Cyber Security Week in Review: April 25, 2025

A critical zero-day vulnerability (CVE-2025-31324) has been discovered in SAP NetWeaver, potentially affecting over 10,000 SAP applications. The flaw is a missing authorization check in the Visual Composer Metadata Uploader component: an unauthenticated attacker can upload arbitrary files to the server and then execute them. ReliaQuest uncovered the bug while investigating intrusions on systems that were fully up to date with SAP patches, which is what marks it as a zero-day. In those intrusions the attackers uploaded JSP webshells and used them to take full control of the hosts. ReliaQuest noted that the activity resembles exploitation of an older flaw, CVE-2017-9844, which likewise allowed denial of service and code execution.
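Because the intrusions above were found on patched systems, the practical first step for an SAP team is to hunt for JSP files that should not be in the Java web root. The script below is an added example written for this round-up, not code from ReliaQuest or SAP: it walks a directory, flags any .jsp whose source feeds a request parameter to a process launcher or loads classes from decoded bytes, and separately flags any .jsp modified after a cutoff, since obfuscated shells will not match keyword patterns. The web root, file names and sample JSP contents are constructed here so it runs offline; point `hunt_jsp` at the real instance's servlet_jsp directory in practice.

```python
"""
JSP webshell hunt for a Java web root (added example, not ReliaQuest's or SAP's code).
The indicator patterns, sample files and root path are assumptions for the demo.
"""
import re
import time
from pathlib import Path
from typing import Optional

# Indicators typical of a minimal JSP webshell: a request parameter fed to a
# process launcher, or a class loaded from a decoded byte array. Obfuscated
# shells will not match these, which is why the mtime check exists as well.
INDICATORS = {
    "runtime-exec": re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\("),
    "process-builder": re.compile(r"new\s+ProcessBuilder\s*\("),
    "param-to-exec": re.compile(r"request\.getParameter\s*\(.*?\).*?\.exec\s*\(", re.S),
    "define-class": re.compile(r"defineClass\s*\("),
    "base64-decode": re.compile(r"Base64\.getDecoder\s*\(\s*\)\s*\.decode\s*\("),
}


def scan_jsp_file(path: Path, modified_after: Optional[float] = None) -> list:
    """Return the list of reasons this JSP looks suspicious (empty if none)."""
    reasons = []
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return reasons
    for name, pattern in INDICATORS.items():
        if pattern.search(text):
            reasons.append(name)
    if modified_after is not None and path.stat().st_mtime > modified_after:
        reasons.append("modified-after-cutoff")
    return reasons


def hunt_jsp(root, modified_after: Optional[float] = None) -> list:
    """Walk root and return one dict per suspicious .jsp file, in path order."""
    findings = []
    for path in sorted(Path(root).rglob("*.jsp")):
        reasons = scan_jsp_file(path, modified_after)
        if reasons:
            findings.append({"path": str(path), "reasons": reasons})
    return findings


def write_samples(root) -> Path:
    """Constructed sample web root: one benign page and one minimal webshell."""
    root = Path(root)
    (root / "irj" / "root").mkdir(parents=True, exist_ok=True)
    (root / "irj" / "root" / "status.jsp").write_text(
        '<%@ page language="java" %><html>Server time: <%= new java.util.Date() %></html>\n'
    )
    (root / "irj" / "root" / "helper.jsp").write_text(
        '<%@ page import="java.io.*" %><% String c = request.getParameter("cmd");\n'
        'Process p = Runtime.getRuntime().exec(c);\n'
        'BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));\n'
        'String l; while ((l = r.readLine()) != null) out.println(l); %>\n'
    )
    return root


if __name__ == "__main__":
    import tempfile

    sample_root = write_samples(tempfile.mkdtemp())
    # Anything changed in the last hour is worth a look even without a keyword hit.
    for finding in hunt_jsp(sample_root, modified_after=time.time() - 3600):
        print(finding["path"], ",".join(finding["reasons"]))
```

Run it with a cutoff set to the last known-good deployment time; a file that trips only `modified-after-cutoff` still deserves a manual read, because the real webshells in this campaign were written by the attacker, not by a deployment.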

A zero-day remote code execution vulnerability (CVE-2025-42599) in Active! Mail is being actively exploited in attacks against large organizations in Japan. The flaw is a stack-based buffer overflow that affects every version up to 'BuildInfo: 6.60.05008561' on all supported operating systems; a maliciously crafted request can execute arbitrary code or crash the service. JPCERT/CC has confirmed in-the-wild exploitation and urges all users to update to Active! Mail 6 BuildInfo: 6.60.06008562 immediately.

Cybersecurity researchers have flagged a new malware family called DslogdRAT, deployed after exploitation of a recently patched vulnerability (CVE-2025-0282) in Ivanti Connect Secure (ICS). The flaw, which allowed unauthenticated remote code execution, was used by the China-linked cyber espionage group UNC5337 to deploy the SPAWN malware ecosystem, along with tools such as DRYHOOK and PHASEJAM, in attacks against organizations in Japan around December 2024. Ivanti patched the flaw in January 2025. It is currently unclear whether DslogdRAT and the SPAWN campaign are connected.

Cybersecurity firm Volexity has detected an ongoing campaign by Russia-linked threat actors abusing Microsoft 365's legitimate OAuth 2.0 authentication flows to target individuals and organizations connected to Ukraine and human rights efforts. The campaign, active since early March 2025, pairs convincing social engineering with genuine Microsoft infrastructure: because the victim signs in on real Microsoft pages rather than a cloned login form, URL-reputation and phishing-page detection have nothing to flag, yet the attacker still ends up with a valid token for the victim's account. Two groups, tracked by Volexity as UTA0352 and UTA0355, are believed to be behind the campaigns. The attackers initiate contact through secure messaging platforms such as Signal and WhatsApp, often posing as European government officials or using compromised Ukrainian government accounts. Victims are lured into fake meetings or events under the guise of political discourse related to the Ukraine conflict.

Russian state-backed hackers carried out a sabotage attack on a public facility in the Netherlands last year, marking the first confirmed incident of its kind in the country, the Dutch Military Intelligence and Security Service (MIVD) revealed in its annual report. The MIVD did not specify which facility was targeted but said the hackers infiltrated its digital operating systems. While the attack did not cause any damage, the intelligence agency described it as a significant escalation in cyber threats.

North Korea's Lazarus Group, a cybercrime unit under the Reconnaissance General Bureau, created two US-based businesses, Blocknovas and Softglide, in violation of Treasury sanctions, to infect cryptocurrency developers with malware, according to a recent Silent Push investigation. The companies were set up using fake identities and addresses in New Mexico and New York, with a third linked business, Angeloper Agency, also involved. The FBI seized the Blocknovas domain as part of a law enforcement action. The attackers used AI-generated images and fake job postings to lure victims, distributing malware strains such as BeaverTail, InvisibleFerret, and OtterCookie. They targeted cryptocurrency job applicants through platforms like GitHub and freelance websites.

The North Korean state-sponsored group Kimsuky has been observed leveraging a critical vulnerability in Microsoft Remote Desktop Services to gain unauthorized access to targeted systems. According to a report from the AhnLab Security Intelligence Center (ASEC), the campaign, dubbed 'Larva-24005,' exploits CVE-2019-0708, the critical, pre-authentication flaw commonly referred to as 'BlueKeep' that Microsoft patched in May 2019; the fact that it still yields access six years later says more about unpatched, exposed RDP than about the exploit. In addition to the BlueKeep exploit, Kimsuky is also using phishing emails to deliver payloads that exploit another well-known vulnerability, CVE-2017-11882, a remote code execution flaw in Microsoft Office's Equation Editor.

Trend Micro released a report detailing activities of an advanced persistent threat (APT) group the company tracks as ‘Earth Kurma’, which has been actively targeting government and telecommunications organizations in Southeast Asia since November 2020. The group employs sophisticated malware, including custom rootkits like KRNRAT and MORIYA, to conduct cyberespionage. Its primary objective is data exfiltration, which the threat actor achieves using trusted cloud services such as Dropbox and OneDrive. Earth Kurma utilizes specialized tools like TESDAT and SIMPOBOXSPY to infiltrate networks and remain undetected while stealing sensitive information.

A cyber-espionage campaign linked to the China-based Billbug group (also known as Lotus Blossom, Lotus Panda, or Bronze Elgin) targeted high-profile organizations in Southeast Asia between August 2024 and February 2025. The attackers used new tools, including ChromeKatz to extract credentials and cookies from Chrome, CredentialKatz to harvest stored credentials, and Zrok for internal service exposure. Additionally, the group employed DLL sideloading, dropping a malicious DLL next to legitimate, signed executables from Trend Micro and Bitdefender so that the trusted binary loads the malware itself, which keeps the malicious code under the vendor's process name and signature.

Symantec reported a malware campaign leveraging Cloudflare tunnels to deploy AsyncRAT. The attack begins with a phishing email carrying a malicious Windows library file (.library-ms). Once opened, it downloads a shortcut (LNK) disguised as a PDF, which triggers a chain of Python, .vbs, and .bat scripts. The scripts inject malicious payloads into notepad.exe processes and download the final AsyncRAT payload, stored as a base64-encoded blob inside a .jpg image so that the download looks like a picture. The malware communicates with its command-and-control (C2) server via dynamic DNS domains and Cloudflare tunnels.
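The .jpg trick in the chain above works because a file can open as a valid image while also carrying a long run of printable base64 text that the loader decodes into a PE. The script below is an added example for this round-up, not from Symantec's report: it carves every long base64 run out of a byte blob, decodes it, and flags runs that decode to an MZ header. The image bytes and the fake payload are constructed inline so it runs offline; on a real sample, pass the downloaded .jpg's bytes to `carve_base64_payloads`.

```python
"""
Carve base64-encoded payloads out of an image-shaped file (added example, not
Symantec's code). The sample image, filler and payload are constructed here.
"""
import base64
import re

# A run of at least 64 base64 alphabet characters, optionally padded. Real
# JPEG data rarely contains such long printable runs, so this is a cheap first pass.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def carve_base64_payloads(data: bytes, min_len: int = 64) -> list:
    """Return every decodable base64 run in data with its offset and a PE flag."""
    found = []
    for m in B64_RUN.finditer(data):
        run = m.group(0)
        if len(run) < min_len:
            continue
        # Trim to a multiple of four so stray trailing characters do not break decoding.
        usable = run[: len(run) - (len(run) % 4)]
        try:
            decoded = base64.b64decode(usable, validate=True)
        except ValueError:
            continue
        found.append({
            "offset": m.start(),
            "length": len(run),
            "decoded": decoded,
            "is_pe": decoded[:2] == b"MZ",
        })
    return found


def build_sample_image(payload: bytes) -> bytes:
    """Constructed JPEG-like file: SOI/APP0 header, binary filler, base64 payload, EOI."""
    header = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    filler = bytes(range(256)) * 4  # every byte value in sequence, so no long base64 run
    return header + filler + base64.b64encode(payload) + b"\xff\xd9"


if __name__ == "__main__":
    fake_pe = b"MZ" + b"\x90" * 200 + b"PE\x00\x00"  # constructed stand-in for a PE
    image = build_sample_image(fake_pe)
    for hit in carve_base64_payloads(image):
        print(f"offset={hit['offset']} b64len={hit['length']} pe={hit['is_pe']} "
              f"head={hit['decoded'][:4]!r}")
```

Loaders vary in how they hide the text (reversed strings, a marker before the blob, a custom alphabet), so treat a miss as inconclusive; a hit with `is_pe` set is strong evidence that the "image" is a stage of the chain rather than a picture.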

Another Symantec report details a campaign using a modified version of the popular Android navigation app Alpine Quest, laden with spyware, to target Russian military personnel. The spyware bundled within the app collects sensitive information such as phone numbers, account details, contacts and geolocation. The data is sent to a remote server and to a Telegram bot controlled by the attackers, with the location updated every time the user moves. The attackers seem particularly interested in documents shared through messaging apps such as Telegram and WhatsApp.

The threat actors behind the Darcula phishing-as-a-service (PhaaS) platform have rolled out new updates to their cybercrime toolkit, now incorporating generative artificial intelligence (GenAI) features.

Cyber threat intelligence analysts at Resecurity have warned of a surge in NFC-related fraud, with Chinese-speaking cybercriminal groups at the forefront of exploiting contactless payment technologies globally. The groups, potentially linked to state-sponsored entities, are using advanced tools and "device farms", clusters of Android phones that emulate NFC payment cards, to automate fraudulent transactions. The scheme leverages Host Card Emulation (HCE) on Android, the feature that lets an app answer a terminal's commands as if it were a physical card; loaded with stolen or relayed card data, the phone is tapped at a POS terminal, which processes the payment as a normal contactless transaction.

The Resecurity findings follow a Cleafy Threat Intelligence report on a new and highly sophisticated Android malware campaign dubbed 'SuperCard X', which uses an NFC relay attack to authorize fraudulent transactions at point-of-sale (POS) terminals and automated teller machines (ATMs). In a relay attack the card itself is never copied: one device reads the victim's genuine card and forwards each command and response in real time to a second device that presents the card at the terminal, so the terminal talks to the real card through the attacker's phones.
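To make the HCE and relay mechanics from the two items above concrete, here is a toy model written as an added example for this round-up; it is not code from Resecurity, Cleafy or any real tool. One object plays the genuine card under the attacker's card-side phone, another plays the HCE app on the phone held at the terminal and forwards every APDU over a simulated network, and a minimal terminal runs two SELECT commands and times each round trip. The APDUs, the placeholder AID, the response bodies, the network delay and the timing threshold are all constructed assumptions; the threshold check is loosely modelled on the relay-resistance timing that EMV contactless kernels can perform, not on any specific terminal's values.

```python
"""
Toy NFC relay between a card-side phone and an HCE phone at the terminal
(added example, not code from Resecurity, Cleafy or a real HCE app).
All APDUs, AIDs, responses and timings are constructed for the demo.
"""
import time
from typing import Dict

# SELECT PPSE ("2PAY.SYS.DDF01") is the first command a contactless terminal
# issues; the AID and all response bodies below are placeholders, not real card data.
SELECT_PPSE = bytes.fromhex("00A404000E325041592E5359532E444446303100")
SAMPLE_AID = bytes.fromhex("F00102030405")  # constructed, not an assigned AID
SELECT_AID = bytes([0x00, 0xA4, 0x04, 0x00, len(SAMPLE_AID)]) + SAMPLE_AID + b"\x00"
SW_OK = b"\x90\x00"
SW_FILE_NOT_FOUND = b"\x6a\x82"


class Card:
    """The genuine card sitting under the attacker's card-side phone."""

    def __init__(self, responses: Dict[bytes, bytes]):
        self.responses = responses

    def transceive(self, apdu: bytes) -> bytes:
        return self.responses.get(apdu, SW_FILE_NOT_FOUND)


class RelayHce:
    """HCE app on the phone at the terminal: forwards each APDU to the remote
    card and returns its answer. Network latency is modelled with sleep on
    both legs, so every round trip costs at least two one-way delays."""

    def __init__(self, card: Card, one_way_delay_s: float):
        self.card = card
        self.delay = one_way_delay_s
        self.log = []  # (command hex, response hex) pairs, as a relay would record

    def transceive(self, apdu: bytes) -> bytes:
        time.sleep(self.delay)            # uplink to the card-side phone
        resp = self.card.transceive(apdu)
        time.sleep(self.delay)            # downlink with the card's answer
        self.log.append((apdu.hex(), resp.hex()))
        return resp


class Terminal:
    """Minimal terminal: issues the two SELECTs and measures each round trip.
    A round trip above max_rtt_s is treated as a relay indicator; the
    threshold is an assumption for the demo, not a real kernel's value."""

    def __init__(self, max_rtt_s: float = 0.02):
        self.max_rtt_s = max_rtt_s

    def run(self, device) -> dict:
        rtts = []
        selected = True
        for apdu in (SELECT_PPSE, SELECT_AID):
            t0 = time.perf_counter()
            resp = device.transceive(apdu)
            rtts.append(time.perf_counter() - t0)
            selected = selected and resp.endswith(SW_OK)
        return {
            "selected": selected,
            "max_rtt_s": max(rtts),
            "relay_suspected": max(rtts) > self.max_rtt_s,
        }


def build_card() -> Card:
    """Constructed card that answers both SELECTs with placeholder FCI templates."""
    return Card({
        SELECT_PPSE: b"\x6f\x10" + b"\x84\x0e" + b"2PAY.SYS.DDF01" + SW_OK,
        SELECT_AID: b"\x6f\x08" + b"\x84\x06" + SAMPLE_AID + SW_OK,
    })


if __name__ == "__main__":
    card = build_card()
    print("direct tap :", Terminal().run(card))
    print("relayed tap:", Terminal().run(RelayHce(card, one_way_delay_s=0.05)))
```

The relayed tap still "selects" successfully, which is the whole point of the attack: nothing in the card's answers is wrong, because they are the real card's answers. The only thing the terminal can observe is the added latency, which is why timing-based relay resistance and transaction limits, rather than card authentication, are the controls that bite here.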

Cybersecurity researchers at Cisco Talos have published a threat profile on “ToyMaker,” an initial access broker (IAB) known for compromising high-value targets and selling access to ransomware operators, notably the Cactus group. According to Talos, ToyMaker is behind the custom backdoor dubbed ‘LAGTOY’ (aka HOLERUN).

Researchers from the Secureworks Counter Threat Unit (CTU) observed two ransomware groups—DragonForce and Anubis—introducing new affiliate models designed to attract a broader range of partners and boost profits. DragonForce has rebranded itself as a “cartel” and as part of the shift the group introduced a distributed affiliate branding model that allows partners to create their own ransomware "brands" while using DragonForce’s backend infrastructure. Affiliates can opt to deploy DragonForce’s ransomware or use their own, with access to tools like admin/client panels, encryption utilities, negotiation platforms, and a .onion leak site.

The Anubis group is attracting cybercriminal affiliates with a three-tiered extortion model: Traditional RaaS (Ransomware-as-a-Service) – offers 80% of ransom profits to affiliates using standard file encryption tactics; Data Ransom – focuses on data theft without encryption, giving affiliates 60% of extortion proceeds; Access Monetization – assists in monetizing pre-existing system access, with affiliates receiving a 50% share.

Ukrainian cyber police, in collaboration with international law enforcement, have dismantled a transnational crime group that defrauded Latvian citizens of over 6 million UAH (approximately $144,000) through fake cryptocurrency investment schemes. Since 2022, the group operated fraudulent trading platforms that imitated legitimate crypto exchanges, using aggressive marketing and social engineering from call centers across Ukraine. Victims were often tricked into installing remote access software, enabling the scammers to take control of their devices and steal funds directly from their accounts.

Ukrainian and Czech law enforcement conducted a large-scale operation to dismantle a transnational hacker group. The operation exposed two key organizers and members of the group, who had been using malware to steal personal data, bank account information, and cryptocurrency from EU and US citizens. They sent phishing emails to gain access to victims' computers, then used the stolen data to rob electronic accounts and wallets. The gang also sold their malware on hacker forums, including to groups linked to Russian intelligence. During searches, investigators seized critical evidence such as computers, phones, and crypto wallets. The suspects face serious charges, and the investigation is ongoing to bring all involved to justice.

A former Disney World employee, Michael Scheuer, was sentenced to three years in federal prison for transmitting malicious code to a protected computer, causing damage, and committing aggravated identity theft. He was also ordered to forfeit his computer and pay $687,776.50 in restitution to his victims. Scheuer, who pleaded guilty on January 29, 2025, conducted a series of cyberattacks on his former employer after his termination. His actions included tampering with allergen information on menus, altering wine region details to reference recent mass shootings, and launching denial-of-service attacks to lock employees out of their accounts.
