Enterprise data backup provider Commvault has confirmed that a nation-state threat actor breached its Microsoft Azure environment using a previously unknown zero-day vulnerability (CVE-2025-3928). The company said that there is no evidence of unauthorized access to customer backup data or disruption to its operations.
SonicWall updated its security advisories, confirming that vulnerabilities CVE-2023-44221 and CVE-2024-38475 are being actively exploited in the wild. The first vulnerability, a post-authentication OS command injection, and the second, a technique allowing unauthorized file access leading to session hijacking, pose significant risks. SonicWall urged customers to check their devices for signs of unauthorized logins. The identity of the threat actor and the scale of the attacks remain unclear.
Security researchers at Orange Cyberdefense have warned of active exploitation of two zero-day vulnerabilities in Craft CMS, which have been chained together by threat actors in ongoing attacks to breach servers and steal data. The vulnerabilities—CVE-2025-32432, a remote code execution (RCE) flaw in Craft CMS, and CVE-2024-58136, an input validation issue in the Yii framework used by Craft—were discovered during a forensic investigation by Orange Cyberdefense’s Computer Security Incident Response Team (CSIRT). According to a technical report by SensePost, Orange Cyberdefense’s ethical hacking unit, attackers leveraged the chain of vulnerabilities to deploy a PHP file manager onto compromised servers, enabling deeper system access and data exfiltration.
The Google Threat Intelligence Group (GTIG) reported tracking 75 zero-day vulnerabilities exploited in the wild in 2024, down from 98 in 2023 but still above the 63 identified in 2022. The vulnerabilities were divided into two main categories: end-user platforms and products, and enterprise-focused technologies. Enterprise-specific technologies made up a growing share of overall zero-day exploitation, rising from 37% in 2023 to 44% in 2024. The majority of these involved security and networking software and appliances. GTIG observed that 20 of the 33 zero-days affecting enterprise technologies targeted these products specifically.
Specialists from CERT-UA, part of Ukraine’s State Service for Special Communications and Information Protection (SSSCIP), released a report titled “Russian Cyber Operations H2'2024,” analyzing cyber threats in the second half of 2024. The report highlights a 48% increase in cyber incidents compared to the first half of the year, with more complex attacks targeting sensitive systems. Russian hacker groups are using automation, supply chain attacks, and blending espionage with sabotage tactics. The primary focus of these cyberattacks has been intelligence gathering, especially data affecting military operations, including targeting situational awareness systems and defense enterprises.
French cybersecurity agency ANSSI released a report detailing espionage campaigns associated with Russian state-sponsored hacker collective APT28 that has targeted entities located in France, as well as governmental entities in European countries, including foreign affairs departments, political parties, foundations and associations, and entities from the sectors of defense, logistics, arms industry, aerospace, and IT.
ESET researchers have analyzed Spellbinder, a tool used by the China-aligned threat actor group TheWizards for lateral movement and adversary-in-the-middle (AitM) attacks. The tool exploits IPv6 Stateless Address Autoconfiguration (SLAAC) spoofing to intercept and redirect traffic on compromised networks, enabling the attackers to manipulate legitimate Chinese software updates. By hijacking the update process, TheWizards serve malicious updates that download and execute backdoors like WizardNet.
Trend Micro has spotted a new cyber-espionage campaign by Earth Kasha, a group linked to China's APT10, targeting Taiwan and Japan as of March 2025. The campaign employs spear-phishing emails to deploy an updated version of the ANEL backdoor. Earth Kasha, active since at least 2017, is known for regularly evolving its tactics and previously focused on Japanese political and research institutions. The latest activity broadens its scope to include government agencies and public institutions in both countries, with espionage and information theft as the likely motives.
Another Trend Micro report reveals that North Korea’s cybercrime operations are increasingly relying on internet infrastructure based in Russia. Specifically, hacking activities attributed to North Korean-aligned groups like Void Dokkaebi (also known as "Famous Chollima") have been linked to IP addresses in the Russian city of Khabarovsk and the nearby border village of Khasan. This suggests that Moscow’s networks are becoming a key part of Pyongyang's cybercriminal activities, which include major thefts and deceptive online campaigns.
