I-SOON-linked FishMonger APT behind Operation FishMedley espionage campaign
ESET researchers detailed Operation FishMedley, an espionage campaign attributed to the advanced persistent threat (APT) actor FishMonger. The campaign targeted at least seven government, religious, and non-governmental organisations in Taiwan, Hungary, Turkey, Thailand, France, and the United States in 2022. The initial compromise vectors are unknown, but FishMonger APT appears to have obtained privileged access inside local networks, such as domain administrator credentials. In some observed cases, Impacket was used to deliver malicious implants as well as to move laterally in compromised networks. FishMonger APT is believed to be the operational arm of I-SOON. The group falls under the Winnti Group umbrella and most likely operates from Chengdu, China, where I-SOON’s office was located.
Suspected APT36 campaign targets Indians via fake Indian Post Office website
CYFIRMA researchers discovered a phishing page impersonating the Indian Post Office that is targeting both Windows and Android users. Windows users visiting the site are asked to allow clipboard access and prompted to download a PDF containing ClickFix instructions that lead to the execution of PowerShell. Android users are lured into downloading a malicious app that requests extensive permissions and exfiltrates data via a fake Google Analytics domain. The app changes its icon to a Google Accounts icon to hide its activity and prevent it from being uninstalled. It additionally promotes a casino app that prompts users to add their bank card details to load money into a wallet to continue playing. The campaign has been linked to the Pakistani threat actor APT36 with medium confidence.
Google Ads phishing campaign impersonating Semrush aims to steal Google login credentials
Malwarebytes researchers observed threat actors leveraging Google Ads to push fake Semrush login portals. The campaign seeks to steal Google account login credentials: the Semrush phishing page offers an option to log in via Google, while the option to log in with an email address and password is disabled. Each ad uses a unique domain name that redirects victims to static domains dedicated to the fraudulent Semrush and Google account login pages. The researchers noted that Google Analytics and Google Search Console data is often integrated with tools like Semrush, warning that the theft of login credentials could reveal sensitive information that could be leveraged to impersonate an individual or business.
Fake recruitment schemes target Polish developers to deploy FogDoor backdoor
Cyble researchers identified a fake recruitment campaign leveraging social engineering to deliver a backdoor, dubbed FogDoor, to Polish-speaking developers seeking employment. The backdoor is disguised as a technical coding challenge, called ‘FizzBuzz’, that tricks victims into downloading an ISO file containing a seemingly harmless JavaScript exercise and a malicious LNK shortcut. The campaign has since expanded beyond recruitment-based attacks, with a newly discovered GitHub repository distributing invoice-themed LNK shortcuts. The executable first identifies the victim’s location and proceeds to execute FogDoor only if the user is located in Poland. FogDoor then retrieves instructions embedded within a social media profile for remote code execution and to steal browser cookies, WiFi credentials, and system data.
Operation ForumTroll campaign exploits Google Chrome Zero-day to target Russian institutions
In mid-March 2025, Kaspersky researchers observed a suspected advanced persistent threat group campaign, dubbed Operation ForumTroll, delivering previously unknown malware via the exploitation of a high-severity zero-day flaw, tracked as CVE-2025-2783, in Google Chrome. In all observed cases, infection occurred immediately after the victim clicked on a link in a phishing email, which redirected them to the official website of ‘Primakov Readings.’ The campaign targeted media outlets and educational institutions in Russia, likely with the aim of conducting espionage. The flaw relates to an incorrect handle provided in unspecified circumstances in Mojo on Windows and was exploited by the attackers to bypass Chrome’s sandbox protection. The flaw has since been fixed.
Ransomware
RedCurl Deploys Novel QWCrypt, Moving from Cyber Espionage to Ransomware Attacks – TechNadu – Mar 27 2025
Enemies with benefits: RansomHub and rival gangs share EDRKillShifter tool – Help Net Security – News – Mar 26 2025
The Curious Case of PlayBoy Locker – Cybereason – Blog – Mar 25 2025
Arkana Ransomware Attack on WideOpenWest: What You Need to Know – SOCRadar – Mar 25 2025
RansomHub affiliate uses custom backdoor Betruger – Security Affairs – Mar 21 2025
Fog ransomware publishes victim’s IP-addresses – Kaspersky.com – Mar 21 2025
Albabat Ransomware Group Potentially Expands Targets to Multiple OS, Uses GitHub to Streamline Operations – Trend Micro – Mar 21 2025
VSCode extensions found downloading early-stage ransomware – Bleeping Computer – Mar 20 2025
Shedding light on the ABYSSWORKER driver – Elastic Security Labs – Mar 20 2025
Financial Services
New SparrowDoor Backdoor Variants Found in Attacks on U.S. and Mexican Organizations – The Hacker News – Mar 26 2025
First Pump[.]Fun Malware Identified: A Threat Leading to XWorm malware infection – Lordx64 Blog – Mar 26 2025
Hackers exploit Russian smart homes to mine crypto, launch DDoS attacks – Invezz – Mar 24 2025
Coinbase was primary target of recent GitHub Actions breaches – Bleeping Computer – Mar 21 2025
AI-Generated Zoom Impersonation Attack Exploits Tax Season to Deploy Remote Desktop Tool – Abnormal Security – Mar 21 2025
Geopolitics
Phishing Campaign Targets Defense and Aerospace Firms Linked to Ukraine Conflict – CTI Grapevine – Mar 25 2025
Inside the Secret PR War: Netanyahu’s Aides Behind Pro-Qatar Online Campaign – SLGuardian.org – Mar 24 2025
Russian hackers attacked Belgian government websites – Insight News Media – Mar 24 2025
Austria uncovers Russian disinformation campaign, security service says – Reuters – Mar 24 2025
Weaver Ant, the Web Shell Whisperer: Tracking a Live China-nexus Operation – Sygnia.co – Mar 24 2025
High Priority Vulnerabilities
| CVE ID | Software | Base Score | Temp Score | Related |
|---|---|---|---|---|
| CVE-2021-35587 | Access Manager | 9.8 | 9.4 | Hacker claims breach of Oracle Cloud via exploitation of login endpoint |
| CVE-2019-9874 | XP | 9.8 | 9.8 | Six-year-old flaws in Sitecore CMS and Experience Platform actively exploited |
| CVE-2024-4879 | Now Platform | 9.8 | 9.4 | Renewed targeting of ServiceNow flaws observed |
| CVE-2025-26633 | Windows | 7.0 | 6.7 | CVE-2025-26633: How Water Gamayun Weaponizes MUIPath using MSC EvilTwin |
| CVE-2023-46604 | Enterprise Data Quality | 9.8 | 9.8 | Exposed ActiveMQ instances vulnerable to critical remote code execution flaw |