Case Studies

Detailed accounts of cyber incidents that actually occurred in Asia.

Blackpanda case studies describe incidents our team responded to in detail. To protect client privacy, all information is anonymised, and several real cases are blended together into a single representative example.


Fake CEO Phishing Message Unravels Hong Kong Charity's Hidden Cyber Risks

A gift card scam that hid malware, leaked credentials, and a subdomain open to hijacking.

A convincing CEO impersonation led to gift card fraud at a Hong Kong charity. Blackpanda's investigation confirmed the scam — and uncovered malware on an abandoned website, a subdomain vulnerable to hijacking, leaked staff credentials on criminal marketplaces, and a suspicious foreign login that no one at the organisation knew about.


The Phantom Ledger: A Central Hong Kong Business Association Hijacked Internationally Through a Senior Executive's Inbox

One compromised account, three countries, zero exfiltration — a forensics race against time in Central HK.

When a Business Association based in Central, Hong Kong, discovered a senior finance account was being accessed from international hubs, the risk to its reputation was immediate. Blackpanda's incident responders moved with operational force to contain the threat and verify the safety of sensitive records.


Akira Ransomware Locks Up a Hong Kong Maritime Investment Group After Criminals Walk In Through a VPN Account With No MFA

One stolen VPN login led to Akira encrypting core servers — see how Blackpanda traced the Veeam pivot and contained it.

One “valid login” was enough. Blackpanda traced the attacker’s route from SSL VPN access to Veeam credential theft and ransomware execution across core servers.


Email Phishers Impersonate Hong Kong Precision Manufacturing Firm, Tricking Customer Into Making Fraudulent Payments

Lookalike domain. Forged bank-letter PDFs. Evidence-led validation found no tenant compromise.

A Hong Kong precision manufacturing firm was impersonated via a lookalike email domain. Blackpanda traced Zoho-sent spoofing emails and fraud PDFs, including bank letters.


UNC5174 Hackers Whitelisted Wallets and Drained an estimated USD 3.3M in Crypto From a Hong Kong Securities Firm Through a Hijacked AWS API

Wallets quietly whitelisted. An AWS API abused to siphon funds. Blackpanda cut off the keys and blocked re-entry.

A Hong Kong securities firm spotted unauthorised crypto withdrawals via an AWS API. Blackpanda traced Vshell backdoors, contained keys, and blocked re-entry.


Email Phishers Offer Fake Bonuses to Employees of Sustainability Company to Steal Login Credentials and Issue Fraudulent Invoices

Bonus QR-code phish. Mailboxes breached. Invoice fraud blocked.

A “bonus” email led staff to a QR-code login trap and criminals into Microsoft 365 mailboxes. Blackpanda traced the intrusion despite missing audit logs and removed hidden mailbox manipulation. A practical hardening plan followed — spanning MFA, Conditional Access, and finance-grade payment verification.


Deleted Shared Drive Cripples Singapore Print Firm as It Suffers Second Ransomware Attack in Two Months

Encrypted once, sabotaged again. Blackpanda traced the VPN break-in and mapped controls, keeping attackers from coming back.

LockBit 5.0 broke into a Singapore print services firm via weak VPN credentials, encrypted a file server, then wiped NAS volumes. Blackpanda traced the path.


Australian Insurance Company Ransacked by LockBit Ransomware that Blocked Several Business-Critical Systems

Unattended AnyDesk password. Staged archive upload. LockBit 3.0 encrypting business-critical systems.

LockBit 3.0 struck an Australian reinsurer after unattended AnyDesk access. Blackpanda traced the break-in, assessed data-theft risk, and guided recovery.


ClickFix Hits North Asian Web Services Platform; Contained by Blackpanda

A WordPress admin takeover turned a trusted site into a malware delivery channel — Blackpanda confirmed scope and shut it down.

A North Asian web services platform discovered its South Korea WordPress site was compromised via leaked admin credentials. Blackpanda confirmed no data theft, removed malicious scripts, and hardened web controls.


Akira Intrusion Hits Asia-Pacific Manufacturer; Encryption Avoided

A SonicWall VPN intrusion signaled Akira ransomware — Blackpanda contained it to two domain controllers before encryption.

An Asia-Pacific industrial manufacturing company spotted credential dumping on a domain controller after SonicWall SSL-VPN access was abused. Blackpanda contained the attacker to two systems and prevented Akira deployment.


Phobos Ransomware Hits Design Firm; Blackpanda Responds

Brute-force logins. Phobos ransomware. Multi-site disruption contained.

A regional design firm faced a multi-site Phobos ransomware outbreak that hit critical servers and disabled endpoint protection. Blackpanda incident responders were activated through the customer's IR-1 subscription to contain spread and drive a hardening roadmap.


