
THN Weekly Recap: New Attacks, Old Tricks, Bigger Impact
thehackernews.com
Cyber threats today don't just evolve, they mutate rapidly, testing the resilience of everything from global financial systems to critical infrastructure. As cybersecurity confronts new battlegrounds, ranging from nation-state espionage and ransomware to manipulated AI chatbots, the landscape becomes increasingly complex, prompting vital questions: How secure are our cloud environments? Can our IoT devices be weaponized unnoticed? What happens when cybercriminals leverage traditional mail for digital ransom?

This week's events reveal a sobering reality: state-sponsored groups are infiltrating IT supply chains, new ransomware connections are emerging, and attackers are creatively targeting industries previously untouched. Moreover, global law enforcement actions highlight both progress and persistent challenges in countering cybercrime networks.

Dive into this edition to understand the deeper context behind these developments and stay informed about threats that continue reshaping the cybersecurity world.

Threat of the Week

U.S. Charges 12 Chinese Nationals for Nation-State Hacking
The U.S. Department of Justice (DoJ) announced charges against 12 Chinese nationals for their alleged participation in a wide-ranging scheme designed to steal data and suppress free speech and dissent across the world. The defendants include two officers of the People's Republic of China's (PRC) Ministry of Public Security (MPS), eight employees of the company i-Soon, and two members of APT27. "These malicious cyber actors, acting as freelancers or as employees of i-Soon, conducted computer intrusions at the direction of the PRC's MPS and Ministry