The Silobreaker Weekly Geopolitical Risk Briefs


Weekly Cyber Round-up

Intelligence Report

May 22, 2025

Suspected Sednit Operation RoundPress targets governments with XSS webmail exploits

ESET researchers identified a Russia-aligned espionage campaign, dubbed Operation RoundPress, targeting high-value webmail servers with different variants of the SpyPress malware. The activity targets government entities and defence companies in Europe, Africa, and South America. The researchers assess with medium confidence that the activity is conducted by the Sednit group. The spearphishing emails discuss current news events, but the HTML of the message body leverages cross-site scripting vulnerabilities in the webmail client to execute malicious JavaScript in the context of the webmail web page running in the victim's browser. The SpyPress JavaScript payload is reloaded each time the victim opens the malicious email; it steals webmail credentials and collects messages and contact information from the victim’s mailbox.
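The mitigation side of the RoundPress item is the webmail client rendering untrusted HTML. The following is an added example (not code from ESET or from any webmail product) of the allowlist approach a webmail renderer needs: only a small set of tags and attributes survive, script and style content is dropped entirely, event-handler attributes never pass because no attribute outside the allowlist is copied, and links are restricted to http, https and mailto schemes. The sample message, tag allowlist and `EmailSanitizer` class are constructed for this illustration.

```python
"""Allowlist-based sanitiser for HTML email bodies (added example)."""
from html import escape
from html.parser import HTMLParser

# Constructed allowlist: tags and per-tag attributes a webmail view may render.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}


def _safe_href(value: str) -> bool:
    """Only plain web and mail links are kept; javascript:, data: etc. are not."""
    return value.strip().lower().startswith(("http://", "https://", "mailto:"))


class EmailSanitizer(HTMLParser):
    """Re-emits only allowlisted markup; everything else becomes text or is dropped."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self._skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag (img, iframe, form, ...) is dropped, its text is kept
        kept = []
        for name, value in attrs:
            # Attributes not in the allowlist (onerror, onload, style, ...) are discarded.
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None:
                if name == "href" and not _safe_href(value):
                    continue
                kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag == "a":
            kept.append(' rel="noopener noreferrer"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))  # text is always re-escaped

    # Comments, declarations and processing instructions fall through to the
    # HTMLParser defaults, which emit nothing.


def sanitize_email_html(html: str) -> str:
    parser = EmailSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample message body mixing news text with injected markup.
SAMPLE_EMAIL = (
    "<p>Breaking: <b>summit</b> concludes.</p>"
    "<script>alert(1)</script>"
    '<img src="x" onerror="alert(1)">'
    '<p><a href="javascript:alert(1)">read more</a> '
    '<a href="https://news.example/story">source</a></p>'
)

if __name__ == "__main__":
    print(sanitize_email_html(SAMPLE_EMAIL))
```

A sanitiser like this belongs on the server side of the webmail application, ahead of rendering, and is a complement to (not a substitute for) a Content-Security-Policy that forbids inline script on the webmail origin.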


Hazy Hawk leverages DNS misconfigurations to target high-profile organisations

Infoblox researchers identified a threat actor, named Hazy Hawk, exploiting DNS misconfigurations and hijacking abandoned cloud resources of high-profile organisations since at least December 2023. The group hijacks these domains to host URLs that redirect users to scams and malware via traffic distribution systems. Hazy Hawk is believed to have access to commercial passive DNS services, based on its ability to identify gaps in DNS records. In February 2025, Hazy Hawk gained control of subdomains of the United States Center for Disease Control (CDC). Using CNAME hijacking, the group identified and re-registered an inactive Azure website belonging to the organisation, allowing it to replace the content of the official CDC subdomain with pages referencing pornography and other spam advertisements. The group has also been observed targeting Fortune 500 companies, universities, and other government departments.
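The gap Hazy Hawk exploits is a CNAME record that still points at a cloud hostname the organisation has released. Below is an added example (not Infoblox's tooling) of the check a DNS owner can run over its own zone export: every CNAME target is resolved, and targets that no longer resolve are reported, with those under cloud suffixes where anyone can register the released name flagged as re-registrable. The zone data, the `CLOUD_SUFFIXES` list, the `stub_resolve` answers and the domain example.org are all constructed so the script runs offline.

```python
"""Find dangling CNAME records in a zone export (added example)."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed, illustrative suffixes of services that hand released hostnames
# to whoever registers them next; a real list is longer and provider-specific.
CLOUD_SUFFIXES = (
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".s3.amazonaws.com",
    ".cloudfront.net",
    ".github.io",
    ".herokuapp.com",
)

# Constructed zone export for a hypothetical organisation.
SAMPLE_ZONE = """\
www.example.org.      CNAME  example-org-prod.azurewebsites.net.
events.example.org.   CNAME  events-2023.azurewebsites.net.
cdn.example.org.      CNAME  d111111abcdef8.cloudfront.net.
blog.example.org.     CNAME  example-org.github.io.
legacy.example.org.   CNAME  old-host.partner-example.net.
mail.example.org.     A      192.0.2.10
"""

# Constructed resolver answers: the only targets that currently resolve.
RESOLVABLE = {"example-org-prod.azurewebsites.net", "d111111abcdef8.cloudfront.net"}


def stub_resolve(hostname: str) -> bool:
    """Stand-in for a DNS lookup; True if the name still resolves."""
    return hostname in RESOLVABLE


@dataclass
class Finding:
    name: str            # the record in our zone
    target: str          # the CNAME target that no longer resolves
    re_registrable: bool # target sits under a cloud suffix anyone can claim


def parse_cnames(zone_text: str) -> List[Tuple[str, str]]:
    """Extract (owner, target) pairs from a BIND-style zone listing."""
    records = []
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1].upper() == "CNAME":
            records.append((parts[0].rstrip("."), parts[2].rstrip(".")))
    return records


def find_dangling(zone_text: str, resolve: Callable[[str], bool] = stub_resolve) -> List[Finding]:
    """Return every CNAME whose target fails to resolve, worst cases first."""
    findings = []
    for name, target in parse_cnames(zone_text):
        if resolve(target):
            continue
        re_reg = any(target.endswith(suffix) for suffix in CLOUD_SUFFIXES)
        findings.append(Finding(name, target, re_reg))
    # Re-registrable targets are the ones an actor can take over outright.
    findings.sort(key=lambda f: not f.re_registrable)
    return findings


if __name__ == "__main__":
    for f in find_dangling(SAMPLE_ZONE):
        level = "TAKEOVER RISK" if f.re_registrable else "investigate"
        print(f"{level:14} {f.name} -> {f.target}")
```

For a live run, replace `stub_resolve` with a function that calls `socket.getaddrinfo` and returns False on `socket.gaierror`; the remediation for every hit is the same, delete the record or re-point it at a resource the organisation still controls, since a CNAME to a released cloud name is an open invitation regardless of which actor finds it first.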

Malicious PyPI package disguised as Python debugging utility installs backdoor for data theft

On May 13th, 2025, ReversingLabs researchers discovered a new malicious PyPI package, named ‘dbgpkg’, that poses as a Python debugging utility. Upon installation, the package implants a backdoor on the developer’s system, allowing threat actors to execute malicious code and steal sensitive data. The package also creates function wrappers that check whether the backdoor is already installed on the target system, and executes three curl commands: downloading a public key, installing the Global Socket Toolkit, and exfiltrating the encrypted connection details to a private pastebin. The package has been attributed to the Phoenix Hyena hacktivist gang based on the use of the same backdooring technique, although the campaign could also be the work of a copycat actor.

Copyright infringement lures used to deliver Rhadamanthys stealer to European media organisations

Since the beginning of April 2025, Cybereason researchers have observed a phishing campaign leveraging copyright infringement lures to deliver variants of the Rhadamanthys stealer to central and eastern European multimedia organisations. The campaign shares phishing infrastructure and delivery mechanisms with other campaigns distributing different malware families, suggesting shared tooling, an affiliate model, or coordinated activity with other groups. The emails contain a hyperlink to a supposed PDF document that directs users to a newly registered domain, which forces the connection to occur via Microsoft Edge before prompting them to download an archive from Mediafire. The downloaded archive contains a legitimate Haihaisoft PDF Reader executable and a malicious DLL that is loaded into the PDF reader’s process via DLL search order hijacking. Once executed, the malware establishes persistence through an Autorun registry key and ultimately downloads Rhadamanthys.

SideWinder APT exploits vulnerabilities to target Asian government institutions with StealerBot

Acronis researchers uncovered a new multi-stage SideWinder advanced persistent threat (APT) campaign leveraging spear phishing emails and geofenced payloads to deliver StealerBot to high-level government institutions in Sri Lanka, Bangladesh, and Pakistan. SideWinder exploited CVE-2017-0199 and CVE-2017-11882 via Microsoft Word and RTF files, enabling remote code execution on targeted systems when the victim opened the custom-crafted file. The Microsoft Word email attachment downloads an RTF file that triggers the next stage of the attack chain without user interaction. Rather than abusing mshta, SideWinder appears to continue to favour a shellcode-based loader for malware delivery. The shellcode injects an embedded PE file into the Explorer executable (explorer.exe) via standard Windows API calls, after which StealerBot is delivered via DLL sideloading.
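Both the Rhadamanthys item above (a legitimate PDF reader loading a malicious DLL from its own folder, then an Autorun key) and the SideWinder item (StealerBot delivered via DLL sideloading) end in the same two host-level observables. The following is an added example, not Cybereason's, Acronis's or any vendor's detection content, of a detection pass over endpoint telemetry: it flags an unsigned DLL loaded from the same user-writable directory as the process image, and a Run-key value that points into a user-writable path. The JSON-lines event format, field names, file paths and SID below are constructed to resemble image-load and registry-set events from an endpoint sensor; map them to your sensor's actual schema before use.

```python
"""Flag DLL side-loading and Run-key persistence in endpoint telemetry (added example)."""
import json
import ntpath
from typing import Iterable, List, Optional, Tuple

# Constructed path markers for locations an unprivileged user can write to.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
RUN_KEY_MARKER = "\\currentversion\\run"


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def analyse_event(ev: dict) -> Optional[Tuple[str, str, str]]:
    """Return (finding, subject, detail) for a suspicious event, else None."""
    kind = ev.get("event")
    if kind == "ImageLoad":
        image, dll = ev["Image"], ev["ImageLoaded"]
        # Search-order hijack pattern: a DLL that should come from System32 is
        # instead found next to the executable, and it carries no valid signature.
        same_dir = ntpath.dirname(image).lower() == ntpath.dirname(dll).lower()
        if not ev.get("Signed", False) and same_dir and is_user_writable(dll):
            return ("possible_dll_sideload", image, dll)
    elif kind == "RegistrySet":
        target = ev["TargetObject"]
        details = ev.get("Details", "")
        # Autorun via HKCU/HKLM ...\CurrentVersion\Run pointing at a user-writable binary.
        if RUN_KEY_MARKER in target.lower() and is_user_writable(details):
            return ("run_key_persistence", target, details)
    return None


def scan(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Parse JSON-lines telemetry and collect findings in log order."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        result = analyse_event(json.loads(line))
        if result:
            findings.append(result)
    return findings


# Constructed telemetry: one benign load, one side-load, one benign load,
# one Run-key persistence write, one unrelated registry write.
SAMPLE_LOG = r'''
{"event": "ImageLoad", "Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Windows\\System32\\shell32.dll", "Signed": true}
{"event": "ImageLoad", "Image": "C:\\Users\\alice\\Downloads\\reader\\pdfreader.exe", "ImageLoaded": "C:\\Users\\alice\\Downloads\\reader\\plugin.dll", "Signed": false}
{"event": "ImageLoad", "Image": "C:\\Users\\alice\\Downloads\\reader\\pdfreader.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": true}
{"event": "RegistrySet", "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Reader", "Details": "C:\\Users\\alice\\Downloads\\reader\\pdfreader.exe"}
{"event": "RegistrySet", "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Example\\Start", "Details": "2"}
'''

if __name__ == "__main__":
    for finding, subject, detail in scan(SAMPLE_LOG.splitlines()):
        print(f"{finding}: {subject} -> {detail}")
```

The side-load rule is deliberately narrow (unsigned, same directory, user-writable) to keep noise low on developer machines; the two findings correlate on the same executable path, which is the pivot an analyst would use to tie the loader to its persistence.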


High Priority Vulnerabilities

CVE              Software                 Base Score  Temporal Score
CVE-2025-4664    Chrome                   6.3         6.0
    Related: SAP, DrayTek, and Google Chrome flaws under active exploitation
CVE-2025-4428    Endpoint Manager Mobile  7.2         6.9
    Related: Continued exploitation of Ivanti EPMM flaws observed
CVE-2025-34025   Concerto                 7.2         7.2
    Related: Multiple zero-day flaws discovered in Versa Concerto
CVE-2025-32433   OTP                      10.0        9.4
    Related: Multiple maximum severity flaws patched in ICS products
CVE-2025-31324   NetWeaver                9.8         9.4
    Related: SAP NetWeaver flaw exploited by Qilin ransomware gang prior to disclosure
