VanHelsing, a ransomware-as-a-service operation launched in March 2025, has quickly made a name for itself by targeting a broad range of systems, including Windows, Linux, BSD, ARM, and ESXi, with Ransomware[.]live reporting at least eight known victims.
The intrusion, culminating in the deployment of ELPACO-team ransomware, began in late June 2024, and initial access was achieved through a publicly known template injection vulnerability (CVE-2023-22527) that was exploited on an unpatched Confluence server.
Since February 2024, an unidentified threat actor has been creating malicious Chrome browser extensions that disguise themselves as legitimate utilities, such as productivity tools, media analysis assistants, VPNs, and crypto or banking services.
Hazy Hawk is a technically adept threat actor that specializes in hijacking abandoned cloud resources by exploiting misconfigured DNS records, particularly dangling CNAME entries. These entries point to decommissioned services that were never properly removed from DNS configurations.
In a recent supply chain attack, threat actors distributed a trojanized version of RVTools containing the Bumblebee malware loader. This malicious version was promoted through SEO poisoning and typosquatted domains, leading users to download the compromised installer.
Peter Green Chilled, a key supplier for UK supermarkets, has suffered a ransomware attack, significantly disrupting its operations. The attack occurred on May 14, 2025, and was disclosed to customers the following day. Though the company says transport operations are still running, it temporarily paused order processing, and communication has since been cut off through normal contact channels.
A new phishing campaign is exploiting Zoom's widespread use in corporate settings to steal user credentials by sending fake meeting invitations that appear to come from colleagues. These emails are designed to look like legitimate Zoom notifications, featuring familiar branding, professional language, and urgent subject lines such as “Urgent Meeting Request” or “Missed Zoom Call.”
The Nitrogen ransomware strain has rapidly gained notoriety and represents a major and rapidly evolving ransomware landscape. The ransomware has been targeting the financial sector since its emergence in September 2024. This ransomware employs a sophisticated attack chain, initiating with malvertising campaigns on prominent search engines to trick users and distribute trojanized installers disguised as legitimate software.
Tenable Research identified a privilege escalation vulnerability in Google Cloud Platform's Cloud Functions and its associated Cloud Build continuous integration and deployment services. The issue stemmed from the default Cloud Build service account, which was previously assigned excessive permissions during the function deployment process.
Sarcoma Ransomware has rapidly established itself as one of the most aggressive ransomware groups since its emergence in October 2024. Within a short span, the group has executed numerous successful attacks across multiple sectors and countries, including high-profile incidents involving Unimicron and The ToolShed.
Ransomware is getting worse, and more insidious. It is not anymore that hoodie-wearing hacker. It is a full business model with Ransomware as a Service (RaaS), and it is enabling even low-skill attackers to launch high-end cyberattacks. One scary example: hackers are using legitimate tools like Microsoft's Quick Assist to actually deliver ransomware like Black Basta to organizations.
A sophisticated malware campaign targeting the open-source password manager KeePass has been uncovered by WithSecure's Threat Intelligence team. The attackers trojanised a legitimate KeePass installer (KeePass-2.56-Setup.exe), distributing it through malvertising via search ads on platforms like Bing and DuckDuckGo that lured users to download from fake lookalike domains keeppaswrd.com.
The RVTools Bumblebee malware attack on May 13, 2025, highlights the growing threat of software supply chain compromises, where trusted tools are weaponized to distribute malware. In this incident, an employee attempted to install RVTools, a well-known and widely trusted VMware environment reporting utility.
Unit 42 has observed a resurgence in Muddled Libra activity following a period of dormancy in late 2024. Recent investigations link multiple high-profile intrusions to this group, as well as to its broader collective, Scattered Spider.
Skitnet is a highly modular and multi-stage malware strain attributed to the threat actor LARVA-306. It combines multiple programming languages, including Rust, Nim, PowerShell, and .NET, to maintain stealthy and persistent access to targeted systems.
VanHelsing is a rapidly emerging ransomware-as-a-service (RaaS) operation that first appeared in March 2025 and has quickly gained traction within the cybercriminal community due to its broad platform support and advanced capabilities. The operation follows a conventional RaaS model, requiring affiliates to pay a $5,000 deposit to join the program.
A “new” threat group, LeakedData, emerged in mid-December 2024, claiming responsibility for at least 41 attacks. Initial speculation from some researchers regarding LeakData being a watering hole attack lure targeting researchers appears unfounded.
