorrupted\u201d sample, citing non-existent technical errors, the researchers said.<br \/>\nEuropol dismantles networks spreading Amadey and StealC<br \/>\nEuropol, working with law enforcement from a dozen countries and Microsoft specialists, dismantled distribution networks for the SocGholish, Amadey, and StealC malware.<br \/>\nThe Amadey trojan served as a loader to gain initial access, after which it deployed the StealC infostealer. StealC focused on stealing passwords, credit card data, and wallet seed phrases.<br \/>\nThe coordinated operation resulted in:<\/p>\n<p>seizure of 326 servers and 142 domains;<br \/>\nidentification and freezing of cryptoassets worth more than $47 million;<br \/>\nseizure of a database containing over 27 million stolen credentials;<br \/>\ncleanup of about 15,000 WordPress sites that attackers had previously compromised to covertly distribute SocGholish under the guise of system updates.<\/p>\n<p>In Hong Kong, police arrested members of the syndicate\u2019s financial arm, the South China Morning Post reported.<br \/>\nThe 69 detainees, aged 18 to 60, were part of a group that specialized in laundering proceeds from cross-border investment fraud using cryptocurrencies.<br \/>\nTo obscure trails and legitimize illicit funds, the group used a sprawling network of fake accounts registered to straw persons (drops). 
Police estimate the group laundered about $25.6 million.<br \/>\nIn Brazil, hackers sent emergency alerts about an \u201calien attack\u201d<br \/>\nOvernight on June 19\u201320, 2026, Brazil\u2019s national emergency alert system (Defesa Civil Alerta) came under cyberattack, G1 reported.<br \/>\nFollowing the breach, residents of several states received \u201cemergency warnings\u201d accompanied by loud sirens on their smartphones \u2014 the signal triggered even on devices set to silent mode.<br \/>\nInstead of real alerts about natural disasters, the attackers sent 10 messages with incoherent, odd text. Most included the word \u201cmisanthropy,\u201d slang, and typos; in some regions the alerts even warned of a supposedly underway \u201calien attack.\u201d<br \/>\nAccording to preliminary data from the Ministry of Integration and Regional Development, the attack targeted the government\u2019s Cell Broadcast mechanism.<br \/>\nAttackers likely compromised Civil Defense employee accounts. With access to the platform, they remotely initiated a highest-priority alert (Alerta Extremo), which bypasses smartphone sound and notification restrictions.<br \/>\nTo stop the spam attack, authorities took extreme measures: at 1:30 a.m., servers of the alert system were forcibly shut down. At the time of writing, the Defesa Civil Alerta platform had been partially restored, but the right to send alerts was reserved exclusively for the National Center for Risk and Disaster Management.<br \/>\nZachXBT reveals the identity of a hacker detained in Poland<br \/>\nEuropean law enforcement, supported by the FBI and the U.S. 
Department of Homeland Security, arrested four members of a hacking group, Poland\u2019s Central Bureau for Combating Cybercrime (CBZC) said.<br \/>\nThe suspects are accused of SIM-swapping attacks, stealing digital assets from crypto exchanges, and large-scale money laundering.<br \/>\nAccording to investigators, the group used specialized software and social engineering to compromise the IT infrastructure of companies working with telecom operators. After gaining access to employee email, they illegally cloned victims\u2019 phone numbers.<br \/>\nThe interception let the attackers bypass two-factor authentication, take over user accounts on crypto exchanges, and withdraw digital assets.<br \/>\nThe stolen funds were laundered through a complex distributed financial network that included:<\/p>\n<p>personal bank accounts in Poland and abroad;<br \/>\ninternational payment platforms;<br \/>\ncrypto wallets.<\/p>\n<p>The total amount laundered is estimated at tens of millions of Polish zloty. All four suspects face up to 25 years in prison.<br \/>\nAuthorities did not disclose the detainees\u2019 identities, but on-chain researcher ZachXBT said one of them is Wojtek Kulis \u2014 a Polish hacker specializing in social engineering, known online as Merry.<br \/>\nhttps:\/\/t.me\/investigations\/344<br \/>\nThe analyst drew this conclusion by matching designer clothing and jewelry seen in police raid footage with items Kulis had previously showcased on his Instagram account.<br \/>\nAlso on ForkLog:<\/p>\n<p>Polymarket will compensate losses for users after an attack via a contractor.<br \/>\nIn Bristol, authorities disabled AI models for child-crime risk due to errors.<br \/>\nSouth Korea\u2019s regulator fined Bithumb over a data breach.<br \/>\nThe U.S. 
Department of Justice seized infrastructure of Huione Group\u2019s \u201ccrypto laundering\u201d operation.<br \/>\n16 million ADA were withdrawn from SecondFi wallets.<br \/>\nThailand linked illegal mining to laundering $300 million.<br \/>\nFive Eyes warned of accelerating AI-enabled cyberattacks.<br \/>\nThe crypto industry set a record for the number of hacks.<br \/>\nA hacker breached the Taiko L2 network.<br \/>\nAxelar reported a $4.67 million breach of its bridge with Secret Network.<br \/>\nMEV bot Jaredfromsubway.eth lost more than $7.5 million.<\/p>\n<p>What to read over the weekend?<br \/>\nThe gap between dollar and euro stablecoins isn\u2019t measured in percentages \u2014 it\u2019s 200x. In a new piece, ForkLog examines why the EU lost a \u201cblockchain race\u201d that barely started and how the situation could be improved.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Brazil alert hack sends \u2018alien attack\u2019 warnings; legacy D-Link routers hijacked, and more cybersecurity 
news&#8230;<\/p>\n","protected":false},"author":1,"featured_media":237912,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/forklog.com\/wp-content\/uploads\/img-b5d7b9875a5427f0-4082029324633328.webp","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,30,24,35,36,17,32],"class_list":["post-237911","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-breach","tag-cybersecurity","tag-hacker","tag-infostealer","tag-llm","tag-malware"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/237911"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=237911"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/237911\/revisions"}],"predecessor-version":[{"id":237913,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/237911\/revisions\/237913"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/237912"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=237911"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=237911"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=237911"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{
rel}","templated":true}]}}