Also: China-Linked APT Hijacks Updates, Condé Nast Data Leaked, La Poste Hit

Pooja Tikekar (@PoojaTikekar) • January 1, 2026

Breach Roundup: Clop Tied to Korean Air Vendor Breach
Image: Shutterstock/ISMG

Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, a Clop-linked vendor breach exposed Korean Air employee data, a China-linked APT hijacked software updates to spread malware, a critical zero-day flaw went unpatched, a Condé Nast intrusion led to a mass user data leak, pro-Russian hacktivists disrupted France’s postal services and authorities extradited a suspect over a long-running malware operation.


Korean Air Says 30,000 Employee Records Exposed After Vendor Cyberattack

Korean Air said that sensitive information pertaining to roughly 30,000 employees was compromised following a cyberattack on KC&D Service, the airline’s former in-flight catering and onboard sales subsidiary.

The airline in an internal notice to staff said KC&D, which was divested by Korean Air in December 2020, suffered a breach by an external hacking group that resulted in unauthorized access to servers storing employee data as part of the vendor’s enterprise resource planning system. The leaked data includes employee names and bank account numbers, according to the airline’s statement, reported Korea JoongAng Daily.

Security researchers tracking the larger campaign say the incident is part of an extortion operation by the Russian-speaking Clop ransomware group, which has been exploiting critical zero-day vulnerabilities in Oracle E-Business Suite, tracked as CVE-2025-61882 and CVE-2025-61884, to gain unauthenticated remote code execution on vulnerable systems. The flaws allowed attackers to exfiltrate sensitive corporate data from multiple victims before patches were available (see: Clop Attacks Against Oracle E-Business Suite Trace to July).

Clop is known for conducting high-volume attacks that exploit zero-day flaws in widely deployed systems such as file transfer solutions, enabling it to compromise numerous companies within compressed timeframes.

Clop claimed responsibility for the KC&D attack in November and added the airline to its data leak site, publishing archives of allegedly stolen material and aligning the breach with a series of similar compromises involving other major entities including Harvard University, Envoy Air, Logitech and The Washington Post.

Evasive Panda Hijacks Software Updates to Deploy MgBot Malware

A China-linked advanced persistent threat group tracked as Evasive Panda has been using compromised software update mechanisms to deliver a custom backdoor, MgBot, to target victims, according to new research from Kaspersky.

The campaign, active between November 2022 and November 2024, relied on DNS poisoning and adversary-in-the-middle techniques to redirect legitimate software update requests to attacker-controlled servers. Victim systems resolved legitimate update domains to malicious IP addresses, causing them to unknowingly retrieve malicious installers instead of authentic software updates, the researchers said.
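The defensive point in the technique above is that a client which trusts whatever its resolver returns has no way to tell a genuine update server from a poisoned one. The following is an added illustration, not Kaspersky's research code or any vendor's updater: a minimal update client that treats DNS as untrusted and installs a download only if its SHA-256 matches a digest pinned in a manifest obtained out of band. The host name, IP addresses, release name and payload bytes are all constructed for the demo; a production client would verify a code signature rather than a pinned digest, but the decision logic is the same.

```python
"""Added example: an update client that does not trust DNS.

A poisoned resolver can steer the download to any host, so the only thing
the client relies on is the pinned SHA-256 of the release.  Every host,
IP, release name and payload here is constructed for the demonstration.
"""

import hashlib
import hmac
from dataclasses import dataclass

# Constructed: the update host the application is configured to use.
UPDATE_HOST = "update.example-vendor.invalid"

# Constructed: manifest shipped inside the application (or fetched over a
# separately pinned channel).  Only the digest is trusted, never the host.
PINNED_MANIFEST = {
    "player-1.4.2": hashlib.sha256(b"GENUINE-INSTALLER-1.4.2").hexdigest(),
}

# Constructed resolver answers.  In the poisoned case the attacker chooses
# the IP; nothing about the answer itself reveals that to the client.
CLEAN_DNS = {UPDATE_HOST: "203.0.113.10"}
POISONED_DNS = {UPDATE_HOST: "198.51.100.66"}

# Constructed: what each server returns for the same update URL.
SERVER_PAYLOADS = {
    "203.0.113.10": b"GENUINE-INSTALLER-1.4.2",
    "198.51.100.66": b"TROJANIZED-INSTALLER-1.4.2",
}


@dataclass
class UpdateResult:
    host_ip: str
    digest: str
    installed: bool
    reason: str


def fetch(host, resolver):
    """Simulated download: resolve the host, then fetch from that IP."""
    ip = resolver[host]
    return ip, SERVER_PAYLOADS[ip]


def apply_update(release, host, resolver):
    """Install only when the downloaded bytes match the pinned digest."""
    ip, blob = fetch(host, resolver)
    digest = hashlib.sha256(blob).hexdigest()
    expected = PINNED_MANIFEST.get(release)
    if expected is None:
        return UpdateResult(ip, digest, False, "unknown release")
    # compare_digest avoids timing differences; both values are hex strings.
    if not hmac.compare_digest(digest, expected):
        return UpdateResult(ip, digest, False, "digest mismatch: refusing to install")
    return UpdateResult(ip, digest, True, "digest verified")


if __name__ == "__main__":
    for name, resolver in (("clean", CLEAN_DNS), ("poisoned", POISONED_DNS)):
        r = apply_update("player-1.4.2", UPDATE_HOST, resolver)
        print(f"{name:9s} resolver -> {r.host_ip:15s} installed={r.installed} ({r.reason})")
```

Run stand-alone, the clean resolver path installs and the poisoned path is refused with a digest mismatch, even though both requests went to the same host name. The same check also catches a tampered download served from the real host, which is why the digest (or signature) must come from somewhere other than the download channel itself.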

Attackers targeted update channels for video streaming platforms SohuVA and iQIYI Video as well as IObit Smart Defrag and Tencent QQ applications.

MgBot was deployed through a multi-stage execution chain that included DLL sideloading using a decade-old signed executable and process injection into svchost.exe. The malware established persistence and communicated with command-and-control servers using encrypted channels, employing in-memory execution to evade detection.

The researchers said each infection appeared to be customized, suggesting the activity was highly targeted rather than opportunistic. Telemetry data showed infections primarily in China, India and Turkey.

Evasive Panda, also tracked as Daggerfly, Bronze Highland and StormBamboo, has been active since at least 2014. Symantec assesses the group is well-resourced and capable of quickly updating its toolset to continue operations after public exposure.

Critical Zero-Day in XSpeeder SXZOS Firmware

Security researchers disclosed a critical, unauthenticated zero-day vulnerability affecting XSpeeder’s SXZOS firmware, potentially exposing more than 70,000 routers and SD-WAN devices worldwide. The flaw, tracked as CVE-2025-54322, resides in the product’s web interface.

The vulnerability enables remote code execution with root privileges without authentication, allowing attackers to fully compromise affected systems. The issue originates in Django-based web authentication logic that unsafely uses the eval() function on base64-decoded user input, enabling attackers to inject and execute malicious Python code via crafted HTTP requests. Multiple proof-of-concept exploits have been published on GitHub, increasing the likelihood of active exploitation.
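The bug class described above, passing base64-decoded request data to eval(), is worth seeing next to a safe parser. The snippet below is an added illustration in Python and is not XSpeeder's code; the request shape (a base64-encoded credential record with two fields) is assumed for the demo. The vulnerable function shows that eval() executes whatever expression the sender supplies, and the hardened function replaces it with strict base64 decoding, JSON parsing and a field-level schema check.

```python
"""Added example: eval() on decoded request input, beside a hardened parser.

Not XSpeeder's code.  The request format (base64 of a two-field credential
record) is assumed for the demonstration.
"""

import base64
import binascii
import json


def encode(text):
    """Helper for the demo: base64-encode a request body as a client would."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def parse_login_vulnerable(b64_payload):
    """Vulnerable pattern: decode, then hand the text to eval().

    eval() evaluates arbitrary Python, so the sender decides what runs in the
    server process.  This is the flaw, kept here only to show the contrast.
    """
    text = base64.b64decode(b64_payload).decode("utf-8")
    return eval(text)  # the defect: data is treated as code


class BadRequest(ValueError):
    """Raised by the hardened parser for anything outside the expected shape."""


ALLOWED_KEYS = {"username", "password"}
MAX_FIELD_LEN = 256


def parse_login_hardened(b64_payload):
    """Hardened pattern: strict decode, data-only parser, explicit schema."""
    try:
        raw = base64.b64decode(b64_payload, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise BadRequest("payload is not valid base64") from exc
    try:
        data = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise BadRequest("payload is not a JSON object") from exc
    if not isinstance(data, dict) or set(data) != ALLOWED_KEYS:
        raise BadRequest("unexpected or missing fields")
    for value in data.values():
        if not isinstance(value, str) or len(value) > MAX_FIELD_LEN:
            raise BadRequest("fields must be short strings")
    return data


def hardened_rejects(b64_payload):
    """True if the hardened parser refuses the payload."""
    try:
        parse_login_hardened(b64_payload)
    except BadRequest:
        return True
    return False


if __name__ == "__main__":
    good = encode('{"username": "alice", "password": "correct horse"}')
    print("hardened, well-formed:", parse_login_hardened(good))
    # An arithmetic expression is harmless, but eval() evaluating it at all
    # proves the sender controls execution; the hardened parser refuses it.
    expr = encode("2*3")
    print("vulnerable, expression:", parse_login_vulnerable(expr))
    print("hardened, expression rejected:", hardened_rejects(expr))
```

The contrast to take away: json.loads can only ever produce data, whereas eval() produces whatever the sender wrote. A schema check on top (fixed key set, string type, length cap) keeps the parser from accepting objects the login code never expected. ast.literal_eval is sometimes suggested as a drop-in for eval(), but it still accepts arbitrary nested Python literals, so a data format with its own parser is the better choice.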

The vulnerability carries a CVSS score of 10.0 and was unpatched at the time of disclosure. Researchers reported attempts to notify XSpeeder of the issue for more than seven months, but say the vendor has yet to issue security advisories or release fixes.

Hacker Leaks 2.3 Million Wired User Records After Condé Nast Breach

A threat actor using the alias “Lovely” leaked 2.3 million user records from Wired magazine, following an intrusion into systems belonging to parent company Condé Nast.

The actor portrayed themselves as a vulnerability reporter, according to the data breach blogger who runs the Databreaches.net site under the handle “Dissent Doe.”

“Lovely said they were simply trying to inform Condé Nast of a vulnerability” and claimed to have downloaded only a limited number of profiles as proof. Subsequent exchanges indicated the activity did not align with responsible disclosure, Dissent Doe said, and the actor later published the Wired dataset on at least two underground forums.

The exposed data includes email addresses and usernames, with a subset of records containing full names, phone numbers, dates of birth, gender and physical addresses, according to breach notification service Have I Been Pwned, which has validated the dataset. The records appear to reflect user data as of September.

The hacker also claimed access to a centralized Condé Nast database holding up to 40 million user records spanning other publications, including Vogue, The New Yorker and Vanity Fair, and threatened further leaks.

Condé Nast has not publicly confirmed the breach or detailed its scope.

Pro-Russian Group Claims DDoS Attack on French Postal Operator

Pro-Russian hacktivist group NoName057(16) claimed responsibility for a cyberattack that disrupted digital services at France’s national postal operator La Poste and its banking arm La Banque Postale.

The attack, which began on Dec. 22, disrupted La Poste’s website, parcel tracking systems and other online services during the peak holiday shipping period. The company said physical mail and parcel deliveries continued and that all digital services have since been restored.

NoName057(16) is known for DDoS operations run through its “DDoSia” project, using Telegram channels to coordinate attacks, recruit participants and publicize claims. The group incentivizes participation by paying top “hero” contributors in Ton cryptocurrency via a Telegram CryptoBot.

The group primarily targets entities perceived as hostile to Russian interests, such as government sites, media and state organizations in Ukraine, NATO and EU countries.

La Poste said there is no indication that customer or employee data was compromised in the incident.

Lithuanian Hacker Extradited to South Korea Over KMSAuto Malware Campaign

The Korean National Police Agency, working with Interpol, arrested a 29-year-old Lithuanian national accused of distributing malware that siphoned cryptocurrency from infected systems worldwide.

The suspect is alleged to have embedded malicious code into the widely circulated KMSAuto Windows activation tool. Between April 2020 and January 2023, the altered software was downloaded an estimated 2.8 million times, according to Korean police.

Once installed, the malware manipulated cryptocurrency wallet addresses during transfer operations, redirecting funds to the attacker’s accounts. Investigators traced approximately 3,100 wallet addresses – domestic and overseas – involved in 8,400 illicit transactions, with total theft estimated at roughly 1.7 billion Korean won. In South Korea alone, eight victims lost about 16 million won.

The investigation began in August 2020 after a victim reported that one bitcoin – worth about 12 million won at the time – was transferred to an unintended address and lost.

Forensic analysis found that the victim’s computer was infected with malware that automatically replaced the intended recipient address with the hacker’s address during cryptocurrency transfers, a technique known as clipboard hijacking or “clipper malware.”

Security researchers warn that clipper malware is particularly effective in cryptocurrency theft because transactions are irreversible and address substitutions often go unnoticed. Kaspersky classifies KMSAuto as a hack tool or riskware, cautioning that pirated activation tools distributed through untrusted channels are frequently abused in malware campaigns.
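The substitution described in the two paragraphs above leaves a recognisable trace: an address on the clipboard is replaced by another address of the same kind without the user having copied anything. The code below is an added detection heuristic, not part of the Korean police investigation or any product, written in Python over a constructed sequence of clipboard events. The address patterns are loose shape checks, not validators, and the `user_copy` flag (whether the operating system attributes the write to a user action) is an assumption about what a clipboard monitor can observe.

```python
"""Added example: flagging clipper-style address swaps in a clipboard log.

Not from the case above.  Events, timings and addresses are constructed;
the user_copy attribution is assumed to be available from the monitor.
"""

import re
from dataclasses import dataclass

# Loose shape checks for two common address families (constructed for the
# demo; they are not validators).  bech32 charset for bc1, base58 for legacy.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass
class ClipEvent:
    t: float          # seconds since monitor start
    content: str      # clipboard text after the write
    user_copy: bool   # True if the OS attributes the write to the user


def address_kind(text):
    """Return the address family the text looks like, or None."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None


def find_swaps(events, window=2.0):
    """Flag an address replaced by a different address of the same kind,
    not attributed to the user, within `window` seconds of the original."""
    alerts = []
    prev = None
    for ev in events:
        kind = address_kind(ev.content)
        if (
            prev is not None
            and kind is not None
            and address_kind(prev.content) == kind
            and ev.content != prev.content
            and not ev.user_copy
            and ev.t - prev.t <= window
        ):
            alerts.append({"t": ev.t, "kind": kind, "copied": prev.content, "replaced_with": ev.content})
        prev = ev
    return alerts


# Constructed clipboard log: a swap at t=0.4, then benign activity.
ETH_A = "0x" + "1234567890abcdef" * 2 + "12345678"
ETH_B = "0x" + "fedcba0987654321" * 2 + "87654321"
BTC_A = "1ConstructedAddrForDemo" + "1" * 8
BTC_B = "1AnotherConstructedAddr" + "2" * 8
SAMPLE_EVENTS = [
    ClipEvent(0.0, ETH_A, True),        # user copies the intended address
    ClipEvent(0.4, ETH_B, False),       # silently replaced: the swap
    ClipEvent(10.0, "meeting notes", True),
    ClipEvent(11.0, BTC_A, True),       # user copies a different address
    ClipEvent(12.0, BTC_B, True),       # user copies another: not a swap
]


if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print(f"[{alert['t']:.1f}s] {alert['kind']} address replaced")
        print(f"   copied:        {alert['copied']}")
        print(f"   replaced with: {alert['replaced_with']}")
```

Run as-is, only the ETH replacement at 0.4 s is reported; the later user-initiated copies of two different legacy addresses are not. Where a monitor cannot attribute writes to the user, the same comparison can be made at paste time instead, and the habit researchers recommend for users, checking the first and last characters of the pasted address against the intended one, is a manual version of the same check.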