Cybercriminals are increasingly using PowerShell to conduct stealthy, fileless attacks that bypass traditional antivirus and endpoint defenses by executing code directly in memory. A recent campaign analyzed by Qualys Threat Research Unit demonstrates this trend through the deployment of Remcos RAT, a sophisticated remote access trojan known for its persistence and full system control capabilities.
In April 2025, NSFOCUS Fuying Lab's Global Threat Hunting system identified a surge in activity from a new Go-based botnet Trojan dubbed HTTPBot. Initially observed in August 2024, HTTPBot has rapidly expanded its reach, frequently leveraging compromised devices to conduct external attacks, primarily targeting China's gaming sector, but also affecting technology companies, educational institutions, and tourism websites.
In a newly emerging trend, cybercriminals are using AI-generated deepfake voices and text messages to impersonate senior U.S. government officials in phishing attacks. According to a recent FBI advisory, these attacks have been ongoing since April 2025 and aim to trick victims, especially other officials or their contacts, into clicking malicious links or handing over sensitive information.
In the first quarter of 2025, the threat landscape for industrial automation systems showed overall stability, but with some important shifts in regional threat levels and malware tactics.
cyber espionage campaign, dubbed Operation RoundPress, has been attributed with medium confidence to the Russia-linked threat actor APT28 (AKA Fancy Bear). Commencing in 2023, the operation targets webmail servers including Roundcube, Horde, MDaemon, and Zimbra through the exploitation of XSS vulnerabilities.
Recent activity shows that ransomware groups are now exploiting CVE-2025-31324, extending its use beyond the China-linked actors initially associated with the vulnerability. The Russian ransomware group BianLian has been observed using the flaw through reverse proxy infrastructure tied to its known command-and-control servers.
A recent investigation uncovered a sophisticated malware campaign delivered through an npm package named os-info-checker-es6. Initially appearing to be a benign utility for retrieving operating system information, the package concealed a multi-stage attack framework that evolved over time.
Interlock Ransomware, a cybercriminal group that emerged in September 2024, has evolved from opportunistic attacks to targeting high-value entities within the Defense Industrial Base supply chain. Their recent attack on National Defense Corporation and its subsidiary AMTEC, a manufacturer of military-grade ammunition and explosives, marks a strategic shift likely influenced by geopolitical conflicts and possibly state-sponsored motivations.
Specops, a security research community, recently investigated how hackers are trying to break FTP (File Transfer Protocol) servers using brute-force attacks. These are the kinds of attacks in which hackers try a huge number of substitute passwords in rapid succession to see if any of them will succeed.
Microsoft Threat Intelligence identified a campaign by the Türkiye-linked espionage group Marbled Dust exploiting a zero-day vulnerability, CVE-2025-27920, in the Output Messenger chat platform.
In April 2025, EclecticIQ analysts reported with high confidence that Chinese nation-state APTs launched widespread exploitation campaigns targeting SAP NetWeaver Visual Composer by leveraging CVE-2025-31324, a remote code execution vulnerability.
As part of the May Microsoft Patch Tuesday, Microsoft addressed 72 flaws, including 5 zero-days which are actively being exploited in attacks in the wild. Of the 57 flaws, there were 17 Elevation of Privilege Vulnerabilities, 2 Security Feature Bypass Vulnerabilities, 28 Remote Code Execution Vulnerabilities, 15 Information Disclosure Vulnerabilities, 7 Denial of Service Vulnerabilities, and 2 Spoofing Vulnerabilities. 6 flaws were rated critical in severity and can lead to remote code execution or the disclosure of information over a network.
In January 2025, researchers at Unit 42 uncovered ongoing attacks distributing the DarkCloud Stealer malware. These recent attacks exhibit an evolution in tactics, notably incorporating AutoIt to potentially evade traditional detection mechanisms. The observed attack chain typically commences with a phishing email, which may contain either a malicious RAR archive directly or a phishing PDF designed to trick victims into downloading such an archive from a file-sharing service.
Recent weeks have witnessed a surge in hacktivist claims targeting Indian digital infrastructure, with groups boasting of over 100 successful breaches across government, education, and critical sectors in May 2025 amidst heightened geopolitical tensions.
