Cyber Security Week in Review: May 30, 2025

Google has reported that the Chinese state-sponsored hacking group APT41 is using new malware called TOUGHPROGRESS, which abuses Google Calendar for its command-and-control (C2) communications. Discovered in October 2024 by Google’s Threat Intelligence Group, the campaign originated from a compromised government website and targeted other government entities. Separately, researchers at Cofense discovered another campaign that abuses Google Apps Script to host phishing pages. The pages mimic legitimate login screens and are delivered via emails disguised as invoices to steal user credentials.

Trend Micro has released an in-depth report detailing a China-nexus advanced persistent threat (APT) group known as Earth Lamia, which has been conducting targeted cyber espionage campaigns across Brazil, India, and Southeast Asia since at least 2023. The group has aggressively shifted focus across industries over time, moving from financial sectors to logistics, retail, and now to IT firms, academic institutions, and government organizations in 2025.

This week, the Czech government officially accused China of a cyberespionage campaign targeting a communications system used by its foreign ministry. The campaign, active since 2022, is attributed to the APT31 group, believed to be affiliated with China’s Ministry of State Security. While the breached network did not contain classified information, it is considered part of the Czech Republic’s critical infrastructure.

The Microsoft Threat Intelligence Center (MSTIC) has uncovered a cloud abuse campaign attributed to a Russian-affiliated cyber threat group known as Void Blizzard. Dutch intelligence tracks this group as Laundry Bear. The agency said that this threat actor was behind attacks last year on the networks of the Dutch police, NATO and several European countries.

Ukraine's SSSCIP has released a comprehensive report detailing cyber threats encountered in the three years since Russia's invasion. According to the agency, Sandworm (UAC-0002) was the most active Russian advanced persistent threat (APT) group during this period. The report also said that Russian hackers breached 12 Ukrainian telecommunications companies within just three months in 2023.

A sophisticated botnet campaign, dubbed AyySSHush, has compromised more than 9,000 ASUS routers, with evidence suggesting the activity may be the work of a nation-state threat actor. The attackers are exploiting a known command injection flaw (CVE-2023-39780) on ASUS router models RT-AC3100, RT-AC3200, and RT-AX55. Using official ASUS configuration features, the attackers add their own SSH key and enable SSH access on a non-standard port (TCP 53282). Because the change is made through the router's own configuration rather than the firmware image, this backdoor access survives firmware upgrades, making removal particularly difficult.
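The persistence described above lives in the router's saved settings rather than in the firmware image, so reviewing those settings is the practical check. The script below is an added example, not code from the report or from ASUS: it audits an ASUSWRT-style `nvram` dump for sshd enabled on a non-default port and for authorized keys the operator did not install. The variable names `sshd_enable`, `sshd_port` and `sshd_authkeys`, and the `>` separator between multiple keys, are assumptions about the ASUSWRT configuration format; the dump and the key blobs are constructed placeholders.

```python
"""Audit an ASUSWRT-style nvram dump for unexpected SSH exposure.

Added example, not from the AyySSHush report or from ASUS. It assumes the
nvram variable names sshd_enable, sshd_port and sshd_authkeys, and that
several keys in sshd_authkeys are separated by '>' (all assumptions).
The dump below is constructed; its key blobs are placeholders, not real keys.
"""

DEFAULT_SSH_PORT = 22

# Constructed `nvram show`-style dump (not captured from any real device).
SAMPLE_NVRAM_DUMP = """\
lan_ipaddr=192.168.50.1
sshd_enable=1
sshd_port=53282
sshd_authkeys=ssh-ed25519 AAAA-PLACEHOLDER-KNOWN-KEY admin@laptop>ssh-rsa AAAA-PLACEHOLDER-UNKNOWN-KEY
wan_proto=dhcp
"""

# Keys the operator deliberately installed (constructed placeholder).
KNOWN_KEYS = {"ssh-ed25519 AAAA-PLACEHOLDER-KNOWN-KEY"}


def parse_nvram(dump):
    """Turn `name=value` lines into a dict; values may themselves contain '='."""
    settings = {}
    for line in dump.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            settings[name.strip()] = value.strip()
    return settings


def key_identity(entry):
    """Reduce an authorized_keys entry to 'type blob', dropping the free-text comment."""
    parts = entry.split()
    return " ".join(parts[:2]) if len(parts) >= 2 else entry


def audit_ssh(dump, known_keys=KNOWN_KEYS):
    """Return a list of findings describing SSH exposure in the dump."""
    settings = parse_nvram(dump)
    findings = []
    if settings.get("sshd_enable", "0") != "1":
        return findings  # sshd disabled: nothing to review
    port = int(settings.get("sshd_port") or DEFAULT_SSH_PORT)
    if port != DEFAULT_SSH_PORT:
        findings.append(f"sshd enabled on non-default port {port}")
    # Assumed '>' separator between keys; empty fragments are skipped.
    for entry in filter(None, settings.get("sshd_authkeys", "").split(">")):
        if key_identity(entry) not in known_keys:
            findings.append(f"unrecognised authorized key: {entry}")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh(SAMPLE_NVRAM_DUMP):
        print(finding)
```

Run it against `nvram show` output captured from the device and compare the authorized keys against the set the operator actually installed. A hit is an indicator for incident response rather than something to delete in place, since the access is reported to survive firmware upgrades.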

A sophisticated ransomware campaign linked to the notorious DragonForce gang has breached a managed service provider (MSP), exploiting vulnerabilities in the SimpleHelp remote monitoring and management (RMM) platform to deploy ransomware and steal sensitive data from downstream customers. According to a detailed investigation conducted by cybersecurity firm Sophos, the attackers chained three now-patched SimpleHelp vulnerabilities (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726) to infiltrate the MSP's infrastructure. Once inside, they used the RMM platform to conduct reconnaissance and subsequently launch attacks on connected client networks.

IT management software provider ConnectWise has disclosed a security breach attributed to a suspected state-sponsored threat actor. The breach affected a small number of customers using its ScreenConnect product. The intrusion, believed to have occurred in November 2024, appears to have exploited a vulnerability (CVE-2025-3935) that allowed remote code execution through ViewState code injection in older versions of ScreenConnect (25.2.3 and earlier). ConnectWise has since patched the flaw, notified impacted customers, and is working with Mandiant and law enforcement to investigate the incident.

Elastic Security Labs has uncovered two sophisticated cyber campaigns. The first involves a novel Rust-based infostealer named EDDIESTEALER, distributed through fake CAPTCHA verification pages. Victims are tricked into executing a malicious PowerShell script, which installs the malware to steal credentials, browser data, and cryptocurrency wallet information. The malware is hosted across multiple adversary-controlled websites.

Another unrelated campaign observed by Elastic targets vulnerable Linux servers, beginning with an Apache2 web server compromise in March 2024. Threat actors deployed a complex intrusion set featuring C2 channels disguised as kernel processes, Telegram bots for communication, and cron jobs for persistence. Malware families used include KAIJI (for DDoS attacks) and RUDEDEVIL (a crypto miner), along with custom tools. Evidence points to a Bitcoin/XMR mining and potential money laundering scheme using gambling APIs.

Mandiant Threat Defense has detailed a sophisticated cyber campaign by threat actor UNC6032 that exploits public interest in AI video generation tools to distribute malware at scale. Since November 2024, Mandiant has tracked UNC6032’s operations, which leverage fake “AI video generator” websites mimicking legitimate platforms like Luma AI, Canva Dream Lab, and Kling AI. Promoted through malicious ads on social media platforms, mainly Facebook and LinkedIn, these sites entice users with promises of cutting-edge AI-generated video capabilities. Instead, they serve malware-laced payloads, including a Python-based infostealer and multiple backdoors.

A new malicious campaign is exploiting search engine optimization (SEO) poisoning to target employee mobile devices and commit payroll fraud. The campaign involves fake login pages that mimic employee payroll portals. When unsuspecting users enter their credentials, the attackers gain access to the real payroll system and reroute paychecks to bank accounts under their control.

Threat actors are leveraging fake installers for popular software like LetsVPN and QQ Browser to deploy a malware framework known as Winos 4.0. First detected in February 2025, the campaign uses a stealthy, memory-resident loader dubbed Catena, which uses embedded shellcode and configuration-switching logic to stage payloads such as Winos 4.0 entirely in memory, evading traditional antivirus tools. It then connects to attacker-controlled servers, mostly hosted in Hong Kong, for further instructions or malware.

Over 44,000 IP addresses were found infected with the Latrodectus malware before a major international law enforcement operation, dubbed ‘Operation Endgame’, disrupted its spread. Latrodectus is a Windows-based downloader used to deploy banking trojans like IcedID and QakBot, often through malicious emails. It shares characteristics with other malware such as Pikabot. Most infections were reported in the US, Germany, France, the UK, and Brazil. On May 23rd, Europol and global partners took down 300 servers and 650 domains and issued 20 arrest warrants, targeting multiple malware families including Latrodectus. However, the infected IPs may still pose an active threat.

Fortinet’s FortiGuard Incident Response Team uncovered a remote access trojan (RAT) that had been active on a compromised Windows machine for several weeks. The attacker used batch scripts and PowerShell to execute the malware, which featured corrupted DOS and PE headers to evade detection. Analysis revealed that the RAT had multiple capabilities, including capturing screenshots, manipulating system services, and functioning as a server to receive incoming connections from remote clients.

A new Go-based botnet malware called 'PumaBot' is targeting embedded IoT devices by brute-forcing SSH credentials. Unlike typical botnets that scan the internet broadly, PumaBot focuses on specific IP addresses retrieved from its command-and-control (C2) server, making its attacks more targeted. Once access is gained, it deploys malicious payloads to compromise the devices.
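PumaBot's initial access is credential guessing against SSH, which leaves a dense trail of failed logins in sshd's log. The script below is an added example, not part of the PumaBot analysis: it parses sshd log lines in the standard syslog format (the lines are constructed) and flags any source address that reaches a threshold of failed password attempts within a sliding time window. The threshold and window values are illustrative.

```python
"""Flag SSH password-guessing sources from sshd log lines.

Added example, not from the PumaBot report. The log lines below are
constructed in standard syslog/sshd format; the threshold and window are
illustrative values, not figures from the report.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines (RFC 3164-style timestamps, which carry no year).
SAMPLE_LOG = """\
May 28 10:00:01 iot-gw sshd[2311]: Failed password for root from 203.0.113.7 port 51001 ssh2
May 28 10:00:03 iot-gw sshd[2313]: Invalid user admin from 203.0.113.7 port 51002
May 28 10:00:03 iot-gw sshd[2313]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
May 28 10:00:05 iot-gw sshd[2315]: Failed password for root from 203.0.113.7 port 51003 ssh2
May 28 10:00:08 iot-gw sshd[2317]: Failed password for root from 203.0.113.7 port 51004 ssh2
May 28 10:00:09 iot-gw sshd[2319]: Failed password for root from 203.0.113.7 port 51005 ssh2
May 28 10:00:20 iot-gw sshd[2320]: Accepted publickey for ops from 198.51.100.9 port 40022 ssh2
May 28 10:15:00 iot-gw sshd[2401]: Failed password for ops from 198.51.100.9 port 40030 ssh2
May 28 10:15:04 iot-gw sshd[2402]: Failed password for ops from 198.51.100.9 port 40031 ssh2
"""

# Only "Failed password" lines are counted: the preceding "Invalid user" line
# describes the same attempt and would double-count it.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(text):
    """Yield (timestamp, source_ip, username) for each failed password attempt."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("ip"), m.group("user")


def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Return {ip: {"failures": total, "users": [..]}} for every source whose
    failed logins reached `threshold` inside some `window_seconds` span."""
    recent = defaultdict(deque)   # per-source timestamps inside the window
    totals = defaultdict(int)
    users = defaultdict(set)
    flagged = set()
    for ts, ip, user in parse_failures(text):
        totals[ip] += 1
        users[ip].add(user)
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()   # drop attempts that fell out of the window
        if len(window) >= threshold:
            flagged.add(ip)
    return {ip: {"failures": totals[ip], "users": sorted(users[ip])} for ip in flagged}


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failed logins, users tried: {info['users']}")
```

The sliding window matters more than the raw count: a handful of typos from an operator spread over an hour should not trip the rule, while a burst of guesses from one address within seconds should. On a fleet of embedded devices, the same logic can run centrally over forwarded logs, since the devices themselves rarely have the resources for it.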

SquareX has released a new threat research report detailing an advanced Browser-in-the-Middle (BitM) attack targeting Safari users. The attack, dubbed ‘Fullscreen BitM’, leverages standard browser features to convincingly mask fake login pages as legitimate ones, without relying on weaknesses or vulnerabilities. By exploiting the browser's fullscreen mode, attackers can create deceptive interfaces that appear genuine, leading users to unknowingly enter their credentials into malicious sites.

Cybercriminals are distributing the VenomRAT infostealer through a fake Bitdefender antivirus website that mimics the official Windows download page. When users click the fake “Download for Windows” button, they receive a malicious archive containing executables that deploy VenomRAT. The malware enables remote access, keylogging, and data theft. Researchers at DomainTools also found traces of two open-source malware tools, SilentTrinity and StormKitty, indicating a dual attack strategy: harvesting financial and crypto credentials with StormKitty, while maintaining persistent access using SilentTrinity.

The FBI has issued a warning to US law firms about a persistent cyber extortion campaign being carried out by a threat group known as the Silent Ransom Group (SRG), also referred to as Luna Moth, Chatty Spider, and UNC3753. Active since 2022, the group has been using sophisticated callback phishing and social engineering tactics to infiltrate corporate networks. According to a private industry notification, SRG has been targeting legal and financial institutions by impersonating IT support personnel via email, fake websites, and phone calls. Once a victim engages, attackers direct them to initiate remote access sessions under the guise of resolving technical issues.

The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has imposed sanctions on the Philippines-based Funnull Technology Inc. and its administrator Liu Lizhi. They are accused of supporting romance baiting scams and ‘pig butchering’ schemes through infrastructure that enabled thousands of fraudulent cryptocurrency investment websites. The scams have led to billions of dollars in losses for Americans, with Funnull directly linked to over $200 million in victim-reported losses. The average individual loss exceeds $150,000. Additionally, the FBI has shared the Indicators of Compromise (IoCs) associated with malicious cyber activities linked to Funnull.

Pakistani authorities have arrested 21 people accused of running Heartsender, a spam operation that sold phishing kits targeting services like Microsoft 365, Yahoo, AOL, and others. The National Cyber Crime Investigation Agency (NCCIA) carried out raids in Lahore and Multan on May 15–16. The group’s tools are linked to over $50 million in losses in the US, with European officials probing 63 more cases.

Spain’s National Police dismantled a highly sophisticated cybercriminal network responsible for a series of sustained cyberattacks targeting critical infrastructure and public institutions. In a coordinated international operation dubbed “Borraska,” four individuals were arrested on Tuesday — two in Madrid, one in Córdoba, and one in Andorra. The suspects are accused of forming part of an advanced criminal organization engaged in cyberattacks, data exploitation, and money laundering.

A 37-year-old Iranian national pleaded guilty in a US court for his role in the Robbinhood ransomware and extortion scheme that crippled city governments, corporations, and healthcare providers across the United States. Sina Gholinejad admitted to participating in the deployment of the Robbinhood ransomware variant, which encrypted victims' files and demanded Bitcoin payments in exchange for decryption keys. The attacks, which began in early 2019, resulted in tens of millions of dollars in damages.

The Security Service of Ukraine (SBU) and the National Police have dismantled a covert espionage network working for Russian intelligence, which used vehicle dashcams to guide missile strikes on critical Ukrainian defense infrastructure across seven regions of the country.

Meta announced in its Q1 2025 Adversarial Threat Report that it had disrupted three covert influence campaigns from Iran, China, and Romania. The Romanian operation involved 658 fake Facebook accounts, 14 Pages, and two Instagram accounts aimed at manipulating public discourse. The accounts posed as locals and posted content on sports, travel, and local news, while also promoting external websites and engaging with political and news content. One Facebook Page had over 18,000 followers. Meta said it removed the campaigns before they could build authentic audiences.

The UK government has created a new Cyber and Electromagnetic Command within its armed forces to oversee both defensive and offensive cyber operations in support of military missions. Additionally, the government plans to invest £1 billion in advanced battlefield systems to enhance coordination across military branches.
