Weekly Cyber Round-up

Intelligence Report

May 29, 2025

Russia-linked Void Blizzard targets NATO members and Ukraine for espionage 

Microsoft researchers identified a new suspected Russian threat actor, dubbed Void Blizzard, that has been active since at least April 2024. Void Blizzard primarily targets critical sectors in NATO member countries and Ukraine, with many targeted organisations having previously been targeted by other Russia-linked actors, suggesting shared espionage and intelligence collection interests. Void Blizzard initially relied on stolen credentials or password spraying for initial access to Microsoft Exchange and Microsoft SharePoint Online instances. In April 2025, the group began shifting its initial access vector to spear phishing, including via fake Microsoft Entra login portals. Following initial access, Void Blizzard abuses legitimate cloud APIs to enumerate users’ mailboxes before collecting cloud-hosted data, mailboxes, or file shares in bulk. In some cases, Void Blizzard has also accessed Microsoft Teams communications and messages via the web client application or enumerated a compromised organisation’s Microsoft Entra ID configuration via the AzureHound tool. 
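The password-spraying access vector described above has a recognisable shape in sign-in telemetry: one source address fails against many distinct accounts, each tried only once or twice, within a short window, which is the opposite of a brute-force attempt against a single account. The following detector is an added example and is not part of the report or of Microsoft's guidance; the record layout is a constructed, simplified form of Entra ID sign-in log fields (timestamp, userPrincipalName, ipAddress, errorCode), and the sample records are constructed, not real data.

```python
"""Flag password-spray patterns in simplified sign-in records (added example).

Assumptions (not from the report): each record is
(timestamp, userPrincipalName, ipAddress, errorCode); errorCode 0 is a
successful sign-in and any non-zero code is a failure (50126 is Entra's
"invalid username or password"). The sample data below is constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SAMPLE_SIGNINS = [
    # Spray shape: one IP, six accounts, one failure each, then a success.
    ("2025-05-20T08:00:01Z", "alice@example.org", "203.0.113.7", 50126),
    ("2025-05-20T08:00:09Z", "bob@example.org", "203.0.113.7", 50126),
    ("2025-05-20T08:00:17Z", "carol@example.org", "203.0.113.7", 50126),
    ("2025-05-20T08:00:25Z", "dave@example.org", "203.0.113.7", 50126),
    ("2025-05-20T08:00:33Z", "erin@example.org", "203.0.113.7", 50126),
    ("2025-05-20T08:00:41Z", "frank@example.org", "203.0.113.7", 50126),
    ("2025-05-20T08:01:05Z", "dave@example.org", "203.0.113.7", 0),
    # Brute-force shape: one IP hammering a single account (not a spray).
    *[("2025-05-20T09:00:%02dZ" % (5 * i), "bob@example.org", "198.51.100.4", 50126)
      for i in range(8)],
    # Benign: a user mistypes once, then signs in.
    ("2025-05-20T10:00:00Z", "carol@example.org", "192.0.2.10", 50126),
    ("2025-05-20T10:00:10Z", "carol@example.org", "192.0.2.10", 0),
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(records, window=timedelta(minutes=30),
                          min_users=5, max_per_user=2):
    """Return one alert per source IP whose failures, inside any `window`,
    span at least `min_users` distinct accounts with no account tried more
    than `max_per_user` times. Each alert also lists accounts that signed in
    successfully from that IP after the spray began, for follow-up review."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, user, ip, code in records:
        bucket = successes if code == 0 else failures
        bucket[ip].append((_ts(ts), user))

    alerts = []
    for ip, events in failures.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = Counter(user for _, user in events[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > best["distinct_users"]:
                    first, last = events[start][0], events[end][0]
                    reviewed = {user for t, user in successes.get(ip, [])
                                if t >= first and user in per_user}
                    best = {
                        "ip": ip,
                        "distinct_users": len(per_user),
                        "first": first.isoformat(),
                        "last": last.isoformat(),
                        "accounts_to_review": sorted(reviewed),
                    }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_SIGNINS):
        print(alert)
```

The brute-force source is deliberately excluded by the `max_per_user` bound so that it can be handled by a separate lockout-style rule; tuning `min_users` and `window` against the organisation's normal failure rate is what keeps the alert useful.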

UNC6032 uses fake AI video generator websites to distribute malware and steal credentials

Since November 2024, Mandiant researchers have observed an ongoing, global UNC6032 campaign leveraging fake artificial intelligence (AI) video generator websites to distribute malware and deploy Python-based infostealers and several backdoors. The campaign aims to steal login credentials, cookies, credit card data, and Facebook information. Since mid-2024, more than 30 websites distributing thousands of advertisements have been identified, with most of the sites advertised on Facebook and some on LinkedIn. The phishing sites include a fake video generation button, which leads to the installation of a ZIP file and a malicious binary containing the STARKVEIL dropper. STARKVEIL is executed twice, first dropping three modular malware families, the XWORM and FROSTRIFT backdoors and the GRIMPULL downloader, before spawning a Python launcher for the COILHATCH dropper during its second execution. UNC6032 is suspected to have a Vietnam nexus.

UNC5221 exploits Ivanti EPMM flaws to target organisations in critical sectors globally

EclecticIQ researchers observed the active exploitation of two recently patched Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities, tracked as CVE-2025-4427 and CVE-2025-4428, to target organisations across multiple critical sectors in Europe, North America, and the Asia-Pacific region. The earliest observed exploitation activity dates back to May 15th, 2025. The flaws were exploited to gain initial access, after which the attackers used Java-based commands to execute malicious processes on compromised systems. One of the commands was used to obtain an interactive reverse shell, allowing for continued communication between the attacker and the victim system, while another was used for arbitrary command execution. The attackers also conducted host reconnaissance using obfuscated shell commands and a Fast Reverse Proxy, after which they deployed KrustyLoader malware via Amazon AWS S3 buckets to deliver the Sliver backdoor and establish persistence. The threat actors also targeted the ‘mifs’ database by making use of hardcoded MySQL database credentials.

Earth Lamia exploits SQL vulnerabilities and uses custom tools to exfiltrate data from targets

Trend Micro researchers identified a China-linked advanced persistent threat (APT), dubbed Earth Lamia, that has been exploiting SQL injection vulnerabilities on web applications to exfiltrate data since 2023. The group mainly targets organisations in Brazil, India, and Southeast Asia, initially focusing on the financial industry in H1 2024, before shifting to the logistics and online retail industries in H2 2024, and more recently to IT companies, universities, and government organisations. Earth Lamia frequently conducts vulnerability scans to identify potential SQL injection flaws on targets’ websites, attempting to open a system shell via tools such as ‘sqlmap’ to gain remote access to SQL servers. After successfully exploiting a flaw, Earth Lamia performs various lateral movement activities and commands that allow them to directly access and exfiltrate databases. The group leverages numerous open-source tools like Brute Ratel and Cobalt Strike, but also continuously develops its own custom tools, including the PULSEPACK backdoor and the BypassBoss privilege escalation tool.
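The SQL injection flaws Earth Lamia is described as exploiting arise when user-supplied text is spliced into the SQL grammar rather than passed as a bound parameter. The snippet below is an added example, not code from the report or from Trend Micro: it builds a constructed in-memory SQLite table, runs the same tautology-style input through a string-formatted query and through a parameterised one, and shows that only the first returns every row.

```python
"""Vulnerable versus parameterised lookup (added example, constructed data)."""
import sqlite3


def make_db():
    # Constructed sample table; not related to any real target.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts (username, balance) VALUES (?, ?)",
        [("alice", 100), ("bob", 250), ("carol", 75)],
    )
    return conn


def lookup_vulnerable(conn, username):
    # The input becomes part of the SQL text, so quotes in it change the query.
    query = f"SELECT username, balance FROM accounts WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterised(conn, username):
    # The driver binds the value; it can never be parsed as SQL.
    query = "SELECT username, balance FROM accounts WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Classic tautology input used in SQLi training material.
TAUTOLOGY_INPUT = "x' OR '1'='1"


def compare(username):
    """Return (rows from the vulnerable path, rows from the parameterised path)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, username), lookup_parameterised(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    for value in ("alice", TAUTOLOGY_INPUT):
        vulnerable, safe = compare(value)
        print(f"{value!r}: vulnerable -> {len(vulnerable)} rows, parameterised -> {len(safe)} rows")
```

For the legitimate username both paths return the same single row; for the tautology input the formatted query returns all three accounts while the bound query returns none, because no account is literally named `x' OR '1'='1`.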

Bitter APT targets PTCL employees with a new WmRAT variant

On May 7th, 2025, EclecticIQ researchers observed the advanced persistent threat (APT) actor Bitter APT targeting Pakistan Telecommunication Co Ltd (PTCL) employees with a new variant of WmRAT. Bitter APT likely used credentials stolen from Pakistan’s Counter Terrorism Department (CTD) via StealC to send its spear phishing emails. The timing of the attack coincided with the reported military confrontations between India and Pakistan, likely to target Pakistan’s telecommunications sector amid regional tensions. The emails contained an internet query with a malicious Excel macro attachment that used the Windows command line to download and execute WmRAT. After executing the file, the threat actors established a connection to a C2 domain previously linked to Bitter APT.

High Priority Vulnerabilities

Name            Software             Base Score   Temp Score
CVE-2023-39780  RT-AX55              8.8          5.3
  Related: Command injection flaw exploited to create network of backdoored ASUS devices
CVE-2023-20118  RV325                7.2          6.9
  Related: ViciousTrap turns edge devices into honeypots to monitor for vulnerability exploitation
CVE-2025-32432  CMS                  10.0         7.0
  Related: Craft CMS flaw exploited to deliver Mimo loader, XMRig, and IPRoyal Pawns
CVE-2025-3928   Web Server           9.8          9.4
  Related: Exploitation of Commvault flaw likely part of larger campaign targeting SaaS companies
CVE-2025-4632   MagicINFO 9 Server   9.8          7.0
  Related: Critical Samsung MagicINFO 9 Server flaw under active exploitation