PupkinStealer is a newly identified information-stealing malware that targets Windows systems and is developed in C# using the .NET framework. First detected in April 2025, the malware is distributed primarily through phishing emails, fake software downloads, or malicious links sent via instant messaging platforms.
In February 2025, the North Korean state-sponsored threat actor TA406, also tracked as Opal Sleet and Konni, launched phishing campaigns targeting Ukrainian government entities with the objective of harvesting credentials and delivering malware.
Researchers from South Korean cybersecurity firm Genians have uncovered a new cyber-espionage campaign by North Korean state-sponsored group APT37 (also known as ScarCruft). The hackers targeted South Korean organizations involved in national security by impersonating a North Korea expert and a think tank in phishing emails.
Between 2023 and 2024, the Chinese-speaking threat group Earth Ammit conducted two sophisticated cyberespionage campaigns known as VENOM and TIDRONE. These operations targeted upstream vendors to compromise downstream entities through supply chain attacks.
Global Crossing Airlines Group, or GlobalX, confirmed to the U.S. Securities and Exchange Commission (SEC) that it was targeted in a cyberattack on May 5. The airline, which conducts deportation flights for U.S. Immigration and Customs Enforcement (ICE), reported that hackers breached some of its business systems
A newly updated malware strain called OtterCookie is being actively deployed by North Korea-linked threat actors known as the WaterPlum group (Famous Chollima/PurpleBravo). This malware is a successor to earlier WaterPlum payloads like BeaverTail and InvisibleFerret and was initially identified in December 2024.
Blob URIs (Uniform Resource Identifiers) are browser-generated links used to handle temporary, local data such as images, videos, or HTML content, allowing web applications like YouTube to display content securely without exposing direct file locations. While blob URIs serve legitimate purposes such as limiting access to media files and reducing network load, they have recently been exploited by cybercriminals for credential phishing.
According to researchers at Piccus Security, Lumma Stealer is a rapidly evolving information-stealing malware that has played a significant role in numerous cybercrime campaigns throughout 2024 and 2025. Marketed as a Malware-as-a-Service by a threat actor using the aliases “Shamel” or “Lumma,” the malware is sold through tiered subscriptions, making it accessible to both skilled and inexperienced cybercriminals.
A second wave of cyberattacks has emerged targeting SAP NetWeaver systems, involving opportunistic threat actors who are exploiting webshells planted during an earlier zero-day campaign. These webshells were deployed by initial attackers exploiting CVE-2025-31324, a critical vulnerability in the Visual Composer tool within SAP NetWeaver.
A new report released on May 5th by researchers at Aon's Stroz Friedberg Incident Response Services detailed a novel "Bring Your Own Installer" technique that threat actors can exploit to bypass SentinelOne's EDR solution. This method leverages a vulnerability within the SentinelOne agent's upgrade/downgrade process, creating a temporary time window that provides an unprotected endpoint.
The FBI is warning people that hackers are going after old Wi-Fi routers that aren't getting updates anymore. These outdated routers are easy to break into because they have known problems that haven't been fixed. Once the hackers get in, they install malware that lets them use the routers to hide their real location while doing illegal stuff online.
FreeDrain is a large-scale, sophisticated cryptocurrency phishing campaign that has operated for several years, silently stealing digital assets by exploiting weaknesses in free-tier web infrastructure, search engine optimization, and user trust in legitimate platforms.
Vishing, or voice phishing, is a social engineering attack that manipulates victims into revealing confidential information over the phone, often after being lured in by fake emails, PDFs, or image attachments.
Ransomware affiliates, including those linked to Qilin and Hunters International, have been observed using the legitimate employee monitoring software Kickidler as a stealthy reconnaissance tool after breaching enterprise networks.
On May 7, 2025, the LockBit ransomware operation suffered a major blow when unknown actors defaced its dark web infrastructure, replacing the usual content with a provocative message: “Don't do crime CRIME IS BAD xoxo from Prague.” Accompanying the message was a link to download a file titled “paneldb_dump.zip,” which contained a MySQL database dump from LockBit's affiliate management panel.
A novel malware campaign has been uncovered by Morphisec researchers, leveraging the popularity of artificial intelligence to distribute a new information stealer named Noodlophile Stealer that's often bundled with XWorm to establish deeper control. Cybercriminals are creating deceptive fake AI platforms, advertised on social media platforms like Facebook, to lure unsuspecting users with promises of free AI video and image generation.