Cybersecurity firm SentinelOne has discovered reconnaissance activity orchestrated by a suspected China-aligned threat group dubbed PurpleHaze, which targeted the company’s infrastructure and some of its high-value customers. In its latest campaign, the group also targeted an unnamed South Asian government-affiliated entity in October 2024, deploying a Windows backdoor named GoReShell. The implant, developed in Go and leveraging the open-source reverse_ssh tool, facilitated reverse SSH connections to attacker-controlled systems via a decentralized Operational Relay Box (ORB) network, a tactic increasingly used to complicate attribution and detection.
A coordinated spear phishing campaign has targeted senior members of the exiled Uyghur community, delivering surveillance malware through a compromised version of UyghurEditPP, a trusted language tool. According to a report by The Citizen Lab, in March 2025, officials from the Munich-based World Uyghur Congress received alerts about attempts to breach their accounts. Forensic analysis confirmed that the attacks used a trojanized version of the open-source text editor to deploy Windows malware.
The US Federal Bureau of Investigation announced a $10 million reward for information leading to the identification or disruption of Salt Typhoon, a state-sponsored Chinese hacking group responsible for a widespread cyber-espionage campaign against US telecommunications providers and the US Treasury.
Palo Alto's Unit 42 researchers have discovered a new C#-based information-stealing malware called Gremlin Stealer. Active since mid-March 2025 and promoted via a Telegram group, the malware is designed to exfiltrate sensitive data from infected systems. It targets information from browsers, the clipboard, and local disk, stealing credit card details, browser cookies, crypto wallet data, as well as FTP and VPN credentials. The stolen data is then uploaded to a web server for potential public exposure.
A new report from Recorded Future's Insikt Group looks into a malware loader known as “MintsLoader” that deploys second-stage payloads including GhostWeaver, StealC, and a customized version of the BOINC (Berkeley Open Infrastructure for Network Computing) client. MintsLoader executes through a multi-stage infection process that utilizes heavily obfuscated JavaScript and PowerShell scripts. The malware incorporates evasion techniques to bypass sandbox and virtual machine environments, leverages a domain generation algorithm (DGA), and communicates with its command-and-control (C2) server via HTTP.
Silent Push threat analysts detected a scam campaign dubbed “Power Parasites,” which exploits deceptive websites, social media groups, and Telegram channels to conduct job and investment scams. Primarily targeting individuals in Asian countries such as Bangladesh, Nepal, and India, the campaign impersonates major global energy brands, including Siemens Energy, Schneider Electric, EDF Energy, Repsol S.A., and Suncor Energy, to lend credibility to its fraudulent schemes.
Cybercriminals are running sophisticated subscription scam campaigns using fake websites that appear highly convincing, according to Bitdefender researchers. The scams often involve “mystery box” offers to lure victims into monthly subscriptions and collect credit card information. The fraudulent sites claim to sell items like clothing, electronics, and fake investments, and are heavily promoted through Facebook pages, paid ads, and impersonation of content creators. Bitdefender linked over 200 of these scam sites to a single address in Cyprus, likely tied to an offshore company, with many still active.
The FortiGuard Incident Response (FGIR) team has shared its findings pertaining to a prolonged cyber intrusion targeting critical national infrastructure in the Middle East, linked to an Iranian state-sponsored threat group. Active from at least May 2023 to February 2025, with traces going back to May 2021, the attack focused on espionage and potential network prepositioning. Attackers initially breached the network using stolen VPN credentials and maintained access through multiple web shells and backdoors such as Havoc, HanifNet, HXLibrary, and NeoExpressRAT. They circumvented network segmentation using open-source proxying tools like plink, Ngrok, glider proxy, and ReverseSocks5.
Anthropic has disclosed that unknown threat actors exploited its Claude AI chatbot in a covert “influence-as-a-service” campaign on Facebook and X. The operation, financially motivated and now disrupted, used AI to create around 100 fake politically-aligned personas that interacted with tens of thousands of real accounts. It aimed to subtly amplify moderate political narratives related to European, Iranian, UAE, and Kenyan interests, such as promoting the UAE business environment and criticizing European regulations.
