Microsoft has released critical security updates addressing over 130 vulnerabilities in its April 2025 Patch Tuesday, including a zero-day flaw tracked as CVE-2025-29824. The vulnerability, found in the Windows Common Log File System (CLFS) driver, allows local attackers to escalate privileges to SYSTEM level, granting full control of affected systems. The flaw is being actively exploited in targeted attacks linked to the Storm-2460 threat group, known for using the PipeMagic malware in ransomware campaigns. Affected industries include IT and real estate in the US, finance in Venezuela, software in Spain, and retail in Saudi Arabia.
A critical zero-day vulnerability in Gladinet CentreStack’s enterprise file-sharing software has been actively exploited by hackers since March 2025, potentially exposing thousands of businesses to remote code execution attacks. The flaw, tracked as CVE-2025-30406, affects CentreStack versions up to 16.1.10296.56315 and stems from a hardcoded machineKey in the web application’s configuration file. This key secures ASP.NET ViewState data, and if known, allows attackers to forge trusted data payloads. This could let threat actors inject malicious serialized objects and gain remote code execution on vulnerable servers.
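The item above turns on a single configuration detail: a machineKey shipped identically to every installation, rather than generated per deployment, lets anyone who learns it mint ViewState that the server trusts. The following is an added example, not code from the article or from Gladinet, that audits web.config files for that condition from the defender's side. It flags static validationKey/decryptionKey values (as opposed to the ASP.NET `AutoGenerate` setting), flags legacy validation algorithms, and, when given configs from several servers, reports any key value reused across more than one installation, which is the signature of a vendor-default key. The sample configurations, the key strings and the server names are all constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments; the key values are placeholders,
# not keys from any real product.
STATIC_KEY_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

AUTOGEN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

LEGACY_VALIDATION = {"MD5", "SHA1"}


def audit_machine_key(config_xml):
    """Inspect the <machineKey> element of one web.config.

    Returns a dict with:
      present          - whether a <machineKey> element exists
      static_attrs     - key attributes set to a literal value
                         instead of AutoGenerate
      legacy_validation - True if the MAC algorithm is MD5 or SHA1
      validation_key   - the literal validationKey, if static, for
                         cross-server comparison
    """
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        # Absent element means ASP.NET auto-generates keys per machine.
        return {"present": False, "static_attrs": [],
                "legacy_validation": False, "validation_key": None}

    static = [attr for attr in ("validationKey", "decryptionKey")
              if attr in mk.attrib
              and not mk.attrib[attr].startswith("AutoGenerate")]
    algo = mk.attrib.get("validation", "HMACSHA256").upper()
    return {
        "present": True,
        "static_attrs": static,
        "legacy_validation": algo in LEGACY_VALIDATION,
        "validation_key": mk.attrib["validationKey"]
        if "validationKey" in static else None,
    }


def shared_keys(named_configs):
    """Map each static validationKey to the servers that use it,
    keeping only keys seen on more than one server.

    named_configs: {server_name: web_config_xml}
    A key reused across independent installations is the condition to
    escalate: it was almost certainly shipped in a default config.
    """
    by_key = {}
    for name, xml in named_configs.items():
        key = audit_machine_key(xml)["validation_key"]
        if key:
            by_key.setdefault(key, []).append(name)
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}


if __name__ == "__main__":
    fleet = {"srv-a": STATIC_KEY_CONFIG,
             "srv-b": STATIC_KEY_CONFIG,
             "srv-c": AUTOGEN_CONFIG}
    for name, xml in fleet.items():
        print(name, audit_machine_key(xml))
    print("shared keys:", shared_keys(fleet))
```

A static key is legitimate inside a web farm, where every node must validate the same ViewState, so the check reports rather than fails on it; the finding to act on is a static key that matches one on an unrelated deployment, or that came with the product instead of being generated locally.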
Cybersecurity firm Huntress has provided new insights into the post-exploitation activities observed in attacks leveraging the recently disclosed vulnerability in enterprise file transfer solution CrushFTP. The vulnerability, now tracked as CVE-2025-31161, allows attackers to bypass authentication and gain unauthorized access to targeted systems. Huntress observed multiple attacks that targeted four companies, three of which were hosted by the same Managed Service Provider (MSP). The organizations spanned various industries, including marketing, retail, and semiconductor sectors. According to the firm, the attackers were particularly focused on setting up mechanisms for long-term control over the compromised systems.
A recent targeted campaign exploited Server-Side Request Forgery (SSRF) vulnerabilities in websites hosted on AWS EC2 instances to access EC2 Metadata, specifically through the IMDSv1 endpoint. This allowed attackers to retrieve IAM credentials, enabling them to escalate privileges and potentially gain control over AWS services like S3, leading to data exposure and service disruption. The activity, discovered by F5 Labs, occurred between March 13 and 25, 2025, and is believed to be the work of a single threat actor.
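The chain described above (SSRF in a web application, a request to the IMDSv1 endpoint, IAM credentials in the response) leaves a trace in the web server's own access log whenever the target URL is passed as a request parameter. The following is an added example, not from the article or from F5 Labs, that scans combined-format access log lines for parameter values referring to the EC2 instance metadata service, decoding the values so that URL-encoded and double-encoded forms are caught. The log lines, IP addresses and parameter names are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Mar/2025:10:01:12 +0000] "GET /fetch?url=https%3A%2F%2Fexample.com%2Ffeed HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2025:10:01:19 +0000] "GET /fetch?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2Fiam%2Fsecurity-credentials%2F HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Mar/2025:10:02:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.7 - - [14/Mar/2025:10:02:41 +0000] "GET /proxy?target=http%3A%2F%2F%5Bfd00%3Aec2%3A%3A254%5D%2Flatest%2Fmeta-data%2F HTTP/1.1" 500 0 "-" "Mozilla/5.0"
"""

# IMDS reachable addresses and paths: IPv4 and IPv6 link-local endpoints,
# the metadata tree and the IMDSv2 token endpoint.
IMDS_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"169\.254\.169\.254",
    r"fd00:ec2::254",
    r"/latest/meta-data",
    r"/latest/api/token",
)]

# Leading fields of the combined log format; the rest of the line is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def imds_reference(value):
    """True if a (already once-decoded) parameter value names the IMDS.

    Decoding twice more catches values that were double-encoded to slip
    past naive string matching.
    """
    decoded = unquote(unquote(value))
    return any(p.search(decoded) for p in IMDS_PATTERNS)


def flag_imds_requests(log_text):
    """Return one finding per request whose query string points at the IMDS.

    Each finding records the client IP, timestamp, the offending parameter,
    its decoded value and the HTTP status (a 200 means the application
    fetched something and returned it to the client).
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or unrelated line
        query = urlsplit(m.group("target")).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            if imds_reference(value):
                findings.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "param": key,
                    "value": unquote(value),
                    "status": int(m.group("status")),
                })
                break  # one finding per request is enough
    return findings


if __name__ == "__main__":
    for f in flag_imds_requests(SAMPLE_LOG):
        print(f)
```

The detection is a backstop; the control that removes the credential exposure is requiring IMDSv2 on the instances (session tokens obtained with a PUT, which a GET-based SSRF cannot produce), which AWS exposes as the `--http-tokens required` option of `aws ec2 modify-instance-metadata-options`.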
Palo Alto Networks Unit 42 researchers have observed a rise in QR code phishing attacks, or ‘quishing,’ where attackers embed malicious URLs in QR codes within phishing documents. New tactics include using legitimate website redirection to hide phishing destinations and employing Cloudflare Turnstile to bypass security checks and appear more legitimate. Some attacks are tailored to specific victims, indicating pre-attack reconnaissance. The campaigns have spread across the US and Europe, targeting industries such as healthcare, automotive, education, energy, and finance.
SentinelLabs has uncovered a new spam framework called AkiraBot, designed to mass-target website chat systems and contact forms to promote a low-quality SEO service. Since September 2024, AkiraBot is believed to have targeted over 400,000 websites, successfully spamming at least 80,000. What sets AkiraBot apart is its sophisticated, modular design—far more advanced than typical spam tools. It leverages OpenAI to generate tailored outreach messages based on each website's content and employs multiple CAPTCHA bypasses and network evasion techniques to avoid detection.
The ReversingLabs (RL) research team has discovered a malicious npm package named pdf-to-office, which was uploaded on April 1, 2025. Disguised as a tool for converting PDFs to Microsoft Office documents, the package secretly injected malicious code into popular local crypto wallet applications like Atomic Wallet and Exodus. This code altered legitimate files, enabling it to hijack cryptocurrency transfers by replacing the intended recipient's wallet address with one controlled by the attacker.
The Russia-sponsored cyber-espionage group Shuckworm (aka Gamaredon) launched a campaign targeting the military mission of a Western country based in Ukraine. The operation began in February and extended into March, using an infected removable drive as the initial infection vector. Shuckworm employed an updated PowerShell version of its GammaSteel malware, an infostealer designed to extract sensitive data. For exfiltration, the group utilized multiple methods, including the write.as web service and cURL over Tor as a backup channel.
Ukraine’s Cyber Emergency Response Team (CERT-UA) said it has been observing a cyber espionage campaign by UAC-0226, targeting the country’s innovation centers, particularly in the military sector, and key government and law enforcement agencies. The attacks are focused mainly on organizations near Ukraine's eastern border, highlighting a strategic effort to compromise sensitive national security infrastructure.
The Google Threat Intelligence Group (GTIG) has uncovered a sophisticated phishing campaign targeting government and military organizations across Europe. The campaign is attributed to a suspected Russia-based espionage group known as UNC5837. The attackers employed a novel technique using signed Remote Desktop Protocol (RDP) file attachments to establish covert connections to the victims' systems. The attackers used RDP’s features, such as resource redirection and RemoteApps, to establish a more persistent and subtle foothold within compromised systems. This allowed the intruders to map the victim's file systems to their own servers and even present attacker-controlled applications to the user.
Hackers infiltrated the private emails of at least 103 US bank regulators for over a year, accessing sensitive financial information. The breach targeted the Office of the Comptroller of the Currency (OCC) and was discovered in February 2025 after Microsoft flagged suspicious network activity. By compromising an administrator’s account, the attackers were able to monitor around 150,000 emails from May 2023 to early 2025, including messages from senior officials containing critical data about the financial stability of regulated institutions.
Western intelligence agencies released a joint advisory detailing two spyware tools disguised as mobile phone applications, intended to surveil Taiwanese independence activists, Tibetan rights advocates, and civil society groups and individuals whose activities are seen as opposition to China's state interests.
Newly registered domains are being used to distribute the SpyNote Android remote access trojan (RAT). The websites imitate the Google Chrome install page on the Google Play Store to trick users into downloading the malware. SpyNote enables surveillance, data theft, and remote control of infected devices. Some websites featured Chinese-language content and code comments, suggesting links to Chinese-speaking threat actors.
Massachusetts-based manufacturer Sensata Technologies experienced a ransomware attack that disrupted key operations across its global sites. The company reported the incident to the US Securities and Exchange Commission (SEC), stating that it had to take its network offline, affecting shipping, receiving, manufacturing, and other support functions. Law enforcement has been contacted, and while some interim measures are in place, a full recovery timeline remains uncertain.
Researchers from cybersecurity firm Expel have uncovered a new tactic used by Moroccan cybercrime group Atlas Lion, which is targeting large retailers, apparel companies, and restaurants. The group uses stolen credentials to enroll its own virtual machines (VMs) into victims’ cloud environments, allowing them to blend into the organization’s network infrastructure undetected.
EncryptHub (also known as Larva-208 and SkorikARI) is a threat actor believed to be a Ukrainian national involved in cybercrime, according to research by Outpost24. Despite his criminal activities, he has also sought legitimate employment and was recently acknowledged by Microsoft for responsibly disclosing two vulnerabilities. Researchers were able to trace his activities over the years due to poor operational security, though his identity remains undisclosed.
An unnamed actor has leaked a treasure trove of internal data from Media Land, one of the largest bulletproof web hosting providers. The leaked files contain sensitive details about the company’s past customers, the services they contracted, and the kinds of data hosted on its servers. Media Land, a Russia-registered company operating for over a decade, has been known for providing secure hosting solutions that have been used by cybercriminals worldwide. The leaked documents, some as recent as February 2025, provide evidence of the platform's involvement in hosting various illicit operations, including malware command and control servers, ransomware infrastructure, phishing kits, data exfiltration servers, and even systems used for malicious code-signing.
A large-scale phishing campaign, dubbed PoisonSeed, has been compromising corporate email marketing accounts to distribute emails that contain crypto wallet seed phrases used to drain cryptocurrency funds. According to cybersecurity researchers at SilentPush, the campaign targets popular cryptocurrency platforms like Coinbase and Ledger, using compromised accounts at major email marketing services such as Mailchimp, SendGrid, HubSpot, Mailgun, and Zoho. The attackers exploit the legitimate platforms to send phishing emails to unsuspecting users.
A China-based cybercriminal group, known as The Smishing Triad, has been linked to a rise in smishing campaigns that are targeting consumers in the US and UK. The campaigns involve fraudulent text messages impersonating legitimate tolling services, such as FasTrak, E-ZPass, and I-Pass, demanding payment for supposed unpaid tolls or requesting sensitive personal information.
ClearSky’s team uncovered a persistent Yemeni/Houthi influence campaign targeting Israel and Gulf states, originally exposed in 2019. From 2019 to 2022, the campaign focused mainly on Saudi Arabia and the UAE, with renewed activity aimed at Israel starting in late 2024. No evidence suggests Israeli targeting during the earlier period. The campaign spreads content via fake profiles in open Facebook groups to maximize reach and appear native to local audiences. Many of the domains used since 2019 remain active. While there’s no indication of malware or watering hole attacks, the intent behind the campaign is still unclear. Websites used in the campaign feature Hebrew and Arabic content, though the main site lacks credibility and does not convincingly appear Israeli.
Following Operation Endgame, a major botnet takedown in May 2024 that dismantled several major malware droppers, including IcedID, SystemBC, Pikabot, Smokeloader, and Bumblebee, law enforcement across North America and Europe launched a coordinated crackdown. This led to arrests, house searches, and other legal actions targeting users of the Smokeloader botnet, operated by a cybercriminal known as 'Superstar.' Through a pay-per-install service, Superstar sold access to infected machines, which customers used for activities like keylogging, webcam spying, ransomware attacks, cryptomining, and more.
Romanian authorities, with support from French and British counterparts, dismantled a criminal group involved in a major online fraud operation. The group recruited hundreds of money mules to launder at least EUR 3 million, primarily obtained through fake business emails. Preventive measures have been taken against 13 suspects in Romania, and 7 suspects were arrested in the UK.
Noah Urban, a 20-year-old from Palm Coast, Florida, has pleaded guilty to several charges tied to his role in the infamous cybercrime group Scattered Spider. Known online as “Sosa” and “Elijah,” Urban was arrested in January 2024. The group is linked to major ransomware attacks targeting large corporations. In November 2024, authorities unsealed the full list of charges against Urban and four other alleged members of the cybercrime ring.
A pharmacist at the University of Maryland Medical Center (UMMC) is facing a class-action lawsuit over allegations of a prolonged cyber-voyeurism scheme. The lawsuit claims he secretly accessed hundreds of hospital computers to activate webcams and spy on young female doctors and medical residents during private moments, including undressing, breastfeeding, and intimate acts. He is also accused of installing spyware to steal personal passwords and gain control of the victims' home networks.