
Suspected Sednit Operation RoundPress targets governments with XSS webmail exploits
ESET researchers identified a Russia-aligned espionage campaign, dubbed Operation RoundPress, targeting high-value webmail servers with several variants of the SpyPress malware. The activity targets government entities and defence companies in Europe, Africa, and South America. The researchers assess with medium confidence that the activity is conducted by the Sednit group. Spearphishing emails with news-themed text embed HTML in the message body that exploits cross-site scripting vulnerabilities in the webmail client to execute malicious JavaScript in the context of the webmail page running in the victim’s browser. The SpyPress JavaScript payload is reloaded each time the victim opens the malicious email; it steals webmail credentials and collects messages and contact information from the victim’s mailbox.
Hazy Hawk leverages DNS misconfigurations to target high-profile organisations
Infoblox researchers identified a threat actor, named Hazy Hawk, that has been exploiting DNS misconfigurations and hijacking abandoned cloud resources of high-profile organisations since at least December 2023. The group hijacks these domains to host URLs that redirect users to scams and malware via traffic distribution systems. Hazy Hawk is believed to have access to commercial passive DNS services, based on its ability to identify gaps in DNS records. In February 2025, Hazy Hawk gained control of subdomains of the United States Centers for Disease Control and Prevention (CDC). Using CNAME hijacking, the group identified and re-registered an inactive Azure website belonging to the organisation, allowing it to point official CDC subdomains at pages referencing pornography and other spam advertisements. The group has also been observed targeting Fortune 500 companies, universities, and other government departments.
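As an added defensive illustration (not from the Infoblox report), the audit below walks a constructed zone, finds CNAME records whose targets no longer resolve, and flags those pointing at cloud hostnames that any tenant could re-register; the record names, targets and the offline resolver are all made up for the example.

```python
import socket

# Constructed sample zone for a fictional agency; none of these are real CDC records.
SAMPLE_RECORDS = [
    ("www.agency.example", "A", "203.0.113.10"),
    ("legacy.agency.example", "CNAME", "old-campaign.azurewebsites.net"),
    ("portal.agency.example", "CNAME", "portal-prod.azurewebsites.net"),
    ("old.agency.example", "CNAME", "decommissioned.partner.example"),
    ("cdn.agency.example", "CNAME", "cdn.agency.example.s3-website-us-east-1.amazonaws.com"),
]

# Constructed resolver view: only these targets still resolve; anything else is NXDOMAIN.
LIVE_TARGETS = {"portal-prod.azurewebsites.net"}

# Suffixes of services where an unclaimed hostname can be registered by any customer,
# which is what turns a merely stale CNAME into a subdomain takeover.
CLAIMABLE_SUFFIXES = (
    ".azurewebsites.net", ".cloudapp.net", ".trafficmanager.net",
    ".amazonaws.com", ".github.io",
)


def offline_resolves(target: str) -> bool:
    """Stand-in resolver backed by the constructed LIVE_TARGETS set."""
    return target.rstrip(".").lower() in LIVE_TARGETS


def dns_resolves(target: str) -> bool:
    """Live resolver for real audits: NXDOMAIN surfaces as socket.gaierror."""
    try:
        socket.gethostbyname(target)
        return True
    except socket.gaierror:
        return False


def find_dangling_cnames(records, resolver=offline_resolves):
    """Return CNAMEs whose target no longer resolves, marking claimable targets."""
    findings = []
    for name, rtype, target in records:
        if rtype != "CNAME" or resolver(target):
            continue
        claimable = target.lower().rstrip(".").endswith(CLAIMABLE_SUFFIXES)
        findings.append({"name": name, "target": target, "claimable": claimable})
    return findings


if __name__ == "__main__":
    for f in find_dangling_cnames(SAMPLE_RECORDS):
        label = "TAKEOVER RISK" if f["claimable"] else "stale"
        print(f"{label}: {f['name']} -> {f['target']}")
```

For a real zone, pass `resolver=dns_resolves` and feed records exported from the DNS provider; a stale-but-unclaimable entry still deserves cleanup, but the claimable ones are the immediate risk.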
Malicious PyPI package disguised as Python debugging utility installs backdoor for data theft
On May 13th, 2025, ReversingLabs researchers discovered a new malicious PyPI package, named ‘dbgpkg’, that poses as a Python debugging utility. Upon installation, the package implants a backdoor on the developer’s system, allowing threat actors to execute malicious code and steal sensitive data. The package creates function wrappers that check whether the backdoor is already installed on the target system and then executes three curl commands: downloading a public key, installing the Global Socket Toolkit, and exfiltrating encrypted connection details to a private pastebin. The package has been attributed to the Phoenix Hyena hacktivist gang based on its use of the same backdooring technique, although the campaign could also be the work of a copycat actor.
Copyright infringement lures used to deliver Rhadamanthys stealer to European media organisations
Since the beginning of April 2025, Cybereason researchers have observed a phishing campaign leveraging copyright infringement lures to deliver variants of the Rhadamanthys stealer to central and eastern European multimedia organisations. The campaign shares phishing infrastructure and delivery mechanisms with other campaigns distributing different malware families, suggesting shared tooling, an affiliate model, or coordinated activity with other groups. The emails contain a hyperlink to a supposed PDF document that directs users to a newly registered domain; the site forces the connection to occur via Microsoft Edge before prompting the user to download an archive from Mediafire. The downloaded archive contains a legitimate Haihaisoft PDF Reader executable and a malicious DLL that is loaded into the PDF reader’s process via DLL search order hijacking. Once executed, the malware establishes persistence through an Autorun registry key and ultimately downloads Rhadamanthys.
SideWinder APT exploits vulnerabilities to target Asian government institutions with StealerBot
Acronis researchers uncovered a new multi-stage SideWinder advanced persistent threat (APT) campaign leveraging spear phishing emails and geofenced payloads to deliver StealerBot to high-level government institutions in Sri Lanka, Bangladesh, and Pakistan. SideWinder exploited CVE-2017-0199 and CVE-2017-11882 via Microsoft Word and RTF files, enabling remote code execution on targeted systems when the victim opened the custom-crafted file. The Microsoft Word email attachment downloads an RTF file that triggers the next stage of the attack chain without further user interaction. Rather than abusing mshta, SideWinder appears to continue to favour a shellcode-based loader for malware delivery. The shellcode injects an embedded PE file into the explorer process via standard Windows API calls, after which StealerBot is delivered via DLL sideloading.
Ransomware
DragonForce targets rivals in a play for dominance (Sophos – May 21 2025)
VanHelsing ransomware builder leaked on hacking forum (Bleeping Computer – May 20 2025)
A familiar playbook with a twist: 3AM ransomware actors dropped virtual machine with vishing and Quick Assist (Sophos – May 20 2025)
Sarcoma Ransomware Unveiled: Anatomy of a Double Extortion Gang (Security Affairs – May 20 2025)
Ransomware Gangs Use Skitnet Malware for Stealthy Data Theft and Remote Access (The Hacker News – May 19 2025)
Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware (The DFIR Report – Blog – May 19 2025)
Financial Services
GhostSpy Web-Based Android RAT: Advanced Persistent RAT with Stealthy Remote Control and Uninstall Resistance (CYFIRMA – May 22 2025)
Disrupting Lumma Stealer: Microsoft leads global action against favored cybercrime tool (Microsoft On the Issues Blog – May 21 2025)
Dero miner zombies biting through Docker APIs to build a cryptojacking horde (Kaspersky Lab – May 21 2025)
Scammers Exploit Tariff Anxiety with Fake Brand Stores (Forcepoint – May 15 2025)
Disguised Cyber Risks On The Colombian Shore: The Insurance Trap (Group-IB – May 15 2025)
Geopolitics
Russian GRU Cyber Actors Targeting Western Logistics Entities and Tech Companies (CISA Alerts – May 21 2025)
Deepfake Scam Exploits Romanian Presidential Candidates to Lure Victims into Fake ‘Neptun Deep’ Investment (Bitdefender – May 16 2025)
Polish ruling party reports attack on its website before election (Reuters – May 16 2025)
FDD Uncovers Likely Chinese Intelligence Operation Targeting Recently Laid-Off U.S. Government Employees (Threat Reports – Foundation for Defense of Democracies – May 15 2025)
Storm-1516 Deploys AI-Generated Media to Spread Disinformation: Targets European Leaders and Influences Istanbul Peace Talks (NCSC-FI Daily News – May 15 2025)
High Priority Vulnerabilities
| Name | Software | Base Score | Temp Score | Related |
|---|---|---|---|---|
| CVE-2025-4664 | Chrome | 6.3 | 6.0 | SAP, DrayTek, and Google Chrome flaws under active exploitation |
| CVE-2025-4428 | Endpoint Manager Mobile | 7.2 | 6.9 | Continued exploitation of Ivanti EPMM flaws observed |
| CVE-2025-34025 | Concerto | 7.2 | 7.2 | Multiple zero-day flaws discovered in Versa Concerto |
| CVE-2025-32433 | OTP | 10.0 | 9.4 | Multiple maximum severity flaws patched in ICS products |
| CVE-2025-31324 | NetWeaver | 9.8 | 9.4 | SAP NetWeaver flaw exploited by Qilin ransomware gang prior to disclosure |