Non-Profit/Volunteering
Breach intelligence, attack campaigns, and threat reports targeting the Non-Profit/Volunteering sector.
Non-Profit/Volunteering Threat Reports
UN World Food Programme Data Breach: A Wake-Up Call for Humanitarian Cybersecurity
In May 2026, the United Nations' World Food Programme (WFP) experienced a significant data breach when unauthorized actors accessed its self-registration application for Palestine. This breach exposed sensitive personal information—including names, ID numbers, mobile numbers, and location data—of approximately 600,000 Palestinian households in Gaza. The WFP promptly suspended the affected platform to implement security enhancements and initiated a comprehensive investigation into the incident. This incident underscores the critical importance of robust cybersecurity measures for humanitarian organizations handling sensitive beneficiary data. The exposure of such information not only compromises individual privacy but also heightens the risk of identity theft and targeted attacks, emphasizing the need for continuous vigilance and proactive security protocols in the humanitarian sector.
3 weeks ago
Critical Drupal Core SQL Injection Vulnerability (CVE-2026-9082) Actively Exploited
In May 2026, a critical SQL injection vulnerability, identified as CVE-2026-9082, was discovered in Drupal Core's database abstraction API. This flaw specifically affects sites utilizing PostgreSQL databases, allowing unauthenticated attackers to execute arbitrary SQL commands. Successful exploitation can lead to information disclosure, privilege escalation, and potentially remote code execution. Drupal released patches for affected versions, including 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, and 11.3.10. ([drupal.org](https://www.drupal.org/sa-core-2026-004?utm_source=openai)) The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on May 22, 2026, indicating active exploitation in the wild. Organizations are urged to apply the necessary patches promptly to mitigate potential risks. ([nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2026-9082?utm_source=openai))
1 month ago
DigitalMint Negotiator's Betrayal: A Stark Warning for Cybersecurity
In April 2026, Angelo Martino, a former ransomware negotiator at DigitalMint, pleaded guilty to conspiring with the BlackCat (ALPHV) ransomware group to extort five U.S. companies. Martino exploited his position by sharing confidential information, including victims' insurance policy limits and negotiation strategies, with the attackers. This collaboration led to ransom payments totaling approximately $75.3 million from sectors such as nonprofit, hospitality, financial services, retail, and medical industries. Martino faces up to 20 years in federal prison, with sentencing scheduled for July 9, 2026. This case underscores the critical need for stringent vetting and oversight of cybersecurity professionals, as insider threats can significantly amplify the impact of cyberattacks. The incident also highlights the evolving tactics of ransomware groups, emphasizing the importance of comprehensive security measures and employee integrity in safeguarding organizational assets.
2 months ago
LucidRook Malware Targets Taiwanese NGOs and Universities in 2025
In October 2025, the threat actor group UAT-10362 launched spear-phishing campaigns targeting non-governmental organizations (NGOs) and universities in Taiwan. These attacks utilized a newly identified Lua-based malware named 'LucidRook,' which was delivered through malicious LNK and EXE files disguised as legitimate software. Once executed, LucidRook embedded a Lua interpreter within a dynamic-link library (DLL) to download and execute staged Lua bytecode payloads, enabling the attackers to update functionality without modifying the core malware. The malware performed system reconnaissance, collecting information such as user and computer names, installed applications, and running processes, which was then encrypted and exfiltrated via FTP to attacker-controlled infrastructure. ([blog.talosintelligence.com](https://blog.talosintelligence.com/new-lua-based-malware-lucidrook/?utm_source=openai)) This incident underscores the evolving sophistication of cyber threats, particularly those targeting educational and non-governmental sectors. The use of modular malware like LucidRook, capable of dynamic updates and extensive obfuscation, highlights the need for organizations to enhance their cybersecurity measures, including employee training on phishing tactics and the implementation of advanced threat detection systems.
2 months ago
UAT-10362's LucidRook Malware Targets Taiwanese NGOs in Spear-Phishing Attacks
In October 2025, a previously undocumented threat actor, UAT-10362, launched spear-phishing campaigns targeting Taiwanese non-governmental organizations (NGOs) and universities. The attackers distributed a new Lua-based malware named LucidRook, which embeds a Lua interpreter and Rust-compiled libraries within a dynamic-link library (DLL) to download and execute staged Lua bytecode payloads. The malware exhibits region-specific anti-analysis checks, activating only in Traditional Chinese language environments associated with Taiwan. The campaigns utilized malicious LNK and EXE files disguised as antivirus software, leveraging compromised FTP servers and out-of-band application security testing (OAST) services for command-and-control infrastructure. ([blog.talosintelligence.com](https://blog.talosintelligence.com/new-lua-based-malware-lucidrook/?utm_source=openai)) This incident underscores the evolving sophistication of cyber threats targeting specific regions and sectors. The use of multi-language modular design, layered anti-analysis features, and reliance on compromised or public infrastructure indicates a high level of operational maturity by UAT-10362. Organizations, especially those in Taiwan, should enhance their cybersecurity measures to detect and mitigate such advanced persistent threats.
2 months ago
DigitalMint Insider Ransomware Scheme Unveiled
In 2023, Angelo John Martino III, a ransomware negotiator at DigitalMint, exploited his position to orchestrate at least 10 ransomware attacks, extorting over $75 million. Martino, along with co-conspirators, infiltrated networks, encrypted data, and demanded ransoms, even negotiating with victims he had attacked. This breach highlights the severe risks posed by insider threats in cybersecurity firms. The incident underscores the critical need for robust internal controls and vigilant monitoring to prevent such breaches, especially as ransomware tactics evolve and insider threats become more sophisticated.
3 months ago
Velvet Tempest's Use of 'ClickFix' in Recent Cyber Intrusion
Between February 3 and 16, 2026, the threat group Velvet Tempest (also known as DEV-0504) conducted a sophisticated cyber intrusion targeting a U.S. non-profit organization with over 3,000 endpoints and 2,500 users. Utilizing a malvertising campaign, they employed the 'ClickFix' technique, deceiving victims into executing obfuscated commands via the Windows Run dialog. This led to the deployment of DonutLoader and the CastleRAT backdoor, facilitating credential harvesting and extensive reconnaissance. Notably, while Velvet Tempest is known for deploying various ransomware strains, including Ryuk, REvil, and Conti, the Termite ransomware was not executed in this particular incident. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/termite-ransomware-breaches-linked-to-clickfix-castlerat-attacks/?utm_source=openai)) This incident underscores the evolving tactics of ransomware affiliates, highlighting the use of social engineering techniques like 'ClickFix' to gain initial access. The absence of immediate ransomware deployment suggests a strategic shift towards prolonged network infiltration and data exfiltration, posing significant challenges for detection and mitigation.
3 months ago
Lazarus Group's Medusa Ransomware Attacks on Healthcare in 2026
In early 2026, the North Korean state-sponsored Lazarus Group initiated ransomware attacks using the Medusa ransomware variant, targeting healthcare organizations in the Middle East and the United States. These attacks involved data encryption and exfiltration, with ransom demands averaging $260,000. The group employed tools such as RP_Proxy, Mimikatz, and BLINDINGCAN to facilitate their operations. The healthcare sector's critical role and sensitive data made it a prime target, leading to significant operational disruptions and potential patient data breaches. This incident underscores a concerning trend of state-sponsored actors leveraging ransomware-as-a-service platforms to conduct financially motivated attacks. The collaboration between nation-state groups and established cybercriminal infrastructures highlights the evolving threat landscape, necessitating enhanced cybersecurity measures and international cooperation to mitigate such risks.
4 months ago
CRESCENTHARVEST Malware Campaign Exploits Iran Protests to Target Supporters
In early January 2026, a cyberespionage campaign named CRESCENTHARVEST emerged, targeting individuals supporting Iran's anti-government protests. Attackers distributed malicious archive files containing authentic protest media and Farsi-language reports, alongside disguised Windows shortcut (.LNK) files. When executed, these shortcuts deployed a remote access trojan (RAT) capable of executing commands, logging keystrokes, and exfiltrating sensitive data. The campaign's sophistication suggests alignment with Iranian state interests, aiming for long-term surveillance and information theft. This incident underscores the increasing use of geopolitical events as lures in cyberattacks, highlighting the need for heightened vigilance among activists, journalists, and dissidents. The campaign's reliance on social engineering and legitimate-looking media emphasizes the importance of verifying the authenticity of received files, especially those related to sensitive political contexts.
4 months ago
Polish Authorities Arrest Phobos Ransomware Affiliate in 2026
In February 2026, Polish authorities arrested a 47-year-old man in the Małopolska region, suspected of affiliating with the Phobos ransomware group. The arrest was part of Operation Aether, a Europol-coordinated effort targeting Phobos affiliates. During the raid, officials seized computers and mobile phones containing stolen credentials, credit card numbers, and server IP addresses. The suspect allegedly used encrypted messaging to communicate with Phobos members and faces charges under Poland's Criminal Code for creating and distributing software designed to illegally access computer systems. ([helpnetsecurity.com](https://www.helpnetsecurity.com/2026/02/17/phobos-ransomware-affiliate-arrested-in-poland/?utm_source=openai)) This arrest underscores the persistent threat posed by ransomware groups like Phobos, which have targeted over 1,000 victims globally, including critical infrastructure sectors such as healthcare and education. The incident highlights the importance of international collaboration in combating cybercrime and the need for organizations to bolster their cybersecurity defenses against evolving ransomware tactics. ([justice.gov](https://www.justice.gov/opa/pr/phobos-ransomware-affiliates-arrested-coordinated-international-disruption?utm_source=openai))
4 months ago
Serbian Authorities' Misuse of Cellebrite Tools in 2024: A Wake-Up Call for Digital Privacy
In December 2024, Amnesty International reported that Serbian police and intelligence agencies misused Cellebrite's digital forensic tools to unlawfully extract data from mobile devices belonging to journalists and activists. The authorities employed these tools to unlock devices without consent, facilitating the installation of spyware like NoviSpy during detentions and interrogations. This surveillance campaign targeted individuals critical of government policies, leading to significant privacy violations and suppression of civil society. ([amnesty.org](https://www.amnesty.org/en/latest/news/2024/12/serbia-authorities-using-spyware-and-cellebrite-forensic-extraction-tools-to-hack-journalists-and-activists/?utm_source=openai)) The incident underscores the potential for abuse of digital forensic technologies when deployed without stringent oversight. It highlights the urgent need for robust legal frameworks and ethical guidelines to prevent the misuse of such tools against civil society and to protect fundamental human rights.
4 months ago
RedKitten 2026: Iranian State-Sponsored Malware Targets Human Rights NGOs
In January 2026, a cyber espionage campaign named RedKitten targeted non-governmental organizations and individuals documenting human rights abuses in Iran. The attackers employed AI-generated malware, delivered through malicious Excel files disguised as casualty records from recent protests. Upon enabling macros, the malware, dubbed SloppyMIO, was deployed, utilizing GitHub and Google Drive for configuration and Telegram for command-and-control. This operation is attributed to Iranian state-sponsored actors aiming to infiltrate and disrupt human rights documentation efforts. ([harfanglab.io](https://harfanglab.io/insidethelab/redkitten-ai-accelerated-campaign-targeting-iranian-protests/?utm_source=openai)) This incident underscores the escalating use of artificial intelligence in cyber attacks, enabling rapid development and deployment of sophisticated malware. The targeting of human rights organizations highlights the increasing risks faced by civil society groups, emphasizing the need for enhanced cybersecurity measures and vigilance against state-sponsored cyber threats.
4 months ago