---
title: "Cybersecurity News Update, Week 44 of 2022 | DuoCircle"
description: "The digital world is gripped with alarming news and novel scams each week."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/announcements/cyber-security-news-update-week-44-of-2022/"
---

Quick Answer

Week 44 of 2022 covered six items. Russian e-scooter rental Whoosh confirmed a breach after attackers offered 7.2 million customer records, including partial payment data and promo codes, on a hacking forum. An extortion campaign emailed website owners worldwide threatening reputation attacks and DDoS unless small Bitcoin payments were sent. Lookout researchers tied the Android malware families BadBazaar and MoonShine to Chinese state-aligned operators targeting Uyghur and Tibetan communities. The IceXLoader malware reached version 3.3.3, dropping in-memory payloads including stealers via phishing-delivered ZIP attachments. Sucuri tracked a long-running SEO poisoning campaign that compromised more than 15,000 WordPress sites to redirect visitors through fake Q&A pages and inflate attacker-owned domains in search results. Following a deadly explosion in Istiklal, Turkey temporarily restricted access to Twitter, Facebook, Instagram, and TikTok citing public order.


![cybersecurity updates](https://media.mailhop.org/duocircle/images/2022/11/sender-policy-framework.jpg) 

The digital world is gripped with alarming news and novel scams each week. This week’s cybersecurity bulletin shares the top cybersecurity news covering **Russian data breaches**, extortion scams, a fresh IceXLoader malware campaign, China’s spying activities, and [Google’s SEO poisoning](https://www.bleepingcomputer.com/news/security/15-000-sites-hacked-for-massive-google-seo-poisoning-campaign/). Let us take a look.

## Whoosh Data Breach, 7.2 Million Customer Records Sold

**Whoosh**, Russia’s scooter-sharing service, suffered a [data breach](/email-security/top-data-breaches-of-the-year-and-lessons-for-2022/), and the hackers were selling a database containing 7.2 million customer records.

Whoosh operates in nearly 40 cities and has 75,000 scooters. The threat actor hacked Whoosh earlier, and at the time the organization confirmed via the Russian media that its IT experts had handled the attack. However, the hacker then listed the database of **stolen customer records** for sale on hacking forums, following which the organization admitted the data leak and [clarified](https://ria.ru/20221114/whoosh-1831302705.html) that it is working with law enforcement to halt the cyberattack.

_The stolen information includes promotional codes, partial user identification details such as email addresses, phone numbers, first names, and payment cards that could be used for financial harm._ The [threat actor](/email-security/threat-actors-abuse-linkedins-smart-links-in-evasive-email-phishing-attacks/) outlined that the database has partial card details of nearly 1,900,000 customers and over 3,000,000 promo codes that buyers could utilize.

The deal on the cybercriminal forum states that the threat actor will only sell the database to 5 individuals for 0.21490980 bitcoins or about $4200 each. The news showcases how the organization failed to protect its customers’ information and exposed 7.2 million individuals to **financial and personal harm**.

[![extortion scam](https://media.mailhop.org/duocircle/images/2022/11/email-smtp-service-4627.jpg)](https://media.mailhop.org/duocircle/images/2022/11/email-smtp-service-4627.jpg)

## Extortion Scam Targeting Global Websites

Global websites are being targeted by threat actors utilizing a new extortion scam. The threat actors claim to have hacked the website’s servers and **demand a $2500 ransom** as an incentive not to leak stolen data.

> **Team Montesano**, the hackers behind the [extortion scam](https://www.getcybersafe.gc.ca/en/blogs/extortion-phishing-scams-what-they-are-and-how-protect-yourself), send emails to the website owners with the subject, _“Your website, databases, and emails have been hacked.”_

The email is not targeted: it goes to all kinds of recipients, including government websites, organizations, and government agencies. Besides saying that they will **leak the stolen data**, the threat actors also threaten to damage the website’s reputation and get it blacklisted if the victim does not succumb to the $2500 demand.

The payments are directed to two Bitcoin addresses, and some victims have already paid ransom demands to these addresses. With the **mass-email campaign**, the threat actor is simply making the most of the current security situation and the panic caused by the increase in [cybercrimes](https://www.kaspersky.co.in/resource-center/threats/what-is-cybercrime), playing on the fear of website owners. The extortion campaign has been around since 2018 and has been active again recently.

The threat actors have also used [bomb threats](https://www.bleepingcomputer.com/news/security/new-bomb-threat-email-scam-campaign-demanding-20k-in-bitcoin/), hitman contracts, ransomware threats, and [CIA investigations](https://www.bleepingcomputer.com/news/security/new-sextortion-email-uses-cia-investigation-as-scare-tactic/) as scare tactics. You should not pay any attention to such threats; **mark the emails as spam** and delete them.

## Android Malware Linked to Chinese Spies

A spyware known as **“BadBazaar”** has been discovered on Android, which has been targeting China’s ethnic and religious minorities.

**The MalwareHunterTeam** has discovered BadBazaar, which follows the infrastructure of another spyware that was employed by the state-sponsored [cybercriminal group APT15](https://www.bleepingcomputer.com/news/microsoft/microsoft-seizes-sites-used-by-apt15-chinese-state-hackers/) to target the Uyghurs in 2020. BadBazaar consists of over 110 applications that have been present since 2018. They are distributed via third-party stores and are **not found on Google Play**, Android’s official app store.

_The spyware collects a ton of information, including location, installed applications, call logs, contacts, SMS history, device, and WiFi information, and call recordings._ It can even take new photos and extract them. A new campaign with 50 applications delivered the newer, Moonshine version of the spyware that was promoted to **Uyghur-speaking Telegram** channels.

Researchers at Lookout have [discovered](https://www.lookout.com/blog/uyghur-surveillance-campaign-badbazaar-moonshine) that the Moonshine version is **Chinese** and written in Simplified Chinese. The incident showcases how China continues surveillance of minorities despite [increased pressure and outcry](https://www.amnesty.org/en/latest/news/2021/06/china-draconian-repression-of-muslims-in-xinjiang-amounts-to-crimes-against-humanity/) from human rights protection organizations.

## IceXLoader Malware Infecting Homes, Dropped Via Phishing

A new phishing campaign infects corporate and home devices with a fresh [IceXLoader malware](https://thehackernews.com/2022/11/new-icexloader-malware-loader-variant.html) version. The malware was discovered in the summer of 2022, and the latest version, 3.3.3, enhances its functionality with a **multi-stage delivery process**.

IceXLoader is aggressively promoted on cybercriminal forums and infects systems using a ZIP file which is [delivered](https://minerva-labs.com/blog/new-updated-icexloader-claims-thousands-of-victims-around-the-world/) via [phishing emails](/content/phishing-prevention/phishing-email). The ZIP extractor creates a hidden folder to drop the second-stage executable that fetches a PNG from a **malicious URL** (Uniform Resource Locator) and converts it into the IceXLoader payload, which is stored as an obfuscated DLL (Dynamic Link Library) file. Once the payload decrypts, the malware checks for sandboxes and is finally loaded.

The malware is highly sophisticated. It collects the _IP (Internet Protocol) address, username, machine name, Windows OS version, installed security, hardware information, and timestamps_ and creates a registry key for persistence. The malware also uses advanced evasion to bypass [Microsoft’s Antimalware Scan Interface](https://community.tanium.com/s/article/Windows-AntiMalware-Scan-Interface), a part of **Windows Defender**, and exfiltrates the data to the threat actor-controlled C2 (Command and Control) server.

Security researchers continuously inform affected organizations and homeowners, but new victims are added to the list daily. It is recommended to familiarize yourself with phishing tactics and avoid clicking on **malicious links** in emails.

## Google SEO Poisoning Campaign Compromises 15,000 Websites

A black hat SEO (Search Engine Optimization) campaign is underway by hackers who have already compromised nearly 15,000 websites. The threat actor redirects the site’s visitors to fake discussion forums.

The attacks were [observed by Sucuri](https://blog.sucuri.net/2022/11/massive-ois-is-black-hat-redirect-malware-campaign.html), who noticed that the compromised websites contained 20,000 files as part of the **SEO attack campaign**. Most of the sites attacked by the scam are WordPress websites. Sucuri believes that the threat actor is conducting the campaign to generate indexed pages, so the authority and rank of the **Q&A discussion forum** increase on Google.

However, the campaign may also be priming the sites to **drop malware** in the future or for [phishing](/content/phishing-prevention/what-is-phishing). The hackers modify WordPress PHP files to inject redirects into them and drop their own PHP files using random legitimate file names, so they are not recognized quickly. These infected files contain malicious code that authenticates the user’s login status and redirects them to **“https://ois.is/images/logo-6[.]png”** if the user is not logged in.

[![2FA (Two Factor Authentication)](https://media.mailhop.org/duocircle/images/2022/11/smtp-email-server-5826.jpg)](https://media.mailhop.org/duocircle/images/2022/11/smtp-email-server-5826.jpg)

The threat actors utilize multiple domains and hide behind **Cloudflare servers** to mask their activities. Individuals are advised to steer clear of any such pages, and it would be best for website owners to upgrade all WordPress plugins and implement [2FA (Two Factor Authentication)](https://www.techtarget.com/searchsecurity/definition/two-factor-authentication#:~:text=Two%2Dfactor%20authentication%20%282FA%29%2C%20sometimes%20referred%20to%20as,resources%20the%20user%20can%20access.).
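For site owners who want to check their own installation, the sketch below walks a WordPress directory and flags PHP files that reference the redirect host quoted above. It is an added example, not code from Sucuri or from this article; the base64 check is an assumption about how such a reference might be hidden, and the sample file names and URL path are constructed.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

# Host from the redirect URL quoted in the article (refanged).
INDICATOR_HOST = "ois.is"
# Match the host or its subdomains, but not longer names that merely end in it.
HOST_RE = re.compile(
    r"(?<![A-Za-z0-9-])" + re.escape(INDICATOR_HOST) + r"(?![A-Za-z0-9-])",
    re.IGNORECASE,
)
# Runs of base64 alphabet long enough to hide a URL (assumed threshold).
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decoded_literals(text):
    """Yield the decoded form of every base64-looking run in text."""
    for match in B64_RE.finditer(text):
        core = match.group(0).rstrip("=")
        core += "=" * (-len(core) % 4)  # restore padding before decoding
        try:
            yield base64.b64decode(core).decode("latin-1")
        except binascii.Error:
            continue  # not valid base64, ignore


def classify(text):
    """Return 'plain', 'base64', or None for one file's contents."""
    if HOST_RE.search(text):
        return "plain"
    if any(HOST_RE.search(d) for d in decoded_literals(text)):
        return "base64"
    return None


def scan_tree(root):
    """Return sorted (relative path, match kind) for flagged .php files."""
    root = Path(root)
    hits = []
    for path in root.rglob("*.php"):
        kind = classify(path.read_text(encoding="utf-8", errors="replace"))
        if kind:
            hits.append((path.relative_to(root).as_posix(), kind))
    return sorted(hits)


def scan_constructed_sample():
    """Build a small constructed tree in a temp dir and scan it."""
    url = "https://ois.is/constructed-path"  # path is constructed
    encoded = base64.b64encode(url.encode()).decode()
    files = {
        "wp-blog-header.php": "<?php require __DIR__ . '/wp-load.php';",
        "wp-includes/constructed-a.php": f'<?php $u = "{url}";',
        "wp-content/constructed-b.php": f'<?php $u = base64_decode("{encoded}");',
        "wp-content/constructed-c.php": '<?php $u = "https://chamois.is/";',
        "wp-content/notes.txt": url,  # not PHP, so not scanned
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in files.items():
            target = Path(tmp, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel_path, kind in scan_constructed_sample():
        print(f"{kind:7} {rel_path}")
```

A hit only tells you which files to review; comparing flagged core files against a clean copy of the same WordPress release shows what was actually changed.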

## Turkey Suspends Social Media Following Blast

Following a terrible blast in Istanbul, Turkey, the country’s authorities have restricted access to social media websites and applications such as _Instagram, Facebook, Twitter, Telegram, and YouTube_ and initiated a nationwide ban.

The blast has been recognized as a **terrorist attack** that took eight innocent lives and left 81 injured. Turkish residents received a [broadcast ban](https://twitter.com/rtukkurumsal/status/1591796766399135744) to discourage the dissemination of information circulating about the attack, following which the ISPs (Internet Service Providers) halted all access to the above-mentioned social media applications and platforms.

WhatsApp was not halted since it did not cause any significant disruption, but NetBlocks confirmed the other applications were restricted from Sunday afternoon. This is not the only news, since Turkey’s President Erdoğan proposed a **“disinformation”** law to penalize social media users and journalists for **spreading fake information** or news, and those violating the rule could face up to 3 years in prison.

The law is in effect as of now, and access to **social media platforms** was given back gradually, as [tweeted](https://twitter.com/netblocks/status/1591987664428965889) by NetBlocks.


Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.
