Cyber Security Week in Review: May 16, 2025

Microsoft, Fortinet, and Ivanti have released critical security patches addressing multiple zero-day vulnerabilities that are currently being exploited in active cyberattacks.

  • Microsoft patched over 70 vulnerabilities, including five zero-days affecting various Windows components. These flaws (CVE-2025-30397, CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, CVE-2025-32709) enable privilege escalation and remote code execution, posing significant risks to systems and networks. Users are urged to update immediately.

  • Fortinet addressed a critical buffer overflow vulnerability (CVE-2025-32756) in its FortiVoice product, which also affects other products like FortiMail and FortiCamera. The flaw is being actively exploited, with attackers targeting FortiVoice to steal credentials and evade detection. Customers are advised to patch without delay.

  • Ivanti fixed two severe flaws (CVE-2025-4427 and CVE-2025-4428) in its Endpoint Manager Mobile (EPMM) software, which can be chained to bypass authentication and achieve remote code execution. The vulnerabilities, found in embedded open-source libraries, have affected a limited number of customers, and Ivanti is still investigating the full impact.

Additionally, Google rolled out updates to fix four security vulnerabilities in its Chrome web browser, one of which is said to have been exploited in the wild. Tracked as CVE-2025-4664, the flaw is a security restrictions bypass issue that exists due to insufficient policy enforcement in Loader. A remote attacker can trick the victim into visiting a specially crafted website and bypass implemented security restrictions.

The European Union Agency for Cybersecurity (ENISA) launched the European Vulnerability Database (EUVD), which is mandated by the NIS2 Directive for cybersecurity risk management. The EUVD is freely accessible and includes information from vendors, incident response teams, and other databases like CISA’s Known Exploited Vulnerabilities catalog and MITRE’s CVE Program. ENISA, as a CVE Numbering Authority since 2024, can also assign CVE identifiers to vulnerabilities.

ESET cybersecurity researchers have uncovered a cyberespionage campaign dubbed ‘Operation RoundPress’, linked to the Russia-aligned group Sednit (APT28/Fancy Bear/Sofacy). Active since 2023, the operation targets webmail servers by exploiting cross-site scripting (XSS) vulnerabilities. Initially focusing on Roundcube via CVE-2020-35730, the campaign expanded in 2024 to include Horde, Zimbra, and MDaemon, exploiting a zero-day vulnerability (CVE-2024-11182) in the latter. Attackers send spearphishing emails containing malicious JavaScript payloads that execute in vulnerable webmail clients when the message is opened, enabling theft of data including emails, contacts, and credentials.

China-nexus Advanced Persistent Threat (APT) groups have launched a coordinated cyber-espionage campaign in April 2025, targeting critical infrastructure via a zero-day vulnerability in SAP NetWeaver Visual Composer. The attackers exploited CVE-2025-31324, an unauthenticated file upload vulnerability enabling remote code execution (RCE), to gain access to enterprise systems globally.

A Chinese-speaking advanced persistent threat (APT) group known as Earth Ammit has been linked to two sophisticated cyberespionage campaigns dubbed ‘VENOM’ and ‘TIDRONE,’ carried out between 2023 and 2024. The campaigns employed supply chain attacks targeting organizations in Taiwan and South Korea, spanning critical industries from military to healthcare.

North Korean state-sponsored threat actor TA406 has launched a series of phishing attacks against Ukrainian government entities, according to a new report from cybersecurity firm Proofpoint. The campaigns, which began in February 2025, aim to harvest credentials and deliver malware, likely to gather intelligence related to the ongoing Russian invasion of Ukraine.

In unrelated news, a new report from DTEX provides a deeper look into how North Korea blends cybercrime, espionage and remote IT workforce schemes to achieve its goals.

Microsoft’s Threat Intelligence team has uncovered a sophisticated espionage campaign by the Türkiye-affiliated threat actor dubbed ‘Marbled Dust,’ exploiting a previously unknown zero-day vulnerability (CVE-2025-27920) in Output Messenger, a popular enterprise messaging app. The operation, active since April 2024, has primarily targeted Kurdish military personnel in Iraq.

Cybersecurity researchers have discovered a new botnet malware called HTTPBot, which has been actively targeting the gaming industry, technology firms, and educational institutions in China. First detected in August 2024, HTTPBot is written in Golang and, unusually for Go-based botnets, targets Windows systems. It launches HTTP flood DDoS attacks that closely simulate legitimate HTTP traffic, employing dynamic feature obfuscation to evade traditional detection methods. According to a recent NSFOCUS report, the malware has been spreading aggressively and is specifically designed to disrupt critical business functions such as game login and payment systems.

