
ECHO Cyber Threat Panorama: Weekly Threat Intelligence Bulletin (24.03.2025)

Introduction

The weekly Cybersecurity Bulletin report has been prepared by the ECHO team to summarize and inform about cybersecurity incidents that have occurred in recent weeks.


Executive Summary

This bulletin:

  • Provides up-to-date information on cyber threats such as attacks, data leaks, malware, ransomware and critical security vulnerabilities.
  • Summarizes our security team’s analysis of these threats, prepared weekly to help minimize the resulting risks.

Ransomware of the Week: Ransomware Spreads Through Visual Studio Code Extensions: A New Threat to Developers

General Summary


Two malicious extensions for Visual Studio Code (VSCode) have targeted developers by distributing ransomware. These add-ons have bypassed Microsoft’s review processes and installed malware on users’ systems.

Detected malicious add-ons:

  • ahban.shiba
  • ahban.cychelloworld

These add-ons download and run an in-development ransomware via PowerShell commands.


Malware Details

  • Add-on Names:
    • ahban.cychelloworld – Uploaded: October 27, 2024 – 7 downloads
    • ahban.shiba – Uploaded: February 17, 2025 – 8 downloads
  • Status: Removed from the store after being detected by Microsoft.

MITRE ATT&CK Related Techniques

  • T1059.001 – Command and Scripting Interpreter: PowerShell
  • T1105 – Ingress Tool Transfer (remote file download)
  • T1486 – Data Encrypted for Impact (ransomware)

Technical Details

Malware Impact

These plugins download and execute ransomware from a remote server hosted on Amazon AWS via PowerShell commands. The ransomware encrypts files in a folder named testShiba on the user’s desktop and then displays a warning saying “Your files have been encrypted. Pay 1 ShibaCoin to ShibaWallet to get them back.” This ransomware is still in development and only affects files in the specified folder.

  • Encrypted folder: C:\Users\%username%\Desktop\testShiba
  • Message displayed to the user after encryption: “Your files have been encrypted. Pay 1 ShibaCoin to ShibaWallet to get them back.”

Malware Functions

The plugins download and execute ransomware from a remote server via PowerShell commands. The downloaded ransomware encrypts files in a specific folder and displays a warning message to the user requesting payment. This process indicates that the attackers are testing or developing the ransomware.

Malware of the Week: StilachiRAT: A Stealthy and Dangerous Remote Access Trojan

General Summary


StilachiRAT is an advanced remote access trojan (RAT) discovered by Microsoft in November 2024. It is still active today and is able to evade detection and persist on target systems. The malware steals sensitive data such as credentials stored in the browser, digital wallet information, data copied to the clipboard, and system information.


Malware Details

  • Malware Name: StilachiRAT
  • Type: Remote Access Trojan (RAT)
  • Targets:
    • Credentials stored in the browser
    • Cryptocurrency wallets
    • Data copied to the clipboard
    • System information
  • Date Detected: November 2024
  • Platform: Windows

MITRE ATT&CK Techniques:

  • T1027 – Obfuscated Files or Information (obfuscation of malicious code)
  • T1059 – Command and Scripting Interpreter (Payload execution via PowerShell)
  • T1082 – System Information Discovery (Collecting system information)

Technical Details

Malware Impact

StilachiRAT has the following capabilities:

System Discovery:

  • Collects comprehensive system information such as operating system details, hardware identifiers (e.g. BIOS serial numbers), camera presence, active Remote Desktop Protocol (RDP) sessions, and running graphical user interface (GUI) applications.

Targeting Cryptocurrency Wallets:

  • Scans the Google Chrome browser for 20 different installed cryptocurrency wallet extensions and steals their configuration data.

Some of the targeted wallet extensions:

  • Bitget Wallet, Trust Wallet, TronLink, MetaMask, TokenPocket, BNB Chain Wallet, OKX Wallet, Sui Wallet, Braavos – Starknet Wallet, Coinbase Wallet, Leap Cosmos Wallet, Manta Wallet, Keplr, Phantom, Compass Wallet for Sei, Math Wallet, Fractal Wallet, Station Wallet, ConfluxPortal, Plug

Credential Theft:

  • Extracts credentials stored in the Google Chrome browser and periodically collects the contents of the clipboard to obtain sensitive data such as passwords and cryptocurrency wallet keys.

Command and Control (C2) Communication:

  • Establishes two-way communication with remote servers, allowing attackers to send remote commands to the target system. Supported commands include: display a dialog box with HTML content, clear event log entries, shut down the system, start a specified application, manage network connections, put the system to sleep or hibernate, and steal Google Chrome passwords.

Malware Working Principle

  • StilachiRAT is contained in a DLL module named WWStartupCtrl64.dll and uses the following methods:
    • Gathers system information using the WMI Query Language (WQL).
    • Clears event logs to avoid detection and disables analysis tools.
    • Encrypts stolen data and transmits it to C2 servers.

Attack Tactic of the Week: CSS-Based Bypass Tactics: Cybercriminal’s New Trick

General Summary


Threat actors are using a new technique that abuses CSS (Cascading Style Sheets).

With this method, malicious code is hidden in CSS files that are then loaded by email clients or browsers.

Most security software has difficulty detecting malicious content in CSS files because it focuses on JavaScript- or HTML-based threats.

This method also makes it possible to evade spam filters and to monitor users’ email interactions.


Details and MITRE ATT&CK Techniques

  • Type: Content hiding via CSS / malicious payload download (stealth malvertising)
  • Distribution Method:
    • Phishing emails
    • Malicious CSS links added to web pages
  • MITRE ATT&CK Techniques:
    • T1566 – Phishing (Spreading malicious links via emails)
    • T1036 – Masquerading (Hiding malicious code within CSS files)
    • T1105 – Ingress Tool Transfer (Downloading hidden malicious modules)

Technical Details

Impact of the Vulnerability

With this method, attackers can:

Inserting Hidden Content:

  • Invisible text can be added to emails using CSS properties such as text-indent and opacity.
  • Malicious links can be hidden in encoded form within CSS to bypass spam filters.

User Tracking:

  • With @media at-rules, the user’s screen size, language preference and whether or not they are viewing the email can be monitored.

Escape Security Filters:

  • Since the malicious content is hidden in CSS instead of HTML/JavaScript, it bypasses most security software.

Automatic Load Triggering:

  • CSS is applied automatically while the page is rendered, which can trigger the loading of malware without the user doing anything further.

Downloading Additional Malicious Components:

  • CSS can embed data URIs or malicious links, allowing malicious files to be downloaded in the background.

Functions of the Vulnerability

Attackers hide malicious content by abusing the following CSS properties:

  • text-indent: -9999px → Moves the text off-screen, making it invisible.
  • opacity: 0 → Makes the text completely transparent.
  • @media print → Monitors user behavior by adding hidden text when the email is printed.

For example, a base64-encoded payload can be stored in a CSS file. The browser or email client then loads this payload from the CSS file under the guise of a “background-image” or similar property.

div {
    background-image: url("..."); /* Malicious base64 code */
}

Another technique is to use the CSS content property to insert hidden text as the page loads:

span::after {
    content: "echomalware"; /* Malicious text that is not visible on the page */
    display: none;
}
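As an added example (not part of the bulletin), the Python below scans an HTML email for the hiding techniques just listed: off-screen text-indent, zero opacity, hidden ::after content, data: URIs in background-image, and @media rules used for tracking or fingerprinting. The sample message is constructed, and the finding labels and the two-finding triage threshold are assumptions.

```python
"""Scan an HTML e-mail body for the CSS hiding tricks described above."""
import re
from html.parser import HTMLParser

# Each entry: (finding label, regex applied to the CSS of a <style> block or style="" attribute)
CSS_PATTERNS = [
    ("text-indent off-screen", re.compile(r"text-indent\s*:\s*-\d{3,}px", re.I)),
    ("opacity zero", re.compile(r"opacity\s*:\s*0(?:\.0+)?\s*(?:;|!|$)", re.I)),
    ("hidden content via ::after/::before",
     re.compile(r"content\s*:\s*\"[^\"]+\"[^}]*display\s*:\s*none", re.I | re.S)),
    ("data: URI in background-image",
     re.compile(r"background(?:-image)?\s*:\s*url\(\s*[\"']?data:", re.I)),
    ("@media print tracking", re.compile(r"@media\s+print", re.I)),
    ("@media device fingerprinting",
     re.compile(r"@media[^{]*(?:\((?:min|max)-width|prefers-color-scheme)", re.I)),
]


class _StyleCollector(HTMLParser):
    """Collect the text of <style> elements and the value of every style="" attribute."""

    def __init__(self):
        super().__init__()
        self.blocks = []          # CSS text from <style> elements
        self.inline = []          # (tag name, style attribute value)
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if name == "style" and value:
                self.inline.append((tag, value))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.blocks.append(data)


def scan_html_email(html):
    """Return a sorted list of (finding, location) pairs for every hiding technique matched."""
    collector = _StyleCollector()
    collector.feed(html)
    findings = set()
    style_css = "\n".join(collector.blocks)      # all <style> text, scanned as one unit
    for label, pattern in CSS_PATTERNS:
        if pattern.search(style_css):
            findings.add((label, "<style> block"))
    for tag, css in collector.inline:
        for label, pattern in CSS_PATTERNS:
            if pattern.search(css):
                findings.add((label, "inline style on <%s>" % tag))
    return sorted(findings)


def is_suspicious(html, min_findings=2):
    """Triage verdict (assumed threshold): two or more distinct hiding techniques in one message."""
    return len({label for label, _ in scan_html_email(html)}) >= min_findings


# Constructed sample message (not a real phishing e-mail) combining the techniques from the text.
SAMPLE_EMAIL = """<html><head><style>
.hidden { text-indent: -9999px; }
span::after { content: "echomalware"; display: none; }
div.bg { background-image: url("data:image/png;base64,AAAA"); }
@media print { .track { display: block; } }
@media (max-width: 600px) { body { color: red; } }
</style></head>
<body><p style="opacity: 0;">hidden preheader text</p>
<span class="hidden">Invoice attached</span></body></html>"""

if __name__ == "__main__":
    for finding in scan_html_email(SAMPLE_EMAIL):
        print("%-40s %s" % finding)
    print("suspicious:", is_suspicious(SAMPLE_EMAIL))
```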

Phishing Campaign of the Week: New Ad Scam Campaign Using 331 Apps: Phishing and Intrusive Ads with Over 60 Million Downloads


  • Type: Ad fraud and mobile malware
  • Modes of Activity:
    • Malicious code added to mobile applications
    • Fake ad clicks running in the background
    • Bot traffic generated with invisible ad layers
  • MITRE ATT&CK Techniques:
    • T1407 (Application Layer Protocol on Mobile): Directing ad traffic with covert communication at the application layer
    • T1476 (Deliver Malicious App): Providing malicious functionality by injecting malicious code into mobile applications
    • T1496 (Resource Hijacking): Performing ad fraud using the device’s processor and network resources

Campaign Details

  • Number of Affected Applications: 331
  • Total Downloads: 60 million+
  • Techniques Used:
    • Phishing attacks
    • Full-screen ads
    • Device resource abuse

Technical Details

Versioning Technique

  • Attackers release apps that initially appear harmless and pass Google Play audits.
  • Later, malicious functionality is added via malicious updates.

Full-screen Ads and Phishing

  • Ads take up the entire screen of the device, forcing the user to interact.
  • Fake login pages are used to steal users’ credit card details and credentials.

Evading Detection

  • Apps disguise themselves and remove their icons from the launcher.
  • Execute malicious functionality by imitating legitimate apps like Google Voice.

Malware Impact

Fake Ad Impressions and Clicks

  • Apps generate automatic clicks by loading invisible ads in the background.
  • Attackers increase advertising revenues through fake interactions.

Device Resource Consumption

  • Processor power and network bandwidth are secretly used, which reduces device performance.
  • Mobile data consumption increases, rapidly exhausting users’ data plans.

Advertising Networks Suffer Damage

  • Advertisers are harmed because bot traffic is generated instead of traffic from real users.
  • Advertising networks lose reputation as the reliability of the market is damaged.

Code or Functions

  • An SDK or library that generates fake ad requests is embedded into applications.
  • WebView is opened in the background, creating invisible ad impressions and clicks.
  • Some malicious apps initially release clean versions to comply with Google Play policies and add malicious functionality with malicious updates.

Developer Phishing Campaign of the Week: Malicious Packages to Steal Cloud Provider Credentials Downloaded Over 14,100 Times on PyPI


List of Packages and Download Counts

First Group (Data Stealing Packages)

| Package Name | Download Count |
|---|---|
| snapshot-photo | 2,448 |
| time-check-server | 316 |
| time-check-server-get | 178 |
| time-server-analysis | 144 |
| time-server-analyzer | 74 |
| time-server-test | 155 |
| time-service-checker | 151 |

Second Group (Packages that Emulate Cloud Clients)

| Package Name | Download Count |
|---|---|
| aclient-sdk | 120 |
| acloud-client | 5,496 |
| acloud-clients | 198 |
| acloud-client-uses | 294 |
| alicloud-client | 622 |
| alicloud-client-sdk | 206 |
| amzclients-sdk | 100 |
| awscloud-clients-core | 206 |
| credential-python-sdk | 1,155 |
| enumer-iam | 1,254 |
| tclients-sdk | 173 |
| tcloud-python-sdks | 98 |
| tcloud-python-test | 793 |

All these packages have been removed from PyPI. If you used any of these packages, change your API keys and reset your environment variables.


Malware Functions

  • Malicious code added to setup.py or __init__.py files scans for credentials (e.g. ~/.aws/credentials and API keys in environment variables).
  • The collected data is forwarded to the attacker’s server via HTTP POST requests or DNS exfiltration.
  • Typosquatting is used to increase the chance that the packages are downloaded without being noticed.

Technical Details

  • The acloud-client, enumer-iam and tcloud-python-test packages are listed as dependencies in the “accesskey_tools” project on GitHub.
  • This project has been starred 519 times and forked 42 times, causing malicious packages to be included in projects without being noticed.
  • tcloud-python-test has been available on PyPI since November 8, 2023 and has been downloaded 793 times.

Malware Impact

  1. Unauthorized Access to Cloud Resources:
    • Stolen AWS access keys, GCP service account JSON files and Azure credentials can allow the attacker to manipulate cloud resources, exfiltrate data, or incur additional costs.
  2. Malicious Code Injection into Code Projects:
    • Malicious code can be triggered at compile time or runtime, and the attacker can move laterally in the cloud environment.
  3. Supply Chain Risk:
    • Developers can add the malicious package to a project without realizing it; this can cause chained vulnerabilities in dependent projects.

Featured Vulnerabilities of the Week

Veeam and IBM Release Updates for Critical Vulnerabilities

Description


Veeam and IBM have released updates to address high-risk vulnerabilities discovered in their backup and operating systems. These vulnerabilities could allow attackers to remotely execute code, which could pose a serious threat to system security.


Vulnerability Details

Veeam Backup & Replication – Remote Code Execution Vulnerability

  • CVE Code: CVE-2025-23120
  • Description: A vulnerability that allows authenticated users to remotely execute code.
  • Versions Affected:
    • 12.3.0.310 and all earlier version 12 builds
  • CVSS Score: 9.9 / 10 (Critical)
  • Remedy:
    • The vulnerability is fixed in 12.3.1 (build 12.3.1.1139).

Critical Vulnerabilities in IBM AIX Operating System

CVE-2024-56346

  • Description: An access control vulnerability that allows remote command execution via the AIX nimesis NIM master service.
  • Versions Affected: AIX 7.2 and 7.3
  • CVSS Score: 10.0 / 10 (Critical)

CVE-2024-56347

  • Description: An access control vulnerability that allows remote command execution via the AIX nimsh service’s SSL/TLS protection mechanism.
  • Affected Versions: AIX 7.2 and 7.3
  • CVSS Score: 9.6 / 10 (Critical)
  • Resolution:
    • IBM has released security updates to address these vulnerabilities.

Technical Details

Impact of Vulnerability in Veeam Backup & Replication

  • CVE-2025-23120 is due to an inconsistency in Veeam’s serialization mechanism.
  • Attackers can achieve remote code execution by abusing certain classes.
  • Particularly at-risk components:
    • Veeam.Backup.EsxManager.xmlFrameworkDs
    • Veeam.Backup.Core.BackupSummary

Impact of Vulnerabilities in IBM AIX

  • CVE-2024-56346 and CVE-2024-56347 allow remote command execution on AIX systems.
  • Cause:
    • Access control deficiencies in the nimesis NIM master service and the nimsh service.

Unpatched Zero-Day Vulnerability in Microsoft Windows: Exploited by 11 State-Sponsored Threat Groups Since 2017

General Summary


An unpatched zero-day vulnerability has been discovered in Microsoft Windows. It has been actively exploited since 2017 by 11 threat actors backed by China, Iran, North Korea and Russia.

This vulnerability allows attackers to run malicious commands on the victim’s system via specially crafted Windows Shortcut (.LNK) files.


Vulnerability Details

  • Vulnerability Name: ZDI-CAN-25373
  • Type: User Interface (UI) Misrepresentation of Critical Information (CWE-451)
  • Systems Affected: Microsoft Windows Operating Systems
  • Date Discovered: 2017
  • Source: Trend Micro Zero Day Initiative (ZDI)

Technical Details

Vulnerability Impact

  • Attackers avoid detection by padding the command-line arguments in .LNK files with the following whitespace characters:
    • Space (0x20)
    • Horizontal tab (0x09)
    • Line feed (0x0A)
    • Vertical tab (0x0B)
    • Form feed (0x0C)
    • Carriage return (0x0D)
  • With this method, malware can be delivered to and executed on the victim’s system.
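As an added example (not from the bulletin or from Trend Micro), the Python below reads the COMMAND_LINE_ARGUMENTS field of a .LNK file and measures the whitespace padding described above so that such shortcuts can be flagged in triage. It assumes a shortcut that carries only StringData after the header (ExtraData blocks are ignored), the padding-run threshold of 32 characters is an assumed tuning value, and the shortcut it builds for the demonstration is constructed test data.

```python
"""Read COMMAND_LINE_ARGUMENTS from a .LNK file and flag the whitespace-padding trick described above."""
import struct

# LinkFlags bits from the MS-SHLLINK specification
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                 (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"))
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
PADDING_CHARS = " \t\n\x0b\x0c\r"   # 0x20 0x09 0x0A 0x0B 0x0C 0x0D, the characters listed in the bulletin


def parse_lnk_strings(data):
    """Return the StringData fields present in a ShellLink, keyed by field name."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip LinkTargetIDList: IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                      # skip LinkInfo: LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in STRING_FIELDS:               # StringData: CountCharacters + String, fixed order
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + width * count]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += width * count
    return fields


def padding_report(arguments, threshold=32):
    """Measure whitespace padding in an argument string; a long run is the indicator from the bulletin."""
    longest = run = 0
    for ch in arguments:
        run = run + 1 if ch in PADDING_CHARS else 0
        longest = max(longest, run)
    return {
        "visible": arguments.strip(PADDING_CHARS),
        "padding_chars": sum(ch in PADDING_CHARS for ch in arguments),
        "longest_run": longest,
        "suspicious": longest >= threshold,      # threshold is an assumed tuning value
    }


def analyze_lnk(data, threshold=32):
    """Return a padding report for the shortcut's arguments, or None when it carries none."""
    fields = parse_lnk_strings(data)
    return padding_report(fields["arguments"], threshold) if "arguments" in fields else None


def build_sample_lnk(arguments, relative_path=".\\readme.txt"):
    """Construct a minimal Unicode ShellLink with only RelativePath and Arguments (test data, not a real file)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (0x4C - len(header))       # remaining header fields zeroed

    def string_data(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + string_data(relative_path) + string_data(arguments)


if __name__ == "__main__":
    for label, args in (("plain", "/k echo test"), ("padded", " " * 300 + "\t\n" * 8 + "/k echo test")):
        print(label, analyze_lnk(build_sample_lnk(args)))
```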

Threat Groups Exploiting the Vulnerability

Almost half of the 11 state-sponsored threat groups exploiting the vulnerability originate from North Korea.

Major APT (Advanced Persistent Threat) Groups:

| Group Name | Area of Activity |
|---|---|
| Evil Corp (Water Asena) | Conducts attacks for financial gain. |
| Kimsuky (Earth Kumiho) | Conducts cyber espionage activities. |
| Konni (Earth Imp) | Conducts espionage and information theft. |
| Bitter (Earth Anansi) | Conducts attacks against targets in South Asia. |
| ScarCruft (Earth Manticore) | Known as an advanced persistent threat (APT) group. |

  • These groups distribute malware such as Lumma Stealer, GuLoader and Remcos RAT.
  • Evil Corp used ZDI-CAN-25373 to distribute Raspberry Robin.

Cyber Attackers Still Exploit Critical Vulnerabilities in Cisco Smart Licensing Utility in Their Attacks (CVE-2024-20439 and CVE-2024-20440)

General Summary


Two critical vulnerabilities identified in Cisco Smart Licensing Utility (SLU), CVE-2024-20439 and CVE-2024-20440, are being actively exploited by attackers. Both vulnerabilities have a CVSS score of 9.8 and allow attackers to gain administrative privileges on the affected systems.


Vulnerability Details

CVE-2024-20439 – Undocumented Static Administrator Account (an admin account built into the software)

This vulnerability is due to the presence of an undocumented static administrator user ID in the SLU. Attackers can use this ID to log into the affected system with administrative privileges.

CVE-2024-20440 – Overly Detailed Debug Logging

This vulnerability is due to the SLU generating overly detailed debug log files. Attackers can access these log files via a specially crafted HTTP request and obtain sensitive data, such as credentials, that can be used to access the API.


Technical Details

Impact of Vulnerabilities

Successful exploitation of these vulnerabilities:

  • Provides unauthorized administrative access to the system.
  • Leads to leakage of sensitive information (credentials, etc.).
  • Seriously threatens network security.

Affected Versions

  • Cisco Smart Licensing Utility
    • 2.0.0
    • 2.1.0
    • 2.2.0
  • Note: Versions 2.3.0 and later are not affected by these vulnerabilities.

Companies Subject to Ransomware Attacks

KYB Americas Corporation

  • Group Name: Cactus
  • Company Attacked: KYB Americas Corporation
  • Sector: Technology / Automotive
  • Impact: Exploitation of confidential engineering data, customer and partner information, financial data, and critical information related to manufacturing processes


KYB Americas Corporation was founded in 1974 and is headquartered in Greenwood, Indiana, USA. KYB manufactures original equipment shock absorbers and struts for automakers in the US and worldwide.

Types of Data Leaked:

  • Confidential engineering data and drawings
  • Personally identifiable information
  • Customer and partner information
  • Financial information
  • Corporate business and marketing strategies
  • Manufacturing data
  • Correspondence
  • HR department data
  • Employee and manager files
  • Database exports and backups

Yara Rule

rule CactusRule
{
    strings:
        $cactusStr = "CaCtUs.ReAdMe.txt"
        $cactusHex = { 43 61 43 74 55 73 2e 52 65 41 64 4d 65 2e 74 78 74 }
    condition:
        $cactusStr or $cactusHex
}

rule CactusRansomware {
    meta:
        description = "rule to detect Cactus Ransomware"
        author = "ShadowStackRe.com"
        date = "2024-01-18"
        Rule_Version = "v1"
        malware_type = "ransomware"
        malware_family = "Cactus"
        License = "MIT License, https://opensource.org/license/mit/"
        hash = "9ec6d3bc07743d96b723174379620dd56c167c58a1e04dbfb7a392319647441a ,c49b4faa6ac7b5c207410ed1e86d0f21c00f47a78c531a0a736266c436cc1c0a"
    strings:
        $strReadMe = "cAcTuS.readme.txt" wide
        $strLockExt = ".cts" wide
        $strTskName = "Updates Check Task" wide
        $strTskName2 = "Google Service Update"
        $strNTUSer = "ntuser.dat" wide
        $strNTUSer2 = "ntuser.log" wide
        $strBuilderName = "cactusbuilder"
    condition:
        uint16(0) == 0x5A4D and ($strReadMe and $strLockExt) and (1 of ($strTskName*)) and (1 of ($strNTUSer*)) or ($strBuilderName)
}

ZB Zimmermann und Becker GmbH

  • Group Name: Akira
  • Company Attacked: ZB Zimmermann und Becker GmbH
  • Sector: Manufacturing / Architecture and Planning
  • Impact: Exfiltration of over 70 GB of corporate documents, financial data and employee/customer information


ZB Zimmermann und Becker GmbH is an architecture and planning firm that provides engineering, planning, design and object tracking services.

Types of Data Leaked:

  • Pension insurance numbers
  • Contact numbers and email addresses of employees and customers
  • HR documents containing information about family members
  • Financial data (audits, payment information, reports)
  • Corporate licenses, agreements and contracts
  • Internal corporate correspondence

Yara Rule

/*
Akira ransomware
*/

rule Akira
{
    meta:
        author = "rivitna"
        family = "ransomware.akira.windows"
        description = "Akira ransomware Windows payload"
        severity = 10
        score = 100

    strings:
        $s0 = "\x00--encryption_path\x00" ascii wide
        $s1 = "\x00--share_file\x00" ascii wide
        $s2 = "\x00--encryption_percent\x00" ascii wide
        $s3 = "\x00-fork\x00" ascii
        $s4 = "\x00-localonly\x00" ascii wide
        $s5 = "\x00Failed to read share files\x00" ascii wide
        $s6 = ":\\akira\\asio\\include\\" ascii
        $s7 = "\x00write_encrypt_info error: \x00" ascii
        $s8 = "\x00encrypt_part error: \x00" ascii
        $s9 = "\x00Detected number of cpus = \x00" ascii
        $s10 = "\x00No path to encrypt\x00" ascii
        $s11 = "Paste this link - https://akira" ascii
        $s12 = "\x00Trend Micro\x00" wide
        $s13 = "Failed to make full encrypt" ascii wide
        $s14 = "Failed to make spot encrypt" ascii wide
        $s15 = "Failed to make part encrypt" ascii wide
        $s16 = "Failed to write header" ascii wide
        $s17 = "file rename failed. System error:" ascii wide
        $s18 = "Number of threads to folder parsers = \x00" ascii
        $s19 = "Number of threads to encrypt = \x00" ascii
        $s20 = "Number of threads to root folder parsers = \x00" ascii
        $s21 = "Failed to read share files!\x00" ascii

        $h0 = { 41 BA 05 00 00 00 41 80 FB 32 44 0F 42 D0 33 D2 48 8B C?
                49 F7 F2 4C 8B C8
                ( B? 02 00 00 00 [0-4] 41 B? 04 00 00 00 |
                  41 B? 04 00 00 00 [0-4] B? 02 00 00 00 )
                41 80 FB 32 44 0F 42 C? 41 8B C8 4? 0F AF C? 48 2B F9 33 D2
                48 8B C7 49 F7 F2 }
        $h1 = { C7 45 ?? 03 00 00 00 80 7D ?? 31 76 07 C7 45 ?? 05 00 00 00
                0F B6 45 ?? 48 0F AF 45 ?? 48 C1 E8 02
                48 B? C3 F5 28 5C 8F C2 F5 28 48 F7 E? 48 89 ?? 48 C1 E8 02 }

    condition:
        (((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) or
         (uint32(0) == 0x464C457F)) and
        (
            (7 of ($s*)) or
            (1 of ($h*))
        )
}

Assa Abloy AB

  • Group Name: Cactus
  • Company Attacked: Assa Abloy AB
  • Sector: Manufacturing / Business Services
  • Impact: Exfiltration of sensitive data including corporate strategies, financial data and personal information


Assa Abloy AB is a global leader in access solutions, operating in areas such as efficient door opening, reliable authentication and entrance automation. The company’s innovations provide safe, secure and convenient access to physical and digital spaces.

Types of Data Leaked:

  • Corporate business strategies and processes
  • Agreements and contracts
  • Personally identifiable information (passports, driver’s licenses, contact information, home addresses, etc. of executives and other employees)
  • Various internal confidential documents
  • Audit documents
  • Legal data
  • Financial information and payrolls
  • Sensitive corporate and personal correspondence
  • Exports from databases

Yara Rule

The two Cactus YARA rules (CactusRule and CactusRansomware) listed under KYB Americas Corporation above apply to this incident as well.

What’s Happening in the Hacker Forum World

5mileslab.com – Major Data Breach

  • Date: March 17, 2025
  • Threat Actor: Alcxtraze
  • Forum: BreachForums


Breach Details

  • 8.39 million rows of data
  • 1.27 GB in size (compressed in 7z format)
  • Customer information:
    • Email addresses
    • Marketing contact data
    • Residential addresses
    • Website numbers
    • First and last names

About the Company

5 Miles Lab is a digital advertising agency based in Hong Kong.

Working with brands such as McDonald’s, Apple, Samsung, Huawei, they provide creative campaigns, social CRM, design and production services.

A sample of the database has been shared, and a fee is required to access the full content.

UAE Ministry of Education Data Leak – 293,468 Records Compromised!

  • Date: March 14, 2025
  • Threat Actor: Rey
  • Forum: BreachForums

In March 2025, a database belonging to the Ministry of Education of the United Arab Emirates was leaked. Forum user Rey shared this database, and it contains personal and academic information belonging to 293,468 students.

Breach Details:

  • 293,468 records
  • Student IDs (Local IDs)
  • Names and email addresses
  • Academic information (Grade levels, section details)
  • School IDs and names
  • Class and room descriptions

Vitalis Customer Service Data Leak – 202,579 Records Compromised!

  • Date: March 18, 2025
  • Threat Actor: placenta
  • Forum: BreachForums

In March 2025, 202,579 customer records belonging to France-based customer service provider Vitalis were compromised. Threat actor placenta stated that it obtained this data via SQL Injection (SQLi).

Breach Details:

  • 202,579 customer records
  • Name, email, phone number
  • Company information (site, société)
  • Identification numbers (ID, prenom, email, tel)
