Russia’s Sandworm APT targets critical infrastructure in Ukraine
The Ukrainian Government's Computer Emergency Response Team (CERT-UA) discovered a malicious campaign targeting the information and communication systems (ICS) of nearly 20 energy, water, and heating supply companies across 10 Ukrainian regions. The campaign, ongoing since early 2024, was attributed to the threat actor UAC-0212, a subgroup of the infamous UAC-0002 (Sandworm, APT44). By mid-2024, the group had adopted new tactics, including sending malicious PDFs containing links that exploited a security vulnerability (CVE-2024-38213) to download malicious files and execute PowerShell commands. The malware used in the attacks included tools such as Secondbest, Empirepast, Spark, and Crookbag, with RSYNC used for long-term document theft in some cases.
In addition, Ukrainian authorities have issued a warning that cybercriminals have been targeting notaries to gain unauthorized access to government databases. Since mid-January 2025, CERT-UA has been observing a resurgence in activity from the organized criminal group UAC-0173. On commission and for financial reward, the group has been conducting cyberattacks to establish covert remote access to notaries' computers, with the ultimate goal of making unauthorized alterations to state registries.
SentinelLabs has detected an ongoing campaign targeting Ukrainian government and military organizations, alongside Belarusian opposition activists. The campaign has been under preparation since July-August 2024 and became operational in November-December 2024, with the activity still ongoing. The researchers link this activity to the long-running Ghostwriter campaign, which has been active since at least 2016. The Ghostwriter campaign has been closely associated with Belarusian government espionage efforts and is most commonly attributed to threat actor groups like UNC1151 (Mandiant) or UAC-0057 (CERT-UA).
China-linked botnet targets Microsoft 365 accounts
A botnet linked to a threat actor believed to be from China has been targeting Microsoft 365 accounts with large-scale password spraying attacks, according to SecurityScorecard. The botnet, comprising over 130,000 compromised devices, exploits Basic Authentication, which bypasses Multi-Factor Authentication (MFA) in many setups, allowing attackers to attempt password spraying undetected. The attacks use stolen credentials from information-stealer malware and are coordinated through multiple command-and-control servers in the United States.
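The mechanism this item describes, legacy Basic Authentication that never triggers an MFA challenge and so lets a spray run quietly against many accounts, is easiest to reason about from the log side. The following Python is an added example, not code from SecurityScorecard or from any report it published: it runs a simple spray heuristic over constructed sign-in records and separately lists accounts that have authenticated over a legacy protocol, since those are the accounts whose MFA enrolment is not actually protecting them. The field names (`ip`, `user`, `success`, `protocol`), the protocol labels, the sample IPs and the threshold of five distinct targets per source are all assumptions made for the example; a real identity provider exports richer records and the threshold needs tuning to the tenant.

```python
from collections import defaultdict

# Legacy protocols that authenticate with username/password only, without an
# MFA challenge. Labels are assumed for this example, not taken from any product.
LEGACY_PROTOCOLS = {"Basic", "IMAP", "POP3", "SMTP"}


def _event(ip, user, success, protocol):
    return {"ip": ip, "user": user, "success": success, "protocol": protocol}


# Constructed sample sign-in records (not real telemetry).
_SPRAYED = [f"user{i}@example.com" for i in range(1, 9)]
SAMPLE_SIGNINS = (
    # spray node 1: one password tried against eight accounts over Basic auth, one hit
    [_event("203.0.113.10", u, False, "Basic") for u in _SPRAYED]
    + [_event("203.0.113.10", "user3@example.com", True, "Basic")]
    # spray node 2: the same approach against six accounts, no hit
    + [_event("203.0.113.11", u, False, "Basic") for u in _SPRAYED[:6]]
    # a legitimate user mistyping a password twice, then succeeding with modern auth
    + [_event("198.51.100.7", "alice@example.com", False, "Modern")] * 2
    + [_event("198.51.100.7", "alice@example.com", True, "Modern")]
)


def detect_password_spray(events, min_distinct_users=5):
    """Flag source IPs whose failed sign-ins hit many distinct accounts.

    A spray tries a few passwords across many users, so the signal is breadth
    (distinct targets per source), not depth (failures per account) as in a
    brute-force attack. Returns one finding per flagged IP, sorted by IP.
    """
    per_ip = defaultdict(lambda: {"users": set(), "failures": 0,
                                  "successes": 0, "legacy": 0, "total": 0})
    for e in events:
        rec = per_ip[e["ip"]]
        rec["total"] += 1
        if e["protocol"] in LEGACY_PROTOCOLS:
            rec["legacy"] += 1
        if e["success"]:
            rec["successes"] += 1
        else:
            rec["failures"] += 1
            rec["users"].add(e["user"])

    findings = []
    for ip in sorted(per_ip):
        rec = per_ip[ip]
        if len(rec["users"]) >= min_distinct_users:
            findings.append({
                "ip": ip,
                "distinct_users": len(rec["users"]),
                "failures": rec["failures"],
                "successes": rec["successes"],
                # share of this source's traffic that used MFA-less legacy auth
                "legacy_share": rec["legacy"] / rec["total"],
            })
    return findings


def legacy_auth_successes(events):
    """Accounts that signed in successfully over a legacy protocol, i.e. without an
    MFA prompt. Blocking legacy auth for these accounts closes the bypass."""
    return {e["user"] for e in events
            if e["success"] and e["protocol"] in LEGACY_PROTOCOLS}


def likely_compromised(events, min_distinct_users=5):
    """Accounts with a successful sign-in from a source flagged as a spray node."""
    spray_ips = {f["ip"] for f in detect_password_spray(events, min_distinct_users)}
    return {e["user"] for e in events if e["success"] and e["ip"] in spray_ips}


if __name__ == "__main__":
    for f in detect_password_spray(SAMPLE_SIGNINS):
        print(f"spray source {f['ip']}: {f['distinct_users']} accounts targeted, "
              f"{f['successes']} success(es), legacy auth share {f['legacy_share']:.0%}")
    print("legacy-auth successes:", sorted(legacy_auth_successes(SAMPLE_SIGNINS)))
    print("likely compromised:", sorted(likely_compromised(SAMPLE_SIGNINS)))
```

The two spray nodes are flagged because each fails against six or more distinct accounts, while the legitimate user who fails twice against a single account is not. The one successful Basic-auth sign-in from a flagged node is the account to reset first, and it also shows up in the legacy-auth list, which is the set you would use to justify disabling Basic Authentication tenant-wide.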
In a separate incident, the Chinese-backed hacking group Silver Fox has been targeting vulnerable Philips Digital Imaging and Communications in Medicine (DICOM) software. DICOM software, commonly used in healthcare facilities for medical imaging, was exploited by Silver Fox to deploy various malicious payloads, including a backdoor, keylogger, and crypto miner. The attackers likely used SEO poisoning or phishing campaigns to breach systems. Forescout identified 29 distinct malware samples disguised as legitimate Philips DICOM viewers, which were used to deploy the ValleyRAT backdoor. This Remote Access Trojan (RAT), also known as Winos 4.0, grants attackers full control over infected machines, allowing them to steal sensitive data, install additional malicious software, and potentially infiltrate hospital networks.
According to the latest report from Palo Alto Networks' Unit 42, a suspected Chinese threat actor, tracked as CL-STA-0049, has since March 2023 been targeting global organizations, particularly in Southeast Asia and South America, across the government, defense, telecommunications, education, and aviation sectors. The threat actor has been gathering sensitive data, including information on high-ranking officials. The group employs a sophisticated backdoor called Squidoor (also known as FinalDraft), which affects both Windows and Linux systems. The attack strategy includes exploiting vulnerabilities in Internet Information Services (IIS) servers, followed by the deployment of web shells on compromised servers to maintain persistent access and control.
North Korean Lazarus officially linked to $1.5B Bybit heist
The FBI confirmed that North Korea’s Lazarus Group was responsible for a $1.5 billion heist involving the cryptocurrency exchange Bybit. The hackers intercepted a scheduled transfer of funds from Bybit's cold wallet to a hot wallet, redirecting the cryptocurrency to an address they controlled. The attack was traced back to a compromised developer machine within the Safe{Wallet} multisig wallet platform.
Bybit's CEO, Ben Zhou, revealed that the attack started through the injection of malicious JavaScript into Safe{Wallet}'s infrastructure. The code was designed to activate under specific conditions, allowing it to evade detection by typical security measures. Investigations by Sygnia and Verichains concluded that the hack was linked to Lazarus Group, with Verichains identifying that the malicious code was tailored to bypass defenses and was launched from a compromised AWS S3 bucket, which enabled the hackers to reroute Bybit’s assets to their own wallet.
It’s worth noting that the European Union has imposed new sanctions on individuals and entities supporting Russia's war against Ukraine, including Russian companies, nationals, and North Korean official Lee Chang Ho. Lee, a high-ranking North Korean military figure and head of the Reconnaissance General Bureau (RGB), is accused of playing a significant role in cyberattacks and coordinating North Korean forces in Ukraine.
Microsoft exposes developers behind the Storm-2139 group
Microsoft has named the developers behind illicit AI tools used to create celebrity deepfakes and other harmful content. In a legal filing, the company revealed that four foreign and two US developers unlawfully accessed generative AI services, including Microsoft's Azure OpenAI services, and reconfigured them to produce sexually explicit, non-consensual images of celebrities. These tools were then resold.
The developers are part of a global cybercrime group tracked by Microsoft as Storm-2139. The US-based individuals are from Illinois and Florida, though their identities have been withheld due to ongoing investigations. The foreign developers include individuals from Iran, the UK, Hong Kong, and Vietnam. Microsoft is preparing criminal referrals to law enforcement, and the court has issued a restraining order allowing Microsoft to seize a related website. Storm-2139 gained access through exploited customer credentials found in public sources, Microsoft said.
Lotus Blossom espionage group targets multiple industries with Sagerunex backdoor
Cisco Talos uncovered several cyber espionage campaigns targeting sectors such as government, manufacturing, telecommunications, and media. These campaigns delivered the Sagerunex backdoor and other hacking tools for post-compromise activities. Talos attributes these attacks to the Lotus Blossom threat group, which has been active in cyber espionage since at least 2012.
The group has used specific commands to ensure persistence, installing the Sagerunex backdoor in the system registry and configuring it to run as a service on compromised devices. Additionally, Lotus Blossom has developed new variants of Sagerunex that employ both traditional command and control (C2) servers and legitimate third-party cloud services, such as Dropbox, Twitter, and Zimbra, to act as C2 tunnels for their operations.
A new PolarEdge botnet infected 2K+ devices over past two years
A new botnet, named PolarEdge, has been discovered infecting over 2,000 devices across the globe over the past two years. First observed by French security firm Sekoia, the botnet has been active since at least the end of 2023, targeting edge devices such as routers and NAS devices. The botnet’s attack strategy involves the exploitation of the CVE-2023-20118 vulnerability, which affects several Cisco Small Business Routers (RV016, RV042, RV042G, RV082, RV320, RV325). The United States is the most affected country, followed by countries in Asia and South America. The investigation suggests that the PolarEdge botnet is leveraging compromised devices as "Operational Relay Boxes" for potential offensive cyberattacks.
On the same note, Chinese security company QiAnXin (QAX) discovered nearly 90 new samples of the Vo1d Android malware, which has been active in a botnet of about 800,000 unique IPs daily, peaking at nearly 1.6 million on January 14, 2025. The Vo1d botnet primarily facilitates anonymous proxy services and ad/click fraud, with a significant portion of infected devices in Brazil (24%), followed by South Africa (13%) and Indonesia (10%). The malware is believed to spread via supply chain attacks or users installing malicious apps. Researchers also identified connections to another botnet, Bigpanzi, which also targets Android TV devices.
Also, cybersecurity researchers have spotted an updated version of the Android malware, TgToxic (also known as ToxicPanda), designed to steal user credentials, cryptocurrency, and funds from banking and finance apps. Intel 471's analysis revealed that the malware is distributed via dropper APK files, likely through SMS or phishing websites, although the exact delivery method is unclear. Key improvements include enhanced emulator detection and updates to the command-and-control (C2) URL generation. The malware now uses forums like the Atlassian community to create fake profiles with encrypted strings pointing to the true C2 server, replacing the previous use of hard-coded C2 domains.
New Auto-Color Linux backdoor targets universities and gov’t offices in North America and Asia
A previously undocumented Linux backdoor, dubbed ‘Auto-Color’ by Palo Alto Networks' Unit 42 researchers, was discovered in attacks targeting universities and government organizations across North America and Asia. Auto-Color can maintain access over extended periods. It is also highly evasive, making detection challenging for traditional security mechanisms.
A widespread phishing campaign uses fake CAPTCHA images to deliver the Lumma info-stealer
Netskope Threat Labs uncovered a widespread phishing campaign that uses fake CAPTCHA images hosted on Webflow CDN to deceive victims searching for PDF documents online. These malicious PDFs lead to phishing sites that steal personal and credit card information. The campaign spans 260 unique domains and nearly 5,000 phishing PDFs, primarily targeting North America, Asia, and Southern Europe, affecting over 1,150 organizations and 7,000 users. Some PDFs also execute malicious PowerShell commands, distributing Lumma Stealer malware. The technology, financial services, and manufacturing sectors were most affected.
Suspected Desorden hacker behind 90+ data breaches arrested in Thailand
A suspected cybercriminal, believed to be behind the "DESORDEN Group" and "ALTDOS" operations, was arrested in Thailand for leaking stolen data from over 90 organizations worldwide. The arrest was the result of a joint operation by the Royal Thai Police and the Singapore Police Force. The hacker, active since 2020 under aliases such as ALTDOS, DESORDEN, GHOSTR, and 0mid16B, stole and leaked over 13TB of personal data, primarily targeting companies in the Asia-Pacific region but also affecting organizations in Europe and North America.
The cybercriminal focused on blackmail, often contacting the press, emailing victims’ customers, and occasionally encrypting compromised databases. The hacker leveraged SQL injection and Remote Desktop Protocol (RDP) to gain access to networks and deploy malicious tools like CobaltStrike. During the raid, Thai authorities confiscated laptops and luxury goods believed to have been purchased with proceeds from the cybercrimes.
In other news, Aleksei Andriunin, a Russian national and the founder and CEO of the cryptocurrency financial services firm Gotbit, has been extradited from Portugal to the United States to face charges of market manipulation and fraud conspiracy. Andriunin was arrested on October 8, 2024, and arrived in the US on February 25, 2025. In October 2024, a grand jury indicted Andriunin, Gotbit, and two of its directors, Fedor Kedrov and Qawi Jalili, on charges of wire fraud and conspiracy to commit market manipulation. The indictment accuses Gotbit of using market manipulation techniques, including “wash trading,” to artificially inflate cryptocurrency trading volumes. These tactics, allegedly used from 2018 to 2024, helped clients, including US-based companies, gain visibility and listings on prominent platforms like CoinMarketCap and major cryptocurrency exchanges.
Andriunin reportedly developed code for wash trading and marketed the method to clients, facilitating millions of dollars in fraudulent transactions. Gotbit is accused of earning tens of millions of dollars from these activities, with Andriunin allegedly funneling some of the proceeds into his personal Binance account.
If convicted, Andriunin faces up to 20 years in prison for wire fraud and up to five years for conspiracy to manipulate the market, along with substantial fines, restitution, and potential forfeiture of assets.
A recent international law enforcement operation led to the arrest of 24 individuals involved in a criminal network distributing AI-generated child sex abuse images. The operation, one of the first of its kind, was coordinated by Europol and saw authorities from 19 countries, including Australia, Spain, and the UK, participate. The main suspect, a Danish national, ran an online platform where users paid a small fee to access the illicit material. More arrests are anticipated in the coming weeks as the investigation continues.
Australia bans Kaspersky software across government agencies over security risks
Australia has become the latest country to take action against the use of Kaspersky software, issuing a nationwide ban on its installation across government agencies. The directive mandates that all government entities cease the use of Kaspersky Lab products and services. The ban follows a comprehensive threat and risk assessment, which concluded that Kaspersky products posed an unacceptable security risk to Australian government networks and data. According to officials, the decision was based on the potential for foreign interference, espionage, and sabotage.