A healthcare IT breach exposes 3.4 million patient records, China-linked hackers deploy three novel implants against South American telecom infrastructure, Wikipedia suffers a self-propagating JavaScript worm, and a multi-stage malware campaign delivers triple RAT payloads via fileless execution. Here's everything you need to know today.
TriZetto Provider Solutions, a Cognizant-owned healthcare IT company, has disclosed a data breach affecting 3,433,965 individuals. Unauthorized access persisted for nearly a year — from November 2024 to October 2025.
The breach targeted a web portal used for insurance eligibility verification. The compromised data includes:
| Date | Event |
|---|---|
| November 19, 2024 | Unauthorized access begins |
| October 2, 2025 | Suspicious activity detected |
| December 9, 2025 | Affected providers notified |
| February 2026 | Customer notifications begin |
| March 6, 2026 | Maine AG filing confirms 3.4M affected |
The 11-month dwell time before detection is alarming but unfortunately common in healthcare breaches. TriZetto is offering affected individuals 12 months of free credit monitoring through Kroll, but the exposure of SSNs and Medicare identifiers creates long-term identity theft risk. No ransomware group has claimed responsibility.
Cisco Talos has identified a China-linked APT group designated UAT-9244 systematically compromising telecommunications providers in South America using three previously undocumented malware families.
| Implant | Target Platform | Capabilities |
|---|---|---|
| TernDoor | Windows | DLL side-loading via wsprint.exe, process manipulation via embedded kernel driver, C2 communication |
| PeerTime (angrypeer) | Linux | Backdoor access, file operations, system reconnaissance |
| BruteEntry | Network edge devices | Edge device persistence, network traffic interception |
UAT-9244 is closely associated with FamousSparrow, which shares tactical overlaps with Salt Typhoon — the China-nexus group notorious for targeting telecom providers globally. TernDoor is a variant of CrowDoor/SparrowDoor, featuring new command codes and an embedded Windows driver for process control.
Key technical details:
-u switch for complete artifact removalTelecom providers are high-value espionage targets — controlling communications infrastructure means potential access to call data records, SMS content, and internet traffic of entire populations. This campaign demonstrates China's continued strategic interest in Latin American digital infrastructure.
A self-propagating JavaScript worm spread across Wikipedia's Meta-Wiki, modifying user scripts and vandalizing pages before engineers could contain it.
The attack exploited Wikipedia's JavaScript customization features — specifically the MediaWiki:Common.js and User:<username>/common.js scripts that execute in editors' browsers:
User:Ololoshka562/test.js) was uploaded to Russian Wikipedia, reportedly in March 2024common.js with a loader for the malicious scriptMediaWiki:Common.js was modified, affecting all editorsWikimedia engineers temporarily restricted editing across all projects while they investigated and reverted changes. The incident highlights how user-customizable JavaScript in collaborative platforms can become an attack vector — particularly when privileged accounts execute untrusted code.
Any platform allowing user-uploaded JavaScript faces similar risks. Organizations should implement Content Security Policy (CSP) headers, restrict script execution contexts, and ensure privileged accounts have additional safeguards against running untrusted code.
Securonix researchers have uncovered a sophisticated malware campaign codenamed VOID#GEIST that delivers XWorm, AsyncRAT, and Xeno RAT through a completely fileless execution chain.
| Stage | Technique | Purpose |
|---|---|---|
| 1 | Obfuscated batch script via phishing | Initial access, decoy PDF display |
| 2 | Second batch script deployment | Orchestration layer |
| 3 | Legitimate Python runtime staging | Portability, trusted binary abuse |
| 4 | Encrypted shellcode decryption | Payload preparation |
| 5 | Early Bird APC injection into explorer.exe | In-memory RAT execution |
A Ghanaian national has pleaded guilty to participating in a massive fraud ring that stole over $100 million from victims across the United States through business email compromise (BEC) attacks and romance scams.
The case highlights the industrial scale of BEC operations and their continued effectiveness despite years of awareness campaigns. Key takeaways:
Microsoft's Bing AI-enhanced search promoted fake OpenClaw GitHub repositories that instructed users to run commands deploying information stealers and proxy malware.
This incident is particularly concerning because it demonstrates how AI-generated search summaries can be manipulated to promote malicious content with an air of authority:
Always verify software repositories through official project websites, not search results. Check repository creation dates, star counts, contributor history, and verify URLs match official documentation before running any installation commands.
| Threat | Actor | Severity | Action Required |
|---|---|---|---|
| TriZetto healthcare breach | Unknown | 🔴 Critical | Audit healthcare vendor security, monitor for identity theft |
| UAT-9244 telecom attacks | China-linked | 🔴 Critical | Patch servers, hunt for TernDoor/PeerTime/BruteEntry |
| Wikipedia JS worm | Unknown | 🟠 High | Implement CSP, restrict privileged script execution |
| VOID#GEIST triple RAT | Cybercriminals | 🔴 Critical | Monitor for fileless attacks, block TryCloudflare abuse |
| $100M BEC fraud ring | Organized crime | 🟠 High | Reinforce BEC awareness and payment verification |
| Fake repos via Bing AI | Cybercriminals | 🟠 High | Verify software sources, educate developers |
KENSAI's automated security scanning detects vulnerabilities, misconfigurations, and indicators of compromise across your entire attack surface — before attackers exploit them.
Start Free Security ScanStay vigilant. Stay protected.
🗡️ KENSAI Threat Intelligence Team