Tesla, Duolingo, IRBM Hit in Wave of Data Breach Claims; Avalon Malware Emerges

Events tracked
146
Critical exposure
24

Summary

Today's intelligence reveals a broad, opportunistic threat landscape where high-profile consumer brands and government entities are equally targeted. The alleged breach of Tesla and Duolingo, alongside claims against Malaysia's tax authority and a Saudi medical group, indicates attackers are indiscriminately pursuing data with high resale or extortion value. Separately, the disclosure of the Avalon malware framework and a critical Linux kernel flaw demands immediate defensive attention, as both enable low-barrier, high-impact intrusions.

Today's developments

A significant cluster of alleged data breaches and leaks emerged today, spanning critical infrastructure, government, and consumer sectors. An actor known as CosmoCat claims to have breached Tesla (United States / Automotive), while Xzero alleges a breach of Duolingo (United States / Education). In the Middle East, actor p41ccz12a claims to have data from Dr. Sulaiman Al Habib Medical Group (Saudi Arabia / Hospital & Health Care), and actor dezetat alleges a leak from the Inland Revenue Board of Malaysia (IRBM) (Malaysia / Government Administration). Other notable claims include breaches of Singapore Land Authority (SLA) (Singapore / Real Estate), Tejarat Bank (Iran / Banking & Mortgage), and the Ministry of Education of Libya (Libya / Education). The HuntsvilleSOFNetwork (United States / Military Industry) was also allegedly breached by actor silentasdark.

  • An actor known as CosmoCat claims to have breached Tesla (United States / Automotive).
  • Actor Xzero alleges a breach of Duolingo (United States / Education).
  • Actor dezetat claims a leak from the Inland Revenue Board of Malaysia (IRBM) (Malaysia / Government Administration).
  • Actor p41ccz12a claims to have data from Dr. Sulaiman Al Habib Medical Group (Saudi Arabia / Hospital & Health Care).
  • Actor Brut_accs claims a leak of an "England Database" (United Kingdom / unspecified sector).
  • Actor fishka alleges a leak from Tejarat Bank (Iran / Banking & Mortgage).
  • Actor EvaN47 claims a breach of the Ministry of Education of Libya (Libya / Education).
  • Actor silentasdark claims a breach of HuntsvilleSOFNetwork (United States / Military Industry).
  • Actor moneyismoney claims a breach of the Kejaksaan Officer Database (Indonesia / Government Administration).

Industry researchers have also flagged several critical developments. Security firm runZero disclosed seven unpatched vulnerabilities in FatFs, a filesystem library embedded in millions of devices, from security cameras to industrial controllers. Separately, a new Linux kernel flaw dubbed Bad Epoll (CVE-2026-46242) allows unprivileged users to gain root access, affecting desktops, servers, and Android. A new modular malware framework called Avalon has been discovered, which bundles credential theft, lateral movement, and ransomware capabilities (CrownX) into a single multi-stage phishing chain. Additionally, North Korea-linked actors were found distributing malicious npm packages mimicking Rollup polyfills to steal developer secrets. The Medtronic data breach was confirmed to impact 3.8 million individuals, and an alleged Scattered Spider hacker was extradited to the US. Finally, Google and the FBI disrupted the NetNut residential proxy network, which powered millions of compromised devices for criminal and state-sponsored actors.

Threat landscape signals

Today's event data shows a pronounced concentration of activity from hacktivist and financially motivated actors. The Trenggalek Cyber Army (15 events) and B4dB0y (13 events) dominate the defacement and DDoS categories, primarily targeting India and Iran. The United States remains the top victim country (21 events), driven by a mix of ransomware, data breaches, and defacements. The Iran (12 events) and Saudi Arabia (8 events) clusters suggest sustained regional targeting, likely tied to geopolitical tensions. The emergence of the Avalon framework is particularly concerning, as it lowers the technical barrier for ransomware operations by combining multiple attack phases into a single tool. Defenders should prioritize patching for the Bad Epoll Linux flaw and the FatFs library vulnerabilities, as these provide reliable initial access vectors across a wide range of environments.

All incidents are reported as alleged claims by threat actors and have not been independently verified by GrayscaleInsight.

Threat intelligence is reported for security awareness purposes only and does not constitute endorsement of any actor, group, or activity.

Recent editions