A new malware campaign has been using a PowerShell-based shellcode loader to deploy the Remcos remote access trojan (RAT). According to Qualys researchers, attackers distribute malicious ZIP archives containing Windows shortcut (LNK) files, often disguised as Office documents with tax-related lures. The LNK files exploit the legitimate Windows tool mshta.exe to execute malicious code, enabling the stealthy deployment of the Remcos RAT.

Cryptocurrency exchange Coinbase has revealed a data breach affecting a small portion of its users after cybercriminals bribed overseas customer support agents, mainly in India, to steal sensitive account information. The breach impacted fewer than 1% of monthly transacting users and included personal data such as names, addresses, contact information, partial Social Security and bank account numbers, government ID images, and account details. No passwords, private keys, funds, or Coinbase Prime accounts were compromised. The attackers attempted to extort $20 million from Coinbase, but failed. All involved employees have been terminated.

The US FBI has issued a warning about a major fraud campaign in which scammers are using deepfakes to impersonate senior US officials. Active since April, the campaign primarily targets current and former government officials in an effort to steal login credentials for official accounts. Once access is gained, the attackers attempt to compromise additional government systems and collect financial account information.

Twelve additional individuals have been charged in a RICO conspiracy involving the theft of over $230 million in cryptocurrency and subsequent laundering of the funds through exchanges and mixers. The criminal enterprise, active from at least October 2023 to March 2025, originated from friendships on online gaming platforms.

Members held specific roles such as hackers, organizers, social engineers, money launderers, and burglars. They obtained data through hacking or purchasing on the dark web, identified valuable targets, and used social engineering to access accounts.

The stolen funds were used to finance an extravagant lifestyle, including luxury goods, exotic cars, and private jets. The laundering process involved complex tactics to conceal identities. In one instance, a suspect broke into a victim's home to steal a hardware wallet, while another tracked the victim via iCloud. Two suspects remain at large, believed to be in Dubai.

Telegram has shut down two major Chinese-language darknet marketplaces: Haowang Guarantee (formerly Huione Guarantee), which facilitated over $27 billion in illicit transactions, and Xinbi Guarantee. The ban, enacted on May 13, disabled thousands of associated accounts that served as the marketplaces' infrastructure.

According to blockchain firm Elliptic, the broader Huione Group, a Cambodian conglomerate with interests in various industries, including a payments business, Huione Pay, enabled over $98 billion in crypto transactions. The marketplace offered services to crypto scammers, including money laundering, stolen data for pig butchering scams, telecom tools, deepfake software, and even physical restraint devices used in scam call centers in Southeast Asia.

In a major international law enforcement effort dubbed ‘Operation Moonlander’, authorities dismantled two illicit online services, Anyproxy and 5Socks, which operated using a botnet of hacked internet-connected devices. Marketed as legitimate residential proxy networks, these platforms were actually built on compromised routers exploited by cybercriminals. Four individuals, three Russians and one Kazakh, were indicted for hijacking devices globally through known router vulnerabilities. In a separate action, German authorities shut down the crypto swapping service eXch, seizing over 8 terabytes of data and around €34 million in cryptocurrency.

Liridon Masurica, a 33-year-old citizen of Kosovo, was extradited to the United States on May 9, 2025, after being arrested by Kosovar authorities in December 2024. He faces federal charges for operating BlackDB.cc, a notorious online criminal marketplace that trafficked in stolen data, including compromised server credentials and credit card information. Masurica, known by the alias ‘@blackdb,’ is charged with conspiracy to commit access device fraud and fraudulent use of unauthorized access devices. He is currently detained pending trial. Additionally, Moldovan authorities arrested a 45-year-old foreign national linked to the DoppelPaymer ransomware attacks, with support from Dutch law enforcement.

Europol has dismantled a criminal network behind fake investment websites that defrauded victims of over €3 million. The operation took place in two phases, with arrests made in 2022 and another suspect apprehended this week in Cyprus. Seven additional gang members are still at large. Separately, authorities in Côte d'Ivoire arrested four men involved in global sextortion schemes. The US Justice Department said that at least one teenager took their own life as a result of the extortion.
