-
World Leaks, a rebranded ransomware operation, dumped nearly 8.5 terabytes of stolen files from Hungarian media company Mediaworks on the dark web last week.
-
The leaked data reportedly contains internal editorial notes suggesting the company sought Moscow’s assistance to publish content discrediting Ukrainian President Zelensky.
-
In a separate campaign, hackers are now impersonating Microsoft Teams IT support staff to trick employees into installing backdoor malware inside corporate networks.
A cyber-extortion group (World Leaks) just claimed responsibility for a ransomware attack on Mediaworks, a major Hungarian media company linked to Prime Minister Viktor Orbán’s political circle.
The group dumped nearly 8.5 terabytes of allegedly stolen files on their dark website last week.
Ransomware Group Hits Pro-Orbán Media Giant
Mediaworks confirmed the incident on Friday. The company stated that a large volume of illegally obtained data may have reached unauthorized individuals and announced it had launched a formal investigation. Mediaworks also urged journalists not to report on the leaked material, arguing that handling data acquired through criminal means is itself a criminal offense.
According to Mediaworks, obtaining data illegally is a crime, and any use, processing, transmission, or disclosure of such data, in any form, also qualifies as a criminal act.
Independent Hungarian media outlets reported on the breach anyway. The leaked documents reportedly contain notes from a January 2025 editorial meeting, where someone suggested reaching out to Moscow for help producing articles aimed at discrediting the President of Ukraine, Volodymyr Zelensky. Mediaworks then threatened legal action against local outlet Media1 and demanded that it remove its coverage.
Media1 stood its ground. According to the outlet, the request amounted to a censorship attempt with no legal basis. The publication argued the information serves a clear public interest, especially given Hungary’s political direction under Orbán and the country’s contentious relationship with Russia during the ongoing war in Ukraine. Recorded Future News could not independently verify the leaked data or the reported editorial memo.
Mediaworks operates dozens of newspapers, regional dailies, magazines, and online outlets, and is widely seen as part of a pro-government media network. World Leaks surfaced in early 2025 as a rebrand of the Hunters International ransomware operation.
The group focuses on stealing and threatening to publish sensitive data rather than encrypting victims’ systems. The Mediaworks attack appears to be its first known operation in Hungary.
Hackers Impersonate Microsoft Teams IT Support to Plant Malware
A separate and equally troubling campaign is now targeting corporate employees through Microsoft Teams. Mandiant, the Google-owned cybersecurity firm, published a new report attributing the operation to a newly identified threat cluster called UNC6692. The group weaponizes email flooding, phishing messages, and malicious browser extensions to infiltrate company networks.
The attack begins with a wave of emails flooding the target’s inbox. The attacker then contacts the victim on Microsoft Teams, posing as an IT support worker from outside their organization and offering help with the disruption. The attacker instructs the victim to install what appears to be a patch designed to stop the spam.
Clicking that link opens a counterfeit website disguised as a “Mailbox Repair Utility.” The site instructs the user to download a script that installs a malicious browser extension called SnowBelt.
SnowBelt works as a backdoor, allowing attackers to retain access to corporate accounts and move through internal systems without repeated authentication. Once active, the extension downloads additional malware tools called SnowGlaze and SnowBasin, along with scripts that run further malicious code.
What Both Attacks Reveal
Both incidents highlight how targeted and deliberate modern cyberattacks have become. World Leaks chose a politically sensitive media company, and UNC6692 chose the workplace tool that employees trust most. The damage in both cases extends far beyond stolen data.
The Mediaworks breach carries political consequences that could shape an entire country’s media narrative. The Teams campaign proves that even a routine IT support conversation can become a doorway into a corporate network.
We’ve documented similar Microsoft Teams impersonation campaigns that show just how effective this tactic has become for attackers. Verifying IT requests through official internal channels, avoiding unsolicited download links, and monitoring accounts for unusual activity remain the most practical defenses available today.
