Weekly Cyber Round-up

Hazy Hawk leverages DNS misconfigurations to target high-profile organisations 

Infoblox researchers identified a threat actor, named Hazy Hawk, exploiting DNS misconfigurations and hijacking abandoned cloud resources of high-profile organisations since at least December 2023. The group attempts to hijack these domains to host URLs that redirect users to scams and malware via traffic distribution systems. Hazy Hawk is believed to have access to commercial passive DNS services based on its ability to identify gaps in DNS records. In February 2025, Hazy Hawk gained control of subdomains of the United States Center for Disease Control (CDC). Using CNAME hijacking, the group identified and re-registered an inactive Azure website belonging to the organisation, allowing them to replace the official CDC subdomain with ones referencing pornography and other spam advertisements. The group has also been observed targeting Fortune 500 companies, universities, and other government departments.

Malicious PyPI package disguised as Python debugging utility installs backdoor for data theft

On May 13th, 2025, ReversingLabs researchers discovered a new malicious PyPI package, named ‘dbgpkg’, that poses as a Python debugging utility. Upon installation, the package implants a backdoor on the developer’s system, allowing threat actors to execute malicious code and steal sensitive data. The package also creates function wrappers to check if the backdoor is already installed on the target system and executes three curl commands, including downloading a public key, installing the Global Socket Toolkit, and exfiltrating an encrypted connection to a private pastebin. The package has been attributed to the Phoenix Hyena hacktivist gang based on the use of the same backdooring technique. The campaign could also be the work of a copycat actor. 

Copyright infringement lures used to deliver Rhadamanthys stealer to European media organisations

Since the beginning of April 2025, Cybereason researchers observed a phishing campaign leveraging copyright infringement lures to deliver variants of the Rhadamanthys stealer against central and eastern European multimedia organisations. The campaign features similar phishing infrastructure and delivery mechanisms to other campaigns distributing different malware families, suggesting shared tooling, an affiliate model, or coordinated activity with other groups. The emails contain a hyperlink to a supposed PDF document that directs users to a newly registered domain that forces the connection to occur via Microsoft Edge before prompting them to download an archive from Mediafire. The downloaded file contains a legitimate Haihaisoft PDF Reader executable and a malicious DLL that is loaded into the PDF reader’s process via DLL search order hijacking. Once executed, the malware establishes persistence through an Autorun registry key and ultimately downloads Rhadamanthys.

SideWinder APT exploits vulnerabilities to target Asian government institutions with StealerBot 

Acronis researchers uncovered a new SideWinder advanced persistent threat (APT) multi-stage campaign leveraging spear phishing emails and geofenced payloads to deliver StealerBot to high-level government institutions in Sri Lanka, Bangladesh, and Pakistan. SideWinder exploited CVE-2017-0199 and CVE-2017-11882 via Microsoft Word and RTF files, enabling remote code execution to compromise targeted systems when the victim opened the custom crafted file. The Microsoft Word email attachment is used to download an RTF file that triggers the next stage of the attack chain without user interaction. Rather than abusing mshta, SideWinder appears to continue to favour using a shellcode-based loader for malware delivery. The shellcode injects an embedded PE file into the explorer executable via standard Windows API calls, after which StealerBot is delivered via DLL sideloading.