Regional Services Platform’s Google Workspace Hijacked; Blackpanda IR-1 Shuts It Down

Foreign logins. A hijacked Android device. Google Workspace ads and emails under attacker control.

A regional services platform’s Google Workspace account was hijacked to run rogue ads and delete emails. See how Blackpanda’s incident responders, activated through an IR-1 subscription, traced the intrusion, cut off access, and strengthened account security.


Qilin Ransomware Cripples ESXi; Blackpanda DFIR Fights Back

Containing a hypervisor-level Qilin ransomware attack on VMware ESXi.

See how Blackpanda contained a hypervisor-level Qilin ransomware attack on VMware ESXi, clarified data-theft risk, and guided a safer, faster recovery.


MFA Bypass Attack at Singapore IT Services Firm — Blackpanda IR-1 Containment of AiTM Credential Theft

Credentials stolen. MFA bypassed. And an attacker hiding behind a Cloudflare-masked phishing flow.

A Singapore IT services firm was compromised through an adversary-in-the-middle phishing attack that harvested credentials and bypassed MFA. The attacker accessed a corporate mailbox, registered a malicious Azure AD application, and launched a phishing campaign to over 500 recipients. Blackpanda IR-1 responders contained the incident and guided remediation.


Server Weaknesses Exposed at Regional Entertainment Firm — Blackpanda Containment in 48 Hours

A missing server. Suspicious administrator logins. Unauthorized virtual machines in the shadows.

A regional entertainment company discovered unauthorized virtual machines, lateral movement, and suspicious RDP activity across its servers. Blackpanda IR-1 responders contained the threat, reconstructed attacker activity, and guided recovery despite missing evidence and reformatted systems.


Exchange Server Exploited: Hackers Breach Hong Kong Investment Firm — Blackpanda Containment in 24 Hours

A vulnerable Exchange server. Persistent webshells. Full Active Directory compromise in motion.

A Hong Kong investment firm suffered a full Active Directory compromise through unpatched Microsoft Exchange ProxyShell vulnerabilities. Blackpanda IR-1 responders contained the attack, traced the threat actor, and restored control within 24 hours—proving the value of always-on cyber first response.


Hackers Hijack Hong Kong Law Firm’s Website — Blackpanda Responds Within Hours

Search results altered. Webshells deployed. And an attacker hiding behind layers of PHP scripts.

A Hong Kong law firm’s website was hijacked through a WordPress plugin exploit, defacing search results and planting backdoors. Blackpanda’s IR-1 responders traced and removed the threat within hours, preventing deeper compromise.


Singapore Retail Cyber Fraud Stopped by Blackpanda IR-1

Compromised credentials. Fraudulent accounts. Unauthorized redemptions.

See how a Singapore Retail Group stopped a gift card fraud attack with Blackpanda’s IR-1. Rapid incident response contained losses, uncovered vulnerabilities, and delivered long-term resilience.


Threat Signals Identified & Contained at a Hong Kong IoT Service Provider

RDP abuse. PowerShell misuse. No breach — but warning signs everywhere.

A Hong Kong IoT provider faced RDP abuse and PowerShell misuse. Blackpanda ODIR contained the risk. Learn how IR-1 cuts costs 12x and speeds up response.


Inside the Ransomware Containment at a Singapore Commodity Trading Firm

Encrypted workstation. Ransom note found. Threat neutralized in time.

How Blackpanda contained a Phobos ransomware attack at a Singapore firm — and how IR-1 would have saved 9x in costs.


Private Hospital Falls Victim to Business Email Compromise

In March 2023, a private hospital in Southeast Asia was hit by a business email compromise (BEC) attack. The hospital suffered a serious and prolonged impact on its clinical operations and revenue.


Data Breach at a Retail Company

In November 2022, a well-regarded regional retail company based in Southeast Asia suffered a major data breach that resulted in customer information being compromised.


Ransomware Attack on a Boutique Hotel

In January 2023, a boutique hotel in Southeast Asia was hit by a ransomware attack and lost sensitive information about guests who had visited from around the world.


Ransomware Attack Targeting a Private School

In early January 2023, a private school covering kindergarten through high school fell victim to a ransomware attack. The school is known for the quality of its education and is popular with local students as well as students from abroad. The attack was carried out by the Maze ransomware group and was highly sophisticated. The school was asked to pay a ransom of approximately USD 51,000 to regain access to its systems.


Ransomware Attack on a Securities Firm Wipes Out More Than $5 Million

In February 2023, a mid-sized securities firm with a large customer base in East Asia was hit by a ransomware attack. The attackers gained access to the firm's internal network and encrypted critical files and data, rendering them unusable.
