Several Polish banks hacked, information stolen by unknown attackers

2017-02-03 Badcyber

https://badcyber.com/several-polish-banks-hacked-information-stolen-by-unknown-attackers/


BadCyber reported a major compromise affecting multiple Polish commercial banks after unusual network traffic and unauthorized files were found on workstations and servers. The suspected infection source was the website of the Polish Financial Supervision Authority (KNF), where a modified JavaScript file loaded an external iframe from sap.misapor[.]ch that could deliver payloads to selected visitors. After exploitation, the malware connected to foreign servers and could support reconnaissance, lateral movement, data exfiltration, and remote-access functionality. The malware was described as previously undocumented, packed and obfuscated, multi-stage, encrypted, and not recognized by available antivirus tools during the initial analysis. BadCyber published hashes and malicious URLs tied to the KNF compromise, including sap.misapor[.]ch and eye-watch[.]in paths, while noting that the attackers' motivation and the contents of the encrypted outbound transfers were still unknown.
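As an added example (not code from BadCyber or from the report), the following Python script shows how a defender would sweep proxy logs for the network indicators published for this compromise. It uses only the indicator values that appear in full in the table below (the two domains, the two IPv4 addresses and the three complete MD5 digests); the truncated hashes and URLs are left out. The log lines are constructed for the demonstration, and the paths under the indicator domains are placeholders, not the real paths from the report.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the report's table, limited to values shown in full
# (the truncated hashes and URLs marked with "..." are deliberately left out).
IOC_DOMAINS = {"sap.misapor.ch", "eye-watch.in"}
IOC_IPS = {"196.29.166.218", "125.214.195.17"}
IOC_MD5 = {
    "85d316590edfb4212049c4490db08c4b",
    "c1364bbf63b3617b25b58209e4529d8c",
    "1bfbc0c9e0d9ceb5c3f4f6ced6bcfeae",
}

# Constructed sample proxy log (not real traffic): timestamp, client IP,
# method, URL, destination IP. Paths under the IoC domains are placeholders.
SAMPLE_LOG = """\
2017-02-01T09:12:44Z 10.20.1.15 GET http://www.knf.gov.pl/index.html 192.0.2.10
2017-02-01T09:12:45Z 10.20.1.15 GET https://sap.misapor.ch/placeholder 196.29.166.218
2017-02-01T09:12:46Z 10.20.1.15 GET https://cdn.example.net/jquery.js 203.0.113.7
2017-02-01T09:15:02Z 10.20.1.22 POST https://www.eye-watch.in/placeholder 125.214.195.17
2017-02-01T09:16:10Z 10.20.1.31 GET https://eye-watch.in.example.org/ 198.51.100.9
2017-02-01T09:17:33Z 10.20.1.40 GET http://198.51.100.9/update.bin 125.214.195.17
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def host_matches(host, domains):
    """True if host equals an IoC domain or is a subdomain of one.
    A plain substring test would also flag 'eye-watch.in.example.org',
    so the comparison is anchored on label boundaries."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_proxy_log(text, domains=IOC_DOMAINS, ips=IOC_IPS):
    """Return one hit per (line, indicator) for lines touching an IoC."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        _ts, client, _method, url, dst_ip = m.groups()
        host = urlsplit(url).hostname or ""
        if host_matches(host, domains):
            hits.append({"line": lineno, "client": client, "type": "DOMAIN", "value": host})
        if dst_ip in ips:
            hits.append({"line": lineno, "client": client, "type": "IPv4", "value": dst_ip})
    return hits


def match_hashes(observed, known=IOC_MD5):
    """Return the subset of observed MD5 digests that are known indicators."""
    return sorted(h.lower() for h in observed if h.lower() in known)


def clients_to_triage(hits):
    """Distinct internal clients that contacted any indicator, for follow-up."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for h in found:
        print(f"line {h['line']}: {h['client']} -> {h['type']} {h['value']}")
    print("clients to triage:", clients_to_triage(found))
```

The domain check deliberately matches on label boundaries, so a look-alike host such as eye-watch.in.example.org is not flagged, while any subdomain of an indicator (www.eye-watch.in) is. Checking the destination IP separately catches a connection that reached the indicator address without a matching hostname, as on the last sample line; in a real sweep, the distinct clients returned by clients_to_triage would be the starting point for host forensics.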

Indicators of Compromise

Type    Value                               First Seen  Last Seen
HASH    d4616f9706403a0d5a2f9a8726230a4…    2017-02-03  2020-03-09
DOMAIN  knf.gov                             2017-02-03  2017-05-30
HASH    85d316590edfb4212049c4490db08c4b    2017-02-03  2017-04-03
HASH    4f0d7a33d23d53c0eb8b34d102cdd66…    2017-02-03  2017-04-03
HASH    c1364bbf63b3617b25b58209e4529d8c    2017-02-03  2017-04-03
HASH    bedceafa2109139c793cb158cec9fa4…    2017-02-03  2017-04-03
HASH    1bfbc0c9e0d9ceb5c3f4f6ced6bcfeae    2017-02-03  2017-04-03
URL     http://www.knf.gov.pl/DefaultDe…    2017-02-03  2017-04-03
URL     https://sap.misapor.ch/vishop/v…    2017-02-03  2017-04-03
DOMAIN  sap.misapor.ch                      2017-02-03  2017-04-03
URL     http://sap.misapor.ch/vishop/vi…    2017-02-03  2017-02-12
URL     https://www.eye-watch.in/design…    2017-02-03  2017-02-12
IPv4    196.29.166.218                      2017-02-03  2017-02-12
IPv4    125.214.195.17                      2017-02-03  2017-02-12
HASH    cc6a731e9daff84bae4214603e1c3ba…    2017-02-03  2017-02-03
HASH    fc8607c155617e09d540c5030eabad9…    2017-02-03  2017-02-03
HASH    496207db444203a6a9c02a32aff28d5…    2017-02-03  2017-02-03
