Nova Ransomware Group Claims Attack on KPMG, Threatens to Leak 500GB of Data

The Nova ransomware group has claimed responsibility for an attack against KPMG, one of the Big Four professional services firms, threatening to release 500GB of stolen data if ransom demands are not met.

The listing appeared on Nova's dark web leak site on January 23, 2026, with a 10-day countdown timer. The group claims to have exfiltrated business services data and has provided samples as proof of compromise. A tree structure of the allegedly stolen files is also available for download.

KPMG provides audit, tax, and advisory services to many of the world's largest organizations. KPMG LLP North America operates as the independent U.S. member firm of KPMG International Cooperative.

Nova Ransomware Background

Nova, formerly known as RALord, is a fast-growing ransomware-as-a-service operation that emerged in late 2024. The group employs double-extortion tactics—encrypting victim systems while exfiltrating data to pressure payment.

The operation heavily targets the IT, technology, manufacturing, and healthcare sectors, with previous victims in the UAE, France, Singapore, and the United States.

KPMG has not publicly confirmed the incident. This story will be updated if additional information becomes available.
