From sophisticated nation-state campaigns to stealthy malware lurking in unexpected places, this week’s cybersecurity landscape is a reminder that attackers are always evolving. Advanced threat groups are exploiting outdated hardware, abusing legitimate tools for financial fraud, and finding new ways to bypass security defenses. Meanwhile, supply chain threats are on the rise, with open-source repositories becoming a playground for credential theft and hidden backdoors.
But it’s not all bad news—law enforcement is tightening its grip on cybercriminal networks, with key ransomware figures facing extradition and the security community making strides in uncovering and dismantling active threats. Ethical hackers continue to expose critical flaws, and new decryptors offer a fighting chance against ransomware operators.
In this week’s recap, we dive into the latest attack techniques, emerging vulnerabilities, and defensive strategies to keep you ahead of the curve. Stay informed, stay secure.
⚡ Threat of the Week
UNC3886 Targets End-of-Life Juniper Networks MX Series Routers — UNC3886, a China-nexus hacking group previously known for breaching edge devices and virtualization technologies, targeted end-of-life MX Series routers from Juniper Networks as part of a campaign designed to deploy six distinct TinyShell-based backdoors. Less than 10 organizations have been targeted as part of the campaign. “The backdoors had varying custom capabilities, including active and passive backdoor functions, as well as an embedded script that disables logging mechanisms on the target device,” Mandiant said. Further analysis by Juniper Networks has revealed that at least one security vulnerability (CVE-2025-21590) contributed to a successful attack that allowed the threat actors to bypass security protections and execute malicious code.
🔔 Top News
- Storm-1865 Uses ClickFix for Financial Fraud and Theft — A threat actor known as Storm-1865 has been observed leveraging the increasingly popular ClickFix strategy as part of a phishing campaign that uses Booking.com lures to direct users to credential-stealing malware. The campaign, ongoing since December 2024, casts a wide geographical net, spanning North America, Oceania, South and Southeast Asia, and Northern, Southern, Eastern, and Western Europe.
- North Korea Targets Korean and English-Speaking Users with KoSpy — The North Korea-linked ScarCruft actor uploaded bogus Android apps to the Google Play Store by passing them off as seemingly innocuous utility apps that, when installed, unleashed a malware called KoSpy. It harbors features to collect SMS messages, call logs, location, files, audio, and screenshots via dynamically loaded plugins. The apps have since been removed from the app marketplace. The exact scale of the campaign remains unclear, although the earliest versions of the malware have been found as far back as March 2022.
- SideWinder Goes After Maritime and Logistics Companies — The advanced persistent threat (APT) group dubbed SideWinder has been linked to attacks targeting maritime and logistics companies in South and Southeast Asia, the Middle East, and Africa using a modular post-exploitation toolkit called StealerBot to capture a wide range of sensitive information from compromised hosts. The attacks spread across Bangladesh, Cambodia, Djibouti, Egypt, the United Arab Emirates, and Vietnam.
- LockBit Developer Extradited to the U.S. to Face Charges — Rostislav Panev, a 51-year-old dual Russian and Israeli national, was extradited to the U.S. from Israel to face charges related to his alleged involvement as a developer of the LockBit ransomware group from 2019 to February 2024. He was arrested in August 2024, a few months after the operation’s online infrastructure was seized in a law enforcement exercise. Panev is said to have earned approximately $230,000 between June 2022 and February 2024.
- Malicious PyPI Packages Conduct Credential Theft — A collection of 20 packages uncovered on the Python Package Index (PyPI) repository masqueraded as time- and cloud-related utilities but contained hidden functionality to steal sensitive data such as cloud access tokens. The packages were collectively downloaded over 14,100 times before they were removed from the PyPI repository. Three of these packages, acloud-client, enumer-iam, and tcloud-python-test, have been listed as dependencies of a relatively popular GitHub project named accesskey_tools that has been forked 42 times and starred 519 times.
🔥 Trending CVEs
Attackers love software vulnerabilities—they’re easy doors into your systems. Every week brings fresh flaws, and waiting too long to patch can turn a minor oversight into a major breach. Below are this week’s critical vulnerabilities you need to know about. Take a look, update your software promptly, and keep attackers locked out.
This week’s list includes — CVE-2025-24983, CVE-2025-24984, CVE-2025-24985, CVE-2025-24991, CVE-2025-24993, CVE-2025-26633 (Microsoft Windows), CVE-2025-24201 (Apple iOS, iPadOS, macOS Sequoia, Safari, and VisionOS), CVE-2025-25291, CVE-2025-25292 (ruby-saml), CVE-2025-27363 (FreeType), CVE-2024-12297 (Moxa PT switches), CVE-2025-27816 (Arctera InfoScale product), CVE-2025-24813 (Apache Tomcat), CVE-2025-27636 (Apache Camel), CVE-2025-27017 (Apache NiFi), CVE-2024-56336 (Siemens SINAMICS S200), CVE-2024-13871, CVE-2024-13872 (Bitdefender BOX v1), CVE-2025-20115 (Cisco IOS XR), CVE-2025-27593 (SICK DL100-2xxxxxxx), CVE-2025-27407 (graphql), CVE-2024-54085 (AMI), CVE-2025-27509 (Fleet), and CVE-2024-57040 (TP-Link TL-WR845N router).
📰 Around the Cyber World
- Google Pays $11.8 Million in 2024 Bug Bounty Program — Google paid almost $12 million in bug bounty rewards to 660 security researchers who reported security issues through the company’s Vulnerability Reward Program (VRP) in 2024. It also said it awarded more than $3.3 million to researchers who uncovered critical vulnerabilities within Android and Google mobile applications. Last but not least, the company said it received 185 bug reports related to its Artificial intelligence (AI) products, netting researchers over $140,000 in rewards.
- Security Flaws in ICONICS Suite Disclosed — Five high-severity security flaws have been disclosed in a Supervisory Control and Data Acquisition (SCADA) system named ICONICS Suite – CVE-2024-1182, CVE-2024-7587, CVE-2024-8299, CVE-2024-9852, and CVE-2024-8300 – that allow an authenticated attacker to execute arbitrary code, elevate privileges, and manipulate critical files. In a real-world attack aimed at industrial systems, an adversary who has already gained access to the targeted organization’s systems could leverage the SCADA vulnerabilities to cause disruption and in some cases to take full control of a system. “In combination, these vulnerabilities pose a risk to the confidentiality, integrity and availability of a system,” Palo Alto Networks Unit 42 said.
- Threat Actors Intensify Abuse of Remote Access Tools — Threat actors like TA583, TA2725, and UAC-0050 are increasingly using legitimate remote monitoring and management (RMM) tools such as ScreenConnect, Fleetdeck, Atera, and Bluetrait as a first-stage payload in email campaigns. They can be used for data collection, financial theft, lateral movement, and to install follow-on malware including ransomware. The development coincides with a decrease in prominent loaders and botnets typically used by initial access brokers. “It’s fairly easy for threat actors to create and distribute attacker-owned remote monitoring tools, and because they are often used as legitimate pieces of software, end users might be less suspicious of installing RMMs than other remote access trojans,” Proofpoint said. “Additionally, such tooling may evade anti-virus or network detection because the installers are often signed, legitimate payloads distributed maliciously.”
- Decryptor for Linux Variant of Akira Ransomware Released — A decryptor has been released for the Linux/ESXi variant of Akira ransomware that appeared in 2024; it uses GPU power to recover the decryption key and unlock files for free. It has been made available by researcher Yohanes Nugroho on GitHub.
- Volt Typhoon Hackers Dwelled in a U.S. Electric Company for Over 300 Days — Chinese hackers linked to the Volt Typhoon (aka Voltzite) campaign spent nearly one year inside the systems of a major utility company in Littleton, Massachusetts. According to a case study published by Dragos, Littleton Electric Light and Water Departments (LELWD) discovered its systems were breached before Thanksgiving in 2023. A subsequent investigation found evidence of lateral movement by the hackers and data exfiltration, but ultimately revealed that the “compromised information did not include any customer-sensitive data, and the utility was able to change their network architecture to remove any advantages for the adversary.” The attackers are said to have gained access via a buggy Fortinet 300D firewall associated with a managed service provider (MSP). Dragos added: “The significance of the discovery of this attack is that it highlights that the adversary not only aimed to maintain persistent access to the victim’s environment for a long tenure, but also were aiming to exfiltrate specific data related to OT operating procedures and spatial layout data relating to energy grid operations.” The existence of Volt Typhoon came to light in May 2023. While China has denied any involvement in the Volt Typhoon attacks, U.S. government agencies have said the threat actors are “seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.”
- Lazarus Group Drops LazarLoader Malware — The North Korea-linked Lazarus Group, which was most recently implicated in the record-breaking $1.5 billion cryptocurrency theft from Bybit, has been observed targeting South Korean web servers to install web shells and a downloader malware dubbed LazarLoader, which then is responsible for fetching an unspecified backdoor.
- YouTube Becomes Conduit for DCRat — A new wave of cyber attacks utilizing the Dark Crystal RAT (DCRat) backdoor has been targeting users since early 2025 through YouTube distribution channels. The attacks involve cybercriminals creating or compromising YouTube accounts to upload videos advertising gaming cheats, cracks, and bots that appeal to gamers looking for such tools, tricking them into clicking on booby-trapped links embedded in the video descriptions. “Besides backdoor capability, the trojan can load extra modules to boost its functionality,” Kaspersky said. “Throughout the backdoor’s existence [since 2018], we have obtained and analyzed 34 different plugins, the most dangerous functions of which are keystroke logging, webcam access, file grabbing and password exfiltration.” Telemetry data gathered by the Russian cybersecurity company shows that a majority of the DCRat samples were downloaded to the devices of users in Russia, and to a lesser extent among users from Belarus, Kazakhstan, and China.
- New Social Engineering Campaigns Aimed at Microsoft 365 Account Takeover — Proofpoint is warning of two ongoing, highly targeted campaigns that combine OAuth redirection mechanisms with brand impersonation techniques, malware proliferation, and Microsoft 365-themed credential phishing to facilitate account takeover (ATO) attacks. It said it discovered three malicious OAuth apps, disguised as Adobe Drive, Adobe Acrobat, and Docusign, which are used to redirect users to web pages hosting phishing and malware delivery threats. “To avoid detection solutions, the observed apps were assigned limited scopes (such as profile, email, openid),” it said.
- Wi-Fi Jamming Technique Enables Precision DoS Attack — New research has demonstrated a sophisticated Wi-Fi jamming technique that’s capable of disabling individual devices with millimeter-level precision by leveraging Reconfigurable Intelligent Surface (RIS) technology. “In particular, we propose a novel approach that allows for environment-adaptive spatial control of wireless jamming signals, granting a new degree of freedom to perform jamming attacks,” a group of academics from Ruhr University Bochum and Max Planck Institute for Security and Privacy said. “Using RIS-based environment-adaptive wireless channel control, allowing to maximize and minimize wireless signals on specific locations [27], the attacker gains spatial control over their wireless jamming signals. This opens the door to precise jamming signal delivery towards a target device, disrupting any legitimate signal reception, while leaving other, non-target devices, untouched.”
- Hash DoS Flaw in QUIC Implementations — Multiple Quick UDP Internet Connections (QUIC) protocol implementations have been found susceptible to a hash denial-of-service (DoS) attack. “By exploiting this vulnerability, an attacker is able to significantly slow down vulnerable servers,” NCC Group said. “This vulnerability allows attackers to stall the server by forcing it to spend the majority of its computing power inserting and looking up colliding connection IDs.”
- Exposed Jupyter Notebooks Become Cryptominer Targets — A new evasive campaign is targeting misconfigured Jupyter Notebooks installed on both Windows and Linux systems to deliver a cryptocurrency miner. The payloads take the form of MSI installers and ELF binaries that are designed to drop the miner that singles out Monero, Sumokoin, ArQma, Graft, Ravencoin, Wownero, Zephyr, Townforge, and YadaCoin. Cado Security, which detected the activity against its honeypot network, said it also observed a parallel campaign targeting servers running PHP to distribute the same miner. Furthermore, some of the intermediate artifacts used in the campaign have been observed in prior attacks targeting South Korean web servers as well as Ivanti Connect Secure (ICS) instances vulnerable to CVE-2023-46805 and CVE-2024-21887.
- ESP32 Chip Backdoor Claims Disputed — Espressif, the manufacturer of ESP32, a low-cost, low-power microcontroller with integrated Wi-Fi and dual-mode Bluetooth capabilities, has pushed back against claims of a backdoor in its products. Researchers at Tarlogic initially said they had found a “backdoor” in ESP32 that could “allow hostile actors to conduct impersonation attacks and permanently infect sensitive devices such as mobile phones, computers, smart locks, or medical equipment by bypassing code audit controls.” The research has since been updated to make it clear that it’s more of a “hidden functionality that can be used as a backdoor.” It also said that the commands could facilitate supply chain attacks or other stealthy compromises. In response to the disclosure, Espressif pointed out that the 29 undocumented commands in question are not accessible remotely, but noted it will provide a software fix to remove them from the code. “The functionality found are debug commands included for testing purposes,” it added. “These debug commands are part of Espressif’s implementation of the HCI (Host Controller Interface) protocol used in Bluetooth technology. This protocol is used internally in a product to communicate between Bluetooth layers.” ESP32-C, ESP32-S and ESP32-H series chips are not impacted by the issue, which is now tracked as CVE-2025-27840 (CVSS score: 6.8).
- Switzerland Makes it Mandatory to Disclose Critical Infra Attacks — The National Cyber Security Centre (NCSC) of Switzerland has announced that critical infrastructure organizations will be required to report cyberattacks to the NCSC within 24 hours of discovery starting April 1, 2025. “Examples of when a cyberattack must be reported include when it threatens the functioning of critical infrastructure, has resulted in the manipulation or leakage of information, or involves blackmail, threats or coercion,” the NCSC said. “Critical infrastructure operators who fail to report a cyberattack may be fined.”
- Bugs in Microsoft’s Time Travel Debugging (TTD) Framework — Google-owned Mandiant has detailed its security analysis of the Time Travel Debugging (TTD) framework, a record-and-replay debugging tool for Windows user-mode applications. Given that TTD leans on CPU instruction emulation to reproduce issues, “subtle inaccuracies” in the process could have serious consequences, potentially allowing critical security flaws to slip undetected. Even worse, it could be deliberately abused by attackers to bypass analysis. The four identified issues have been addressed in TTD version 1.11.410. “The observed discrepancies, while subtle, underscore a broader security concern: even minor deviations in emulation behavior can misrepresent the true execution of code, potentially masking vulnerabilities or misleading forensic investigations,” Mandiant said.
- NIST Chooses HQC as Fifth Post-Quantum Crypto Algorithm — The U.S. National Institute of Standards and Technology (NIST) has selected HQC (short for Hamming Quasi-Cyclic) as backup algorithm as a “second line of defense” against the threat posed by a future quantum computer. “The new algorithm, called HQC, will serve as a backup defense in case quantum computers are someday able to crack ML-KEM,” NIST said. “Both these algorithms are designed to protect stored information as well as data that travels across public networks.” According to Dustin Moody, who heads NIST’s Post-Quantum Cryptography project, HQC is not intended to replace ML-KEM.
- Going from BYOVD to BYOTB to BYOVE — Bring Your Own Vulnerable Driver (BYOVD) is a known attack technique in which a threat actor uses a legitimate but vulnerable driver — either already present on the host or introduced into the target environment — to gain elevated privileges and perform malicious actions, such as disabling security software. This approach has been adopted by various threat actors such as BlackByte, Kasseika, RansomHub (Water Bakunawa), and Lazarus Group. But new research published in recent weeks has shown that the technique can be combined with symbolic links (aka symlinks) to abuse a broader set of drivers. “With the new attack method that combines the file writing functionality of drivers and Windows Symbolic Links, attackers are relieved from the restriction of needing to find vulnerable drivers that are not yet on the blocklist to exploit,” Zero Salarium researcher Nicky Thompson said. “Instead, they only need to identify any driver that has file writing capabilities, such as logging, tracing, etc. Merging with the abuse of symbolic links, BYOVD technique will evolve to a new level.” The approach can be further extended to what’s called Bring Your Own Trusted Binary (BYOTB), which involves using legitimate binaries (e.g., cloudflared) in an adversarial manner, and Bring Your Own Vulnerable Enclave (BYOVE), which makes use of vulnerable versions of legitimate enclaves to run malicious code without attracting attention — a memory evasion technique codenamed Mirage. While enclave modules have to be signed with a Microsoft-issued certificate to load, a threat actor could rely on an operating system flaw (CVE-2024-49706) to load an unsigned module into an enclave, obtain access to a Trusted Signing entity and sign their own enclaves, or even abuse debuggable and vulnerable enclaves (e.g., CVE-2023-36880) to read and write arbitrary data inside the enclave. “This could be useful in many scenarios — by storing payloads out of the reach of EDRs, sealing encryption keys hidden away from analysts, or keeping sensitive malware configuration out of memory dumps,” Akamai researcher Ori David said. Another technique to blind security solutions involves a new path masquerading approach that employs “whitespace” characters in Unicode to spoof the execution path of any program so that it resembles that of an antivirus.
🎥 Cybersecurity Webinars
- Learn How to Eliminate Identity-Based Threats — Despite massive security investments, identity-based attacks like phishing and MFA bypass continue to thrive. Traditional methods accept breaches as inevitable—but what if you could eliminate these threats altogether? Join this webinar to discover secure-by-design access solutions featuring phishing resistance, device compliance, and adaptive authentication—shifting your strategy from breach response to proactive prevention.
- Discover AI-Driven Threats and Zero Trust Defense Before It’s Too Late — Artificial Intelligence (AI) is reshaping cybersecurity, amplifying threats, and outsmarting traditional defenses. Join Diana Shtil from Zscaler to learn practical, proactive strategies—including Zero Trust—to protect your organization against evolving AI-driven attacks.
- Your AI is Outpacing Your Security: Here’s How to Keep Up — Hidden AI tools are quietly spreading across your environment, bypassing security controls until they become a real threat. Join Dvir Sasson, Director of Security Research at Reco, to uncover stealthy AI risks in your SaaS apps, real-world AI attack scenarios, and practical strategies to detect and respond effectively. Reserve your spot now to stay ahead of AI threats.
🔧 Cybersecurity Tools
- CVE Prioritizer — An advanced vulnerability assessment tool designed to streamline your patch management by intelligently combining CVSS scores, EPSS predictive insights, CISA’s Known Exploited Vulnerabilities (KEV), and VulnCheck’s enriched community data (NVD++, KEV). Traditional CVSS scores reflect vulnerability severity, but adding EPSS helps pinpoint those most likely to be actively exploited. By integrating CISA KEV, the tool emphasizes vulnerabilities currently leveraged in real-world attacks. This combined approach categorizes CVEs into clear priority levels, enabling security teams to efficiently allocate resources, effectively manage risk, and strategically remediate the vulnerabilities that truly matter most.
- Fleet — An open-source security and IT platform helping teams at companies like Fastly and Gusto manage thousands of devices easily. It simplifies vulnerability tracking, device health monitoring, security policies, and license management across macOS, Windows, Linux, cloud platforms, and IoT. Fleet is modular, and lightweight, integrates smoothly with popular tools, and offers a free, flexible solution tailored to your needs.
- ZeroProbe — A specialized enumeration and exploit-development toolkit for security researchers, penetration testers, and red teamers. It provides precise detection of kernel exploits, DLL hijacking, privilege escalation opportunities, weak file permissions, and suspicious memory regions. Leveraging direct syscall execution, memory analysis, and syscall hooking detection, ZeroProbe enables stealthy, forensic-friendly security assessments on Windows 10, 11, and Server 2019, compatible across PowerShell versions.
🔒 Tip of the Week
Detecting Threat Actors Early with Sysmon and Event ID 4688 — Attackers rely heavily on running unusual or malicious processes—such as encoded PowerShell commands, uncommon scripts, or tools like certutil.exe or rundll32.exe—to escalate privileges and evade detection. Deploying Microsoft Sysmon combined with built-in Windows Event ID 4688 (Process Creation) auditing helps capture these actions early, significantly reducing the risk of compromise. Sysmon provides detailed logs on process activities, file creation, and network connections, enabling defenders to spot anomalies quickly.
For practical implementation, install Sysmon with a trusted, community-driven configuration (like SwiftOnSecurity’s config), and enable Windows process auditing through group policies or the command line. Then, automate detection and alerting using free SIEM solutions like Elastic Stack (ELK) or Graylog, easily integrating Sysmon and Windows logs for real-time visibility and rapid threat response.
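As an added illustration of the Tip of the Week (this is example code written for this recap, not code from Microsoft, Sysmon, or any SIEM vendor), the script below applies the tip's heuristics to a handful of process-creation records shaped like the fields Sysmon Event ID 1 and Security Event ID 4688 both carry (Image, CommandLine, ParentImage). The sample events, file paths, and rule names are constructed for the example; in a real deployment the same logic would be expressed as Elastic or Graylog rules over the forwarded events rather than run as a standalone script.

```python
"""Added example: flag suspicious process creations in Sysmon/4688-style events.

Field names mirror Sysmon Event ID 1 / Security Event ID 4688; every event
below is constructed for illustration and is not real telemetry.
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    source: str          # e.g. "Sysmon/1" or "Security/4688"
    image: str           # full path of the created process (Image / NewProcessName)
    command_line: str    # CommandLine / Process Command Line
    parent_image: str    # ParentImage / Creator Process Name


@dataclass
class Finding:
    rule: str
    detail: str
    event: ProcessEvent


SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand, so -e, -ec, -en, -enc all work.
ENCODED_RE = re.compile(
    r"(?:^|\s)[-/](?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_powershell_payload(b64: str) -> str:
    """-EncodedCommand is base64 of UTF-16LE text; return it for analyst context."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def inspect(event: ProcessEvent) -> list[Finding]:
    """Apply each heuristic from the tip to one event; return all matching findings."""
    findings: list[Finding] = []
    name = basename(event.image)
    parent = basename(event.parent_image)
    cmd = event.command_line

    if name in {"powershell.exe", "pwsh.exe"}:
        match = ENCODED_RE.search(cmd)
        if match:
            decoded = decode_powershell_payload(match.group(1))
            findings.append(Finding("encoded_powershell", f"decoded: {decoded!r}", event))

    if name == "certutil.exe" and re.search(r"(?i)-(urlcache|decode|encode)", cmd):
        findings.append(Finding("certutil_abuse", "certutil used to fetch or decode content", event))

    if name == "rundll32.exe":
        # Script payloads, or a DLL loaded from outside the Windows directory
        # (including no DLL argument at all), are out of the ordinary.
        if "javascript:" in cmd.lower() or not re.search(r"(?i)[a-z]:\\windows\\", cmd):
            findings.append(Finding("rundll32_suspicious",
                                    "rundll32 with script payload or non-Windows DLL", event))

    if parent in OFFICE_APPS and name in SCRIPT_HOSTS:
        findings.append(Finding("office_spawns_script_host", f"{parent} spawned {name}", event))

    return findings


def scan(events: list[ProcessEvent]) -> list[Finding]:
    return [f for e in events for f in inspect(e)]


# Constructed sample events (not real logs). The encoded payload is harmless.
ENCODED_SAMPLE = base64.b64encode("Write-Host hello".encode("utf-16le")).decode("ascii")
SAMPLE_EVENTS = [
    ProcessEvent("Sysmon/1", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 f"powershell.exe -nop -w hidden -enc {ENCODED_SAMPLE}",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcessEvent("Security/4688", r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -decode C:\Users\Public\blob.txt C:\Users\Public\out.exe",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("Sysmon/1", r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\Public\update.dll,Start",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent("Security/4688", r"C:\Windows\System32\svchost.exe",
                 "svchost.exe -k netsvcs -p", r"C:\Windows\System32\services.exe"),
    ProcessEvent("Sysmon/1", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.event.source}: {finding.detail}")
```

The two benign samples (svchost.exe from services.exe, and a plain -File PowerShell run) produce no findings, which is the point of keeping the rules narrow: alert on the encoded form, the certutil download/decode flags, and unusual rundll32 arguments rather than on every instance of these binaries, which run constantly on a healthy Windows host.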
Conclusion
Cyber threats aren’t just evolving—they’re adapting to security controls, exploiting human behavior, and weaponizing legitimate technologies. This week’s developments highlight a critical reality: outdated infrastructure isn’t just a liability, it’s an invitation. Trusting signed software blindly? That’s a risk. Assuming major platforms are inherently secure? That’s an oversight.
Threat actors are shifting tactics faster than many defenses can keep up. They’re embedding malware in everyday tools, leveraging phishing beyond mere credential theft, and manipulating vulnerabilities that most organizations overlook. The lesson? Security isn’t about reacting to the breach—it’s about anticipating the next move.
As defenders, our edge isn’t just in patching vulnerabilities but in understanding the mindset of attackers. Every breach, every exploit, and every overlooked detail is a signal: the threat landscape doesn’t wait, and neither should our response. Stay proactive, stay skeptical, and stay ahead.