---
title: "Trello Emails Leaked, Malware Domains Registered, Kaspersky Exits USA, Cybersecurity News [July 15, 2024] | DuoCircle"
description: "Trello Emails Leaked, Malware Domains Registered, Kaspersky Exits USA, Cybersecurity News [July 15."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/announcements/cyber-security-news-update-week-30-of-2024/"
---

Quick Answer

Cybersecurity headlines for the week of July 15, 2024. A threat actor known as 'emo' abused an unauthenticated Trello REST API to match a 500-million-address list against Trello accounts, posting 15,115,516 confirmed Trello user emails on the Breached forum. Atlassian confirmed it patched the API misuse in January. Infoblox reported the Revolver Rabbit gang has registered more than 500,000 domains using Registered Domain Generation Algorithms (RDGAs) to distribute the XLoader infostealer to Windows and Mac systems. Kaspersky began winding down US operations on July 20 following OFAC sanctions on 12 executives. AT&T disclosed that call and text metadata for around 109 million customers was stolen from its Snowflake account between April 14 and 25. Trustwave detailed a Facebook ad campaign that hijacks business pages to push the SYS01 infostealer through fake Windows themes, game downloads, and software cracks.

Trello Emails Leaked, Malware Domains Registered, Kaspersky Exits USA, Cybersecurity News \[July 15, 2024\]


[ Download episode](https://media.mailhop.org/duocircle/images/2024/07/Trello-Emails-Leaked-Malware-Domains-Registered-Kaspersky-Exits-USA---Cybersecurity-News-July-15-2024.mp3) 


![cybersecurity](https://media.mailhop.org/duocircle/images/2024/07/spf-permerror.jpg) 

Here’s an inside look at the latest [cybersecurity](/) news covering the 15 million emails stolen from Trello, Kaspersky’s exit from the U.S., what Revolver Rabbit is doing with 500,000 domains, the AT&T Data Breach, and **info-stealer malware** being distributed via Facebook ad campaigns. Let’s take a look!

## Email Addresses of 15 Million Trello Users Posted on Hacking Forum

A threat actor shared **over 15 million email addresses** of Trello users, collected by leveraging an [unsecured API](https://www.bleepingcomputer.com/news/security/over-400-000-life360-user-phone-numbers-leaked-via-unsecured-android-api/) (Application Programming Interface).

_Atlassian’s Trello is an online project management tool that is quite common among businesses for organizing tasks._ The threat actor goes by the name of “**emo**” and obtained the [email addresses](https://www.rd.com/article/what-can-someone-do-with-email-address-without-password/) of 15,115,516 Trello members back in January. The data in the profiles is public information, but the profiles also had **non-public email addresses**.

_Emo shared that he collected the data using an unsecured [REST API](https://www.ibm.com/topics/rest-apis), which allowed developers to query for public information of any profile by using their Trello ID, email, or username._ The threat actor **created a data set** with 500 million email addresses and fed it to the [API](/email-security/working-with-apis-successfully/) to find out if any of these were linked to Trello accounts, and got 15 million hits.

The **data is available for sale** on the Breached hacking forum and contains public Trello account information, email addresses, and full names that threat actors can use for targeted [phishing attacks](https://cointelegraph.com/news/hamster-kombat-phishing-scams-fake-airdrops) and [doxing](https://en.wikipedia.org/wiki/Doxing).

Atlassian [confirmed](https://www.bleepingcomputer.com/news/security/email-addresses-of-15-million-trello-users-leaked-on-hacking-forum/) that this API misuse was uncovered in January 2024, and they **made changes** to prevent unauthenticated users/services from making requests.

## Revolver Rabbit Gang Registers Half a Million Domains for Malware Attacks

The Revolver Rabbit cybercriminal gang has registered over 500,000 domain names for **targeting Windows and Mac systems** with [infostealers](https://www.darkreading.com/application-security/software-productivity-tools-hijacked-to-deliver-infostealers).

_The threat actors use [RDGAs (Registered Domain Generation Algorithms)](https://mysecuritymarketplace.com/reports/registered-dgas-the-prolific-new-menace-no-one-is-talking-about/) to register multiple domain names automatically **in an instant**._ These are similar to the DGAs that threat actors commonly use to generate potential destinations for C2 (Command and Control) communication. DGAs are usually embedded in malware strains and have only a handful of generated domains, but RDGAs remain with the threat actors, who register all the domains that are available.

The news of Revolver Rabbit using RDGAs to buy half a million domains was discovered by researchers at Infoblox, who also shared that the threat actors are distributing the [XLoader info-stealer](https://www.scmagazine.com/brief/automated-execution-capabilities-gained-by-new-xloader-malware-variants) using these domains to execute malicious files and collect sensitive data. The actor’s preferred naming format for the domains involves one or more dictionary words hyphenated together, followed by a five-digit number. Some of these are:

- app-software-development-training-52686\[.\]bond
- security-surveillance-cameras-42345\[.\]bond
- bra-portable-air-conditioner-9o\[.\]bond
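
A triage sketch for the naming format described above, added here as an example and not taken from Infoblox or the original post. The names `classify`, `triage` and `SAMPLE_LOG`, the log layout, the looser fallback pattern and the default `.bond` filter are all assumptions; the fallback exists because a strict five-digit rule misses the `-9o` example in the list.

```python
import re
from collections import defaultdict

# Constructed resolver log lines (timestamp, client, queried name); not real
# telemetry. The three names from the list above are kept defanged.
SAMPLE_LOG = """\
2024-07-15T09:12:01Z 10.0.4.17 app-software-development-training-52686[.]bond
2024-07-15T09:12:03Z 10.0.4.17 www.security-surveillance-cameras-42345[.]bond
2024-07-15T09:13:40Z 10.0.9.2 bra-portable-air-conditioner-9o[.]bond
2024-07-15T09:14:02Z 10.0.9.2 my-company-intranet.example
2024-07-15T09:15:11Z 10.0.4.17 route-66.example
2024-07-15T09:15:30Z 10.0.7.8 Self-Storage-Units-10432.BOND.
2024-07-15T09:16:00Z 10.0.7.8 cheap-flights-20240.example
"""

# Strict: one or more hyphenated words, then a five-digit number (format in the text).
STRICT = re.compile(r"^[a-z]+(?:-[a-z]+)*-\d{5}$")
# Loose (assumption): two or more words, then a short alphanumeric suffix that
# contains a digit, to cover variants such as the "-9o" example.
LOOSE = re.compile(r"^[a-z]+(?:-[a-z]+)+-(?=[a-z0-9]*\d)[a-z0-9]{1,5}$")


def normalise(name):
    """Lowercase, refang '[.]' and drop the trailing root dot."""
    return name.strip().lower().replace("[.]", ".").rstrip(".")


def classify(name, tlds=("bond",)):
    """Return 'strict', 'loose' or None for one queried name.

    tlds limits matching to the given TLDs; None matches any TLD. Only the
    label directly left of the TLD is tested, so multi-label public suffixes
    (co.uk and similar) are not handled.
    """
    labels = normalise(name).split(".")
    if len(labels) < 2:
        return None
    sld, tld = labels[-2], labels[-1]
    if tlds is not None and tld not in tlds:
        return None
    if STRICT.match(sld):
        return "strict"
    if LOOSE.match(sld):
        return "loose"
    return None


def triage(log_text, tlds=("bond",)):
    """Map each client to the sorted (domain, verdict) pairs it queried."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _, client, qname = parts
        verdict = classify(qname, tlds)
        if verdict:
            labels = normalise(qname).split(".")
            hits[client].add((".".join(labels[-2:]), verdict))
    return {client: sorted(found) for client, found in hits.items()}


if __name__ == "__main__":
    for client, found in sorted(triage(SAMPLE_LOG).items()):
        for domain, verdict in found:
            print(f"{client}\t{verdict}\t{domain}")
```

Treat a `loose` verdict as a lead for review, not a block decision: legitimate hyphenated names with a numeric suffix will also match once the TLD filter is lifted with `tlds=None`.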

Infoblox has been [tracking](https://blogs.infoblox.com/threat-intelligence/rdgas-the-next-chapter-in-domain-generation-algorithms/) Revolver Rabbit for almost a year, and the malicious operations of the gang are widespread, ranging from malware delivery, scams, and **routing traffic to malicious locations** to phishing and [spam campaigns](https://www.bleepingcomputer.com/news/security/hijacked-subdomains-of-major-brands-used-in-massive-spam-campaign/).

[![spam campaigns](https://media.mailhop.org/duocircle/images/2024/07/SPF-record-checker-1.jpg)](https://media.mailhop.org/duocircle/images/2024/07/SPF-record-checker-1.jpg)

## Kaspersky Ends Its Operations in the United States

[Kaspersky](/data-privacy/us-bans-kaspersky-what-to-know/) Lab, one of the most significant Russian cybersecurity organizations and antivirus software providers, issued a statement that it would start **shutting down all operations** in the U.S.

The news is in response to the sanctions by the OFAC (U.S. Treasury Department’s Office of Foreign Assets Control) on 12 Kaspersky Lab executives. The decision was the result of a thorough investigation that showed the organization’s operations in the U.S. **posed a risk to national security** due to the Russian government’s cyber capabilities and sway over the organization’s operations.

The OFAC also outlined that any person or business using Kaspersky products and services assumes all [cybersecurity risks](https://www.embroker.com/blog/top-cybersecurity-threats/). The organization was **banned from selling software** and providing any antivirus updates on 29 September 2023.

The organization has shared that **it will gradually wind down** all operations in the U.S. and eliminate all US-based positions [starting 20 July 2024](https://www.zetter-zeroday.com/kaspersky-lab-closing-u-s-division-laying-off-workers-2/).

## AT&T Data Breach Reveals Call Logs of 109 Million Customers

In other news, AT&T has been warning users of a [massive data breach](https://www.bbc.com/news/articles/cw99ql0239wo) where the threat actors made away with the **call logs of nearly 109 million customers**.

The logs were stored in an **online database** on the organization’s [Snowflake account](https://www.darkreading.com/threat-intelligence/snowflake-account-attacks-driven-by-exposed-legitimate-credentials). They were stolen between 14 and 25 April this year, following which AT&T filed a Form 8-K with the SEC, sharing that the stolen information includes call and text records of AT&T mobile users and of the customers of its MVNOs (Mobile Virtual Network Operators).

The stolen data contains telephone numbers, count of interactions, aggregate call durations, and **cell site identification numbers**. The exposed data does not include any customer names or the content of the calls or texts, but the [stolen data](https://www.theverge.com/2024/7/14/24198294/att-paid-370000-ransom-hacked-customer-data-deleted-may) does expose identities that threat actors can use to correlate communications metadata and publicly available information.

_AT&T had **already notified law enforcement** and started working with cybersecurity experts when the attack occurred, and the U.S. DoJ twice gave it permission to delay the public notification._ AT&T hinted that law enforcement has already apprehended one individual regarding the case and that the organization is implementing top-notch [phishing protection](/email/phishing-protection) measures to block similar unauthorized attempts from happening in the future.

All the former and current customers affected by the [breach](https://cybernews.com/security/billions-passwords-credentials-leaked-mother-of-all-breaches/) will soon **receive notifications on what to do**. In the meantime, you can use the links provided in [AT&T’s notification](https://www.att.com/support/article/my-account/000102979) to check if your phone number data was exposed. You can also download and check what data was stolen.

## Facebook Ads for Windows Desktop Themes Distribute Info-Stealing Malware

Threat actors are using [Facebook business pages](https://sproutsocial.com/glossary/facebook-business-page/) and ads to infect innocent victims with the **SYS01 password-stealing malware**.

The campaign was [discovered](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/facebook-malvertising-epidemic-unraveling-a-persistent-threat-sys01/) by researchers at Trustwave, who shared that the threat actors **promote Windows themes**, free game downloads, and [software activation cracks](https://www.theverge.com/2023/5/27/23739789/microsoft-windows-xp-activation-offline-crack) for applications. They are promoted via business pages, where the threat actors hijack existing pages and assume the business identity, tricking the pre-existing user base.

_The threat actors take out thousands of ads for different campaigns, and when a user clicks on one, they are taken to web pages designed as download pages of the ad’s promoted content._ If you click on the download buttons, the browser downloads a ZIP file archive that contains the [SYS01 info-stealer](https://www.pcrisk.com/removal-guides/26219-sys01-stealer). The malware is **extremely capable** and contains a ton of executables, DLLs, and PowerShell and PHP scripts to help threat actors steal data from [malware](/resources/malware-and-its-defense-mechanism)-infected systems.

[![Data Breach Statistics](https://media.mailhop.org/duocircle/images/2024/07/Office-365-migration.jpg)](https://media.mailhop.org/duocircle/images/2024/07/Office-365-migration.jpg)

The info-stealing malware runs in a virtual environment, helping it **evade detection** and establish persistence within the system, making away with browser cookies, browser credentials, and crypto wallets. The stolen data is stored in a folder temporarily before being sent to the threat actors, who use the stolen credentials to hijack more accounts for [malvertising](https://www.scmagazine.com/brief/malvertising-campaign-exploits-winscp-putty-for-ransomware).

The campaign is also spreading to other [social media](/email-security/simple-social-media-security-practices-your-business-should-adopt/) like **LinkedIn and YouTube**. _The best way to protect yourselves is to ensure you have robust [malware protection](/resources/sophos-alternatives), steer clear of such advertisements, and not download anything from **untrusted sources**_.


Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

