UNC5837 Rogue RDP campaign targets European government agencies for espionage and data theft
In October 2024, Google researchers observed a new phishing campaign targeting European government and military organisations with signed Remote Desktop Protocol (RDP) email attachments. The campaign’s primary objective appears to be espionage and likely enabled the attackers to read victim drives, steal files, capture clipboard data, and obtain victim environment variables. Unlike typical RDP attacks focused on interactive sessions, this campaign leveraged resource redirection and RemoteApp. The phishing emails claim to be part of a project in conjunction with Amazon, Microsoft, and the Ukrainian State Secure Communications and Information Security Agency. Executing the attachment initiates an RDP connection to the victim’s machine, granting read and write access, while the RemoteApp feature is used to hide the malicious function of an application hosted on the remote server. Though not confirmed, the RDP proxy tool, PyRDP, may also have been used.
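A defender-side triage check for attachments of the kind described above, added here as an example and not taken from Google’s report: it parses an .rdp file and flags the drive redirection, clipboard sharing and RemoteApp settings the campaign relied on. The setting names are the standard .rdp file keys; the sample file is constructed.

```python
"""Flag resource-redirection and RemoteApp settings in a .rdp attachment.

Added example, not code from the UNC5837 write-up. Key names are the standard
.rdp settings (drivestoredirect, redirectclipboard, remoteapplicationmode,
signature); SAMPLE_RDP is a constructed file, not a real campaign artefact."""
from __future__ import annotations

# Constructed sample: a signed .rdp file that maps all local drives and the
# clipboard into the session and launches a RemoteApp instead of a desktop.
SAMPLE_RDP = """\
full address:s:rdp.example.invalid:3389
username:s:victim
drivestoredirect:s:*
redirectclipboard:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||AWS_Secure_Storage
signscope:s:Full Address,Alternate Full Address
signature:s:AQABAAEAAAA-constructed-placeholder-
"""


def parse_rdp(text: str) -> dict[str, str]:
    """Parse 'name:type:value' lines into {lowercase name: value}."""
    settings: dict[str, str] = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)  # value may contain ':' (host:port)
        if len(parts) == 3:
            name, _kind, value = parts
            settings[name.strip().lower()] = value.strip()
    return settings


def assess_rdp(text: str) -> dict:
    """Return target host, whether the file is signed, and risky settings found."""
    s = parse_rdp(text)
    findings: list[str] = []
    drives = s.get("drivestoredirect", "")
    if drives:  # '*' = every local drive exposed read/write to the remote host
        findings.append(f"drive redirection enabled ({drives!r})")
    if s.get("redirectclipboard") == "1":
        findings.append("clipboard redirection enabled")
    if s.get("remoteapplicationmode") == "1":
        findings.append(f"RemoteApp mode, program {s.get('remoteapplicationprogram', '?')!r}")
    return {
        "target": s.get("full address", ""),
        "signed": "signature" in s,  # rdpsign adds 'signature:s:' to signed files
        "findings": findings,
        # Drive redirection alone gives the remote host file access; treat it as the trigger.
        "suspicious": bool(drives) or s.get("remoteapplicationmode") == "1",
    }


if __name__ == "__main__":
    print(assess_rdp(SAMPLE_RDP))
```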
PoisonSeed campaign targets crypto companies and CRM and email providers
Silent Push researchers discovered a connection between the recent targeting of Troy Hunt’s Mailchimp account and the Coinbase cryptocurrency seed phrase poisoning operation. The campaign, dubbed PoisonSeed, involves phishing tactics and supply chain spam operations targeting cryptocurrency companies, as well as customer relationship management (CRM) and bulk email providers. The PoisonSeed actors set up seemingly legitimate phishing pages for CRM and bulk email companies before sending emails to victims. When credentials are successfully phished for an email provider, PoisonSeed automates a bulk download process of the email lists, with the threat actors creating a new API key for persistence if the password was reset. The tactics employed in the campaign overlap with those of Scattered Spider and CryptoChameleon, but may also be the work of a separate threat actor using similar tactics and infrastructure.
Rakuten Securities phishing campaign switches tactics to investment scam
Broadcom researchers warned that an ongoing campaign targeting Rakuten Securities users has switched social engineering tactics to an investment scam. The campaign previously used phishing emails impersonating legitimate security notices from Rakuten Securities but now uses malicious emails claiming to offer free investment guidance through LINE. The emails prey on financial concerns, pressuring users to invest and join a supposed investment community. Users who click on the links in the emails are redirected to a webpage urging them to add a LINE account in exchange for gifts and access to free seminars on growing retirement assets. The website claims to offer advice on using NISA, selecting stocks, and achieving early retirement, and falsely presents Rakuten’s CEO as promoting the scam via LINE.
Sapphire Werewolf targets energy companies with updated version of Amethyst Stealer
BI[.]ZONE researchers observed the threat actor Sapphire Werewolf using an updated version of the open-source malware Amethyst Stealer to target energy companies. The latest version of Amethyst Stealer features advanced checks for virtualised environments and employs Triple DES algorithm for string encryption. In the observed campaign, the malware was delivered via phishing emails and stored in an attachment disguised as an official memo from a human resources representative. The memo contains an executable with a fake PDF icon that delivers Amethyst Stealer, which is protected with .NET Reactor.
The Security and Intelligence Threats to Elections Task Force discovered an information operation targeting Canada’s upcoming federal election. The operation is attributed to the Chinese social media platform WeChat’s most popular news account, ‘Youli-Youmian’, and was intended to influence Canadian-Chinese communities in Canada. The operation specifically attempted to influence perceptions of Prime Minister Mark Carney by amplifying his stance with the United States and targeting his experience and credentials. A spike in suspected coordinated inauthentic behaviour was observed on March 10th, 2025, and March 25th, 2025, with amplified articles about Carney receiving between 85,000 and 130,000 interactions, and an estimated one to three million views.
Ransomware
Emulating the Misleading CatB Ransomware (Security Boulevard – Apr 09 2025)
Ransomware Attacks Hit All-Time High as Payoffs Dwindle (Infosecurity Today – Apr 09 2025)
RansomSnub: RansomHub’s Affiliate Confusion (GuidePoint Security – Apr 08 2025)
Inside Black Basta: Uncovering the Secrets of a Ransomware Powerhouse (SpiderLabs Blog – Apr 08 2025)
HellCat Ransomware Hits 4 Firms using Infostealer-Stolen Jira Credentials (HackRead – Apr 08 2025)
Everest ransomware’s dark web leak site defaced, now offline (Bleeping Computer – Apr 07 2025)
A DLS EMERGEncy! – Record breaking extortion group DLS emergence in 2025 (Cyjax – Apr 04 2025)
Texas State Bar warns of data breach after INC ransomware claims attack (Bleeping Computer – Apr 03 2025)
Financial Services
Hackers Exploit SourceForge to Distribute Miner and ClipBanker Trojan via Fake Microsoft Office Tools (TechNadu – Apr 09 2025)
Tax deadline threat: QuickBooks phishing scam exploits Google Ads (Malwarebytes – Apr 08 2025)
OCC Notifies Congress of Incident Involving Email System (OCC – Apr 08 2025)
DBS vendor ransomware attack potentially exposes 8,200 customer statements (Reuters – Apr 07 2025)
Threat actors leverage tax season to deploy tax-themed phishing campaigns (Microsoft Security Blog – Apr 03 2025)
Geopolitics
BADBAZAAR and MOONSHINE: Spyware targeting Uyghur, Taiwanese and Tibetan groups and civil society actors (National Cyber Security Centre – Apr 08 2025)
UAC-0226 Deploys GIFTEDCROOK Stealer via Malicious Excel Files Targeting Ukraine (The Hacker News – Apr 08 2025)
Russian bots hard at work spreading political unrest on Romania’s internet (Bitdefender – Apr 08 2025)
Hacktivism Unveiled Q1 2025: How Hacktivists Zeroed In on the US (Pascal Geenens, Radware Blog – Apr 04 2025). During the first quarter of 2025, hacktivist activity saw a distinct shift in focus, with the United States emerging as the most targeted country globally. According to collected claims from known hacktivist groups, the U.S. alone accounted for 13.5% of all observed distributed denial-of-service (DDoS) attacks between January 1 and March 31.
CERT-UA Reports Cyberattacks Targeting Ukrainian State Systems with WRECKSTEEL Malware (The Hacker News – Apr 04 2025)
High Priority Vulnerabilities
CVE | Software | Base Score | Temp Score | Related
---|---|---|---|---
CVE-2025-22457 | Neurons for ZTA Gateways | 9.0 | 7.7 | UNC5221 exploits n-day Ivanti Connect Secure flaw to deploy TRAILBLAZE, BRUSHFIRE and SPAWN
CVE-2025-29824 | Windows | 7.8 | 7.5 | Microsoft patches zero-day exploited in ransomware attacks
CVE-2024-53150 | Kernel | 7.1 | 3.4 | Google patches multiple actively exploited zero-day flaws in Android devices
CVE-2025-31161 | CrushFTP | 8.1 | 7.7 | Recently patched CrushFTP flaw exploited to install RMM tools
CVE-2024-11859 | Security for Microsoft SharePoint Server | 7.0 | 7.0 | ToddyCat abuses ESET EPP flaw to load new TCESB tool for stealthy payload execution