Brazilian Citizens Warned of Alien Attack, D-Link Devices Found Vulnerable, and Other Cybersecurity News

We’ve compiled the most significant cybersecurity news from the past week.

• Canadian intelligence agencies have used a court order for the first time to remotely wipe citizens' devices.
• A macOS infostealer evaded AI analysis by injecting fake error messages.
• Europol dismantled the Amadey and StealC malware distribution networks.
• Hackers in Brazil sent out emergency alerts about an "alien attack."

Canadian Intelligence Agencies Use Court Order for Remote Device Wiping

The Canadian Security Intelligence Service obtained an unprecedented court order for remote intervention on infected servers, home routers, and IoT devices within the country. This was reported by Todayville.

The botnets operated using a classic relay scheme. By routing traffic through compromised devices, hackers disguised themselves as ordinary home users or internet service providers. This allowed them to scan critical infrastructure networks (particularly in the energy sector) and Canadian government and military agencies without detection.

The targets for the cleanup included servers based in Canada, small business and home routers, as well as smart devices such as doorbells, security cameras, TVs, and other Wi-Fi-enabled gadgets.

The Canadian federal court only declassified a public version of the ruling in mid-June 2026, although the order was issued over two years prior. It emphasized that users' personal data was not intercepted, and any accidentally collected information was immediately destroyed.

According to media reports, one of the main issues with such attacks lies in outdated equipment. Malware is often implanted in IoT devices with factory default passwords or in devices that are no longer supported.

This was confirmed by experts from the XLab team, who discovered a previously unknown botnet named AryStinger, which exploited outdated D-Link home routers models DIR-850L and DIR-818LW.

During the malicious campaign, hackers compromised over 4,000 routers, turning them into proxy servers for relaying malicious traffic and executing distributed tasks.

Researchers noted that in addition to using devices as launchpads for attacks, AryStinger can interfere with DNS settings, intercept victims' browser sessions, and secretly monitor and steal all incoming and outgoing network traffic. Approximately 48% of all infections occurred in South Korea, China, Sweden, Malaysia, and Singapore.

macOS Infostealer Evades AI Analysis with Fake Error Injection

Researchers from SentinelOne discovered new macOS malware called Gaslight. This infostealer specifically targets automated code analysis and reverse engineering tools powered by AI.

Analysts strongly associate the malware with North Korean hackers. In addition to standard backdoor functionality and data theft, the Gaslight file contains a special 3.5 KB loader that includes 38 fabricated system messages formatted using Markdown and templates.

Fake error messages. Source: SentinelOne.

These strings act as prompt injections for LLM models. The fake messages mimic developer logs, crash reports, memory overflow errors, and token expiration warnings. Their goal is to make the AI agent doubt the validity of its own analysis session.

Experts suggest that by providing this context to AI platforms, hackers hope that the language model will halt its operation, truncate the report, or refuse to continue analyzing the "damaged" sample, citing non-existent technical errors.

Europol Dismantles Amadey and StealC Malware Distribution Networks

Europol, in collaboration with law enforcement from several countries and Microsoft specialists, dismantled the SocGholish, Amadey, and StealC malware distribution networks.

The Amadey Trojan served as a downloader for gaining initial access to systems, after which the StealC infostealer was deployed. StealC specialized in stealing passwords, credit card information, and cryptocurrency wallet seed phrases.

Results of the coordinated operation included:

• 326 servers and 142 domains seized;
• crypto assets worth over $47 million identified and frozen;
• a database containing over 27 million stolen credentials confiscated;
• approximately 15,000 WordPress sites previously hacked for covert distribution of the SocGholish virus disguised as system updates cleaned.

In Hong Kong, police arrested members of the financial arm of the criminal syndicate. This was reported by the South China Morning Post.

The 69 detained individuals, aged between 18 and 60, were members of a group specializing in laundering proceeds from cross-border investment fraud using cryptocurrencies.

To cover their tracks and legitimize criminal funds, the perpetrators used an extensive network of fake accounts registered under straw persons (drops). Police estimate that the fraudsters laundered around $25.6 million.

Hackers in Brazil Send Emergency Alerts About "Alien Attack"

On the night of June 19-20, 2026, Brazil's national emergency alert system (Defesa Civil Alerta) was targeted in a cyberattack. This was reported by G1.

As a result of the infrastructure breach, residents in several states received "emergency alerts" accompanied by loud sirens on their smartphones — the alert even triggered on devices set to silent mode.

Instead of real notifications about natural disasters, the hackers sent out 10 messages with nonsensical and bizarre text. Most contained the word "misanthropy," included slang and typos, and in some regions, the alerts warned of an alleged "alien attack."

Source: G1.

Preliminary data from the Ministry of Integration and Regional Development indicates that the attack targeted the government’s Cell Broadcast alert mechanism.

The hackers likely compromised the accounts of Civil Defense staff. Gaining access to the platform, they remotely initiated a high-priority alert (Alerta Extremo), which allows bypassing system restrictions on sound and notifications on smartphones.

To stop the spam attack, authorities had to take extreme measures: at 1:30 AM, the alert system's servers were forcibly shut down. At the time of writing, the Defesa Civil Alerta platform had been partially restored, but the authority to send alerts was restricted solely to the National Center for Risk and Disaster Management.

ZachXBT Identifies Hacker Arrested in Poland

European law enforcement, with support from the FBI and the U.S. Department of Homeland Security, arrested four members of a hacking group. This was reported by the Central Bureau of Cybercrime in Poland (CBZC).

The suspects are believed to have conducted SIM swap attacks, stolen digital assets from cryptocurrency exchanges, and engaged in large-scale money laundering.

According to the investigation, the hackers used specialized software and social engineering methods to breach the IT infrastructure of companies collaborating with telecommunications operators. By accessing employees' emails, they illegally cloned victims' phone numbers.

This interception allowed the perpetrators to bypass two-factor authentication, take control of user accounts on cryptocurrency exchanges, and withdraw digital assets.

The stolen funds were laundered through a complex distributed financial network, including:

• personal bank accounts in Poland and abroad;
• international payment platforms;
• cryptocurrency wallets.

The total amount of laundered funds is estimated in the tens of millions of Polish zlotys. All four suspects face up to 25 years in prison.

Authorities have not disclosed the identities of the arrested individuals; however, on-chain researcher ZachXBT stated that one of them is Wojtek Kulisz — a Polish hacker specializing in social engineering, known online by the nickname Merry.

https://t.me/investigations/344

The analyst reached this conclusion by matching designer clothing and jewelry seen in police operation footage during the search with items Kulisz had previously showcased on his Instagram account.

Also on ForkLog:

• Polymarket to compensate users for losses after contractor attack.
• AI crime risk models were disabled in Bristol due to errors.
• The South Korean regulator fined Bithumb for data leak.
• The U.S. Justice Department seized infrastructure of the "crypto laundry" Huione Group.
• 16 million ADA were withdrawn from SecondFi wallets.
• In Thailand, illegal mining linked to $300 million money laundering was uncovered.
• Five Eyes warned of an increase in AI cyberattacks.
• The crypto industry set a record for the number of hacks.
• A hacker breached the L2 network Taiko.
• Axelar reported a bridge hack with Secret Network worth $4.67 million.
• MEV bot Jaredfromsubway.eth lost over $7.5 million.

What to Read This Weekend?

The gap between dollar and euro stablecoins is measured not in percentages — it’s a staggering 200-fold. In a new piece, ForkLog attempts to explore why the EU lost the blockchain race before it even began and how the situation can be improved.