Cyber Security Week in Review: April 4, 2025

On April 3, 2025, Ivanti warned of a critical security vulnerability, tracked as CVE-2025-22457, in Ivanti Connect Secure (ICS) VPN appliances, specifically affecting versions 22.7R2.5 and earlier. The vulnerability is a buffer overflow that could lead to remote code execution.

Google-owned Mandiant and Ivanti reported active exploitation of this vulnerability in the wild, targeting ICS versions 9.X (end of life) and 22.7R2.5. First signs of exploitation were observed in mid-March 2025. Attacks involved two new malware families: TRAILBLAZE, an in-memory dropper, and BRUSHFIRE, a passive backdoor. Additionally, malware from the SPAWN ecosystem, attributed to the UNC5221 group (a suspected China-based espionage actor), was also observed.

Also this week, the US Cybersecurity and Infrastructure Security Agency (CISA) released a warning about a newly discovered malware variant called RESURGE. It is being used to exploit a recently patched security vulnerability (CVE-2025-0282) in Ivanti Connect Secure (ICS) appliances. RESURGE shares similarities with the SPAWNCHIMERA malware, but with notable differences. It has multiple capabilities, including rootkit, dropper, backdoor, bootkit, proxy, and tunneler functions, and it can survive system reboots.

Apple rolled out a new round of security updates for its desktop and mobile devices, addressing multiple vulnerabilities, including two unpatched zero-day flaws affecting older iPhones. The key update targets a critical WebKit vulnerability (CVE-2025-24201), an out-of-bounds write issue that could allow attackers to execute arbitrary code by exploiting malicious web content. Initially patched in iOS 18.3.2, iPadOS 18.3.2, and Safari 18.3.1 on March 11, this fix now applies to older devices running iOS 16.7.11, iPadOS 16.7.11, iOS 15.8.4, and iPadOS 15.8.4. Apple confirmed that this WebKit flaw had been exploited in targeted attacks, especially on versions prior to iOS 17.2.

Taiwanese network equipment manufacturer DrayTek released a statement regarding recent reports about certain routers unexpectedly disconnecting from the Internet, causing intermittent connection drops. The issue mainly affects older models or devices running outdated firmware versions, the company explained.

The investigation revealed that the routers were targeted by malicious TCP connection attempts from a set of attacker-controlled IP addresses, which could cause a reboot in unpatched devices if SSL VPN or Remote Management was enabled without proper access control. Devices running firmware updates from around 2020 are already patched, and this is the first confirmed case of this exploit in the wild. The problem primarily impacts older models that have not been updated for several years.

A new Microsoft report details phishing campaigns exploiting tax-related themes to steal credentials and deploy malware. The attacks use redirection techniques such as URL shorteners and QR codes in malicious attachments, along with legitimate services like file-hosting platforms and business profiles, to evade detection. The phishing pages are delivered through the RaccoonO365 PhaaS platform, and the malware involved includes remote access trojans (RATs) like Remcos, as well as other threats like Latrodectus, BruteRatel C4 (BRc4), AHKBot, and GuLoader.

CISA and partners have urged organizations, ISPs, and security firms to strengthen defenses against so-called ‘fast flux’ attacks, used by malicious cyber actors to hide the locations of malicious servers by constantly altering Domain Name System (DNS) records. The technique allows attackers to build robust and highly available command and control (C2) infrastructure, which helps to mask ongoing malicious activity.
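As an added example (not part of the original roundup or of CISA's guidance), the following Python profiler runs over constructed passive-DNS records and flags the churn pattern described above: many distinct IPs spread across several /24 networks, short TTLs, and frequent answer changes per hour. The thresholds are assumed starting points for tuning, not published values.

```python
"""Toy fast-flux profiler over constructed passive-DNS records."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: (timestamp, domain, resolved IP, TTL in seconds).
# Documentation ranges (TEST-NET) are used so nothing here is a real host.
SAMPLE_RECORDS = [
    (1000, "c2.example.test", "203.0.113.10", 60),
    (1060, "c2.example.test", "198.51.100.22", 60),
    (1120, "c2.example.test", "192.0.2.77", 60),
    (1180, "c2.example.test", "203.0.113.99", 60),
    (1240, "c2.example.test", "198.51.100.5", 60),
    (1000, "cdn.example.test", "192.0.2.10", 300),      # benign load balancing
    (1300, "cdn.example.test", "192.0.2.11", 300),
    (1000, "static.example.test", "203.0.113.1", 86400),  # stable host
    (2000, "static.example.test", "203.0.113.1", 86400),
]

@dataclass
class FluxStats:
    unique_ips: int
    unique_prefixes: int      # distinct /24 networks seen in answers
    avg_ttl: float
    changes_per_hour: float   # how often consecutive answers differ

def _prefix24(ip):
    return ".".join(ip.split(".")[:3])

def profile(records):
    """Aggregate per-domain churn statistics from (ts, domain, ip, ttl) rows."""
    by_domain = defaultdict(list)
    for ts, dom, ip, ttl in records:
        by_domain[dom].append((ts, ip, ttl))
    out = {}
    for dom, rows in by_domain.items():
        rows.sort()
        ips = {ip for _, ip, _ in rows}
        prefixes = {_prefix24(ip) for ip in ips}
        avg_ttl = sum(ttl for _, _, ttl in rows) / len(rows)
        changes = sum(1 for a, b in zip(rows, rows[1:]) if a[1] != b[1])
        span = max(rows[-1][0] - rows[0][0], 1)  # avoid division by zero
        out[dom] = FluxStats(len(ips), len(prefixes), avg_ttl, changes * 3600 / span)
    return out

def flag_fast_flux(records, min_ips=4, min_prefixes=2, max_ttl=300, min_changes=2.0):
    """Return domains whose answer churn matches the fast-flux pattern (assumed thresholds)."""
    return sorted(d for d, s in profile(records).items()
                  if s.unique_ips >= min_ips and s.unique_prefixes >= min_prefixes
                  and s.avg_ttl <= max_ttl and s.changes_per_hour >= min_changes)
```

The /24 spread matters because a legitimate CDN also rotates answers, but usually within its own address blocks and with longer TTLs.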

The Ukrainian Government's Computer Emergency Response Team (CERT-UA) has issued an alert regarding a series of cyberattacks targeting critical government agencies and infrastructure to collect and steal sensitive information from compromised systems using an information stealer called ‘WRECKSTEEL.’ The malware, written in VBScript and PowerShell, is designed specifically for file exfiltration and espionage purposes.

The Cisco Talos threat intelligence team has reported an ongoing cyber campaign targeting users in Ukraine, active since at least November 2024. The campaign uses malicious LNK files that run a PowerShell downloader, which installs the Remcos backdoor. It is believed to be linked to the Gamaredon threat actor, a Russian cyber espionage group that has been targeting Ukrainian organizations since 2013. The LNK files are disguised as legitimate files with Russian military-related terms to trick victims into opening them, often delivered via phishing emails.

Trend Micro released the second part of its technical deep dive into the activities and infrastructure of a Russia-affiliated state-sponsored threat actor it tracks as Water Gamayun. The group has been observed abusing a zero-day vulnerability in the Microsoft Management Console framework (CVE-2025-26633) to execute malicious code on infected machines.

Another Trend Micro report focuses on the tactics and techniques used by a China-linked cyberespionage outfit known as Earth Alux. The threat actor’s modus operandi involves exploiting vulnerabilities in exposed servers to gain initial access. Once inside, the group deploys web shells such as GODZILLA, which serve to load various backdoors, including Earth Alux’s primary backdoor VARGEIT and the COBEACON malware. VARGEIT is typically used as a secondary backdoor after COBEACON establishes the initial foothold.

A new report from the Google Threat Intelligence Group (GTIG) highlights the growing scope and sophistication of North Korean (DPRK) IT worker schemes. Posing as legitimate remote workers, malicious actors infiltrate organizations to generate revenue for the North Korean regime while engaging in espionage and data theft. The report notes an increase in DPRK IT activities in Europe, alongside the US, which employ new tactics, such as aggressive extortion campaigns and compromises of corporate virtualized infrastructure.

North Korean Lazarus threat actors behind the Contagious Interview campaign have adopted the ClickFix social engineering tactic to target job seekers in the cryptocurrency sector. The campaign delivers a previously unknown Go-based backdoor called ‘GolangGhost’ on Windows and macOS systems. The new phase of this activity, dubbed ClickFake Interview by Sekoia, is considered a continuation of the campaign. Contagious Interview, also referred to as DeceptiveDevelopment, DEV#POPPER, and Famous Chollima, has been active since at least December 2022 but was publicly documented for the first time in late 2023.

Additionally, AhnLab Security Intelligence Center (ASEC) discovered a suspected Lazarus campaign that spreads BeaverTail and Tropidoor malware through fake recruitment emails.

Security researchers have warned of a notable increase in suspicious login scanning activity aimed at Palo Alto Networks’ PAN-OS GlobalProtect gateways, with nearly 24,000 unique IP addresses identified attempting to access the portals.

A multi-layered supply chain attack initially aimed at Coinbase has been traced back to a theft of a personal access token (PAT) linked to SpotBugs, a popular open-source tool for static code analysis. The attackers exploited GitHub Actions in SpotBugs’ workflow, allowing them to move laterally between repositories, eventually gaining access to reviewdog. The malicious activity appears to have started in November 2024, with the attack on Coinbase occurring in March 2025.

An ongoing campaign is exploiting exposed PostgreSQL instances with weak credentials to deploy cryptocurrency miners, cloud security firm Wiz says. The attack, attributed to the threat actor JINX-0126, is a variant of an intrusion set first seen in August 2024 using the PG_MEM malware. Over 1,500 victims are estimated to have been compromised.

A report by the Tech Transparency Project has revealed that millions of Americans are using free VPN apps secretly owned by Chinese companies, including those linked to China’s military. One in five of the top 100 free VPN apps in the US App Store are owned by Chinese entities, with over 70 million downloads. These VPNs, designed to protect privacy, could compromise user security, as Chinese laws require companies to cooperate with state intelligence. Several of the apps are connected to Qihoo 360, a Chinese military-linked company, and many others are traced back to Chinese-owned firms in Hong Kong. None of the 20 Chinese-owned apps disclosed their ownership.

A new threat actor named ‘Coquettte’ has been uncovered using a bulletproof hosting provider (BPH) called Proton66 to deploy malware disguised as legitimate software. Researchers from DomainTools discovered this activity while examining malicious domains hosted on Proton66, a Russian provider known for enabling cybercrime by ignoring abuse complaints. The hacker's operations include malware distribution and the sale of illegal substance and weapon-making guides.

Prodaft researchers spotted a new phishing-as-a-service (PhaaS) platform called Lucid that targets 169 entities across 88 countries. Operated by a Chinese cybercriminal group known as XinXin, Lucid has been active since mid-2023 and is gaining traction due to its ability to send highly convincing phishing messages through iMessage (on iOS devices) and Rich Communication Services (RCS) (on Android devices).

Kidflix, one of the largest dark web platforms for sharing, hosting, and streaming child sexual abuse material (CSAM), was shut down following a coordinated international law enforcement operation. The operation led to 79 arrests, the identification of 1,393 suspects, and the seizure of over 3,000 electronic devices. Active from April 2022, Kidflix gained notoriety for hosting more than 72,000 videos, many of which were previously unknown to authorities. The platform, which had 1.8 million users worldwide at the time of its shutdown, facilitated transactions using cryptocurrency converted into platform-specific tokens for accessing, uploading, and verifying CSAM.

Aubrey Cottle, the alleged Anonymous founder, has been arrested in connection with a high-profile hacking incident targeting the Texas Republican Party and the Texas Right to Life anti-abortion group. Known online as "Kirtaner," Cottle allegedly infiltrated Epik, a hosting company for both organizations, gaining unauthorized access to their systems. This allowed him to deface the Texas Republican Party's website and download a backup containing sensitive personal information. He now faces multiple charges related to the data breach.

Some members of AustralianSuper, Australia's largest pension fund, have lost significant retirement savings in recent cyberattacks that may have exposed the personal data of thousands. The fund confirmed that criminals used stolen passwords from up to 600 members in an attempt to commit fraud. AustralianSuper said that members’ savings were secure, even if their accounts currently displayed a zero balance. A total of A$500,000 was reportedly stolen from four accounts.
