February 2025 Infostealer Infection report

Posted on March 17, 2025
Twilight Cyber operates within the innermost circles of the dark web, providing near real-time insights into cybercriminal tactics, infostealer malware activity, and stolen credential trends. Our advanced scanning approach uncovers emerging threats as they happen, helping organizations stay ahead of potential breaches.
In February 2025, we analyzed the latest trends across stolen credentials, identifying key targets, prevalent malware types, and the regions and industries most impacted.

Number of New Stolen Credentials in February 2025
- Total infected machines: 178,268
- Daily average: 6,366
With a total of 178,268 infected machines in February alone, organizations are urged to proactively scan their assets for potential breaches.
The 178,268 compromised machines recorded in February reflect the persistent spread of infostealer malware. This points to a broader trend of attackers refining their methods to harvest credentials at scale, making it critical for both individuals and organizations to review their security practices.
Top Compromised Web Domains
- google.com
- facebook.com
- live.com
- instagram.com
- netflix.com
- discord.com
- roblox.com
- amazon.com
- steampowered.com
- microsoftonline.com
- twitter.com
- paypal.com
- apple.com
- spotify.com
Most of the stolen credentials came from users logging into popular web services hosted by Google, Facebook, Microsoft, and others. Gaming platforms like Roblox and Steam were also highly targeted, likely to obtain in-game assets and digital goods.
Top Compromised Applications
- com.facebook.katana (Facebook)
- com.instagram.android (Instagram)
- com.netflix.mediaclient (Netflix)
- com.pinterest (Pinterest)
- com.roblox.client (Roblox)
Stolen credentials linked to Android mobile applications are often the result of infostealer malware installed on compromised PCs, which harvests login data for these widely used apps.
Top 3 Infostealer Malware Types Used
- LummaC2 – 170,049 infections
- Stealc – 5,801 infections
- Vidar – 2,418 infections
LummaC2 overwhelmingly dominates the landscape, accounting for over 95% of infections. This suggests that LummaC2 is the preferred tool for cybercriminals due to its reliability and effectiveness in harvesting credentials.
Meanwhile, Stealc and Vidar remain secondary threats, while RedLine infections have all but disappeared following the recent takedown by authorities.
Company-Specific Findings

Our research also revealed some interesting data points regarding the spread of infections across the public and private sectors.
Industry-Wide Distribution of Infections
- Corporate – 7,620 infections
- Education – 1,651 infections
- Investor – 1,308 infections
- Government – 993 infections
- Non-Profit – 552 infections
The corporate sector experienced the highest number of infections (7,620 cases), reinforcing that businesses remain a primary target. The education sector also saw significant compromise, likely because students and faculty use less-secured devices.
The presence of government and investor-related accounts in the data is particularly concerning, as breaches in these sectors can have serious security and financial implications.
Companies in These Countries Were Most Affected
- United States – 2,335 infections
- India – 1,809 infections
- Brazil – 1,584 infections
- Poland – 1,225 infections
- Germany – 1,124 infections
- United Kingdom – 1,142 infections
- Russia – 898 infections
- France – 818 infections
- Canada – 708 infections
- Mexico – 679 infections
Note: This data only accounts for company-specific infections.
Cybercriminals appear to be most interested in credentials of U.S.-based organizations, likely due to the higher resale value of such credentials on the Dark Web.