On the same note, new research from cybersecurity firm Tenable has revealed that the same techniques making Anthropic’s Model Context Protocol (MCP) vulnerable to prompt injection attacks could also be used to improve AI security tooling or to detect malicious behaviors within systems using MCP.
Major US-based crypto platform Kraken caught a North Korean hacker attempting to infiltrate the company through a job application. The hacker applied for an engineering role, but Kraken's team quickly identified suspicious behavior during the interview process. The candidate used a fake name, switched voices, and was likely coached in real-time. Their email matched known hacker-linked addresses, and other clues, like altered ID and ties to a past data breach, raised red flags. The team set a trap during a "casual chemistry interview," where the imposter failed to answer basic questions, confirming their fraudulent intent.
A newly launched cryptocurrency exchange named Grinex may be a rebrand of the sanctioned Russian platform Garantex shut down by US authorities in March. According to a new report from TRM Labs, Grinex shows “strong ties” to Garantex, a crypto exchange that was officially registered in Estonia but operated largely out of Russia. Garantex was sanctioned by the US Treasury’s Office of Foreign Assets Control (OFAC) in April 2022 for facilitating billions in illicit transactions tied to ransomware gangs and darknet markets, including Conti, Hydra, and Solaris.
A 23-year-old Scottish man accused of being a key player in the notorious Scattered Spider cybercrime group has been extradited to the United States from Spain. Tyler Buchanan was arrested last year in Palma de Mallorca, when he was about to leave the country for Naples on a chartered flight, and now faces multiple federal charges, including conspiracy to commit wire fraud, wire fraud, and aggravated identity theft.
Artem Stryzhak, a Ukrainian national, was extradited from Spain to the United States on April 30, 2025, to face federal charges for conspiracy related to ransomware attacks using the Nefilim malware. According to a newly unsealed superseding indictment, Stryzhak participated in an international scheme that targeted large companies, primarily in the US, Canada, and Australia, with the Nefilim ransomware, which encrypted victims' data and demanded ransom payments. Stryzhak allegedly joined the operation in 2021, using a platform known as the “panel” and sharing 20% of his ransom profits with the ransomware administrators. The group also stole data to pressure victims by threatening to publish it if ransoms weren’t paid. If convicted, Stryzhak faces up to five years in prison.
Richard Ehiemere, a 21-year-old from East London, was sentenced to 12 months in prison (suspended for 18 months) and given a 10-year Sexual Harm Prevention Order for his involvement in a cybercrime network known as "CVLT," part of a broader misogynistic online group referred to as “Com.” Ehiemere was arrested in April 2021, and a search of his devices uncovered 29 indecent images of children, 142 stolen data lists, and evidence of online criminal activity. CVLT and similar networks exploit and coerce girls online, using tactics such as doxxing and blackmail to force victims into sexual acts and even self-harm, with some cases leading to suicide.
Ryan Kramer, a 25-year-old man who used the alias “NullBulge,” has pleaded guilty to hacking into Disney's internal systems and stealing over 1.1 terabytes of data. Posing as a developer of an AI image generator, Kramer distributed malware through platforms like GitHub. When a Disney employee installed the program, Kramer accessed his device and stole credentials, including from his 1Password manager. Using these, Kramer infiltrated Disney's Slack channels and stole sensitive company data. He later threatened the employee, pretending to be a Russian hacktivist group, in an extortion attempt. Kramer faces up to 10 years in prison and admitted two other individuals had also installed his malware.
The FBI’s Internet Crime Complaint Center (IC3) has released a list of over 42,000 domain names associated with LabHost, a major phishing-as-a-service (PhaaS) platform dismantled in April 2024. LabHost enabled cybercriminals to deploy phishing kits impersonating over 200 organizations, including banks and government entities. The platform provided tools like fake login pages, adversary-in-the-middle attacks to capture 2FA codes, smishing capabilities, and credential management services.
Europol has launched a new international taskforce aimed at dismantling the growing number of organized criminal groups recruiting young people to carry out cyber and physical crimes under the model of so-called “violence-as-a-service.” Europol warns that many of these young perpetrators are groomed and recruited through encrypted messaging apps and social media platforms using coded language, memes, and gamified tasks to appeal to teenagers' desire for community and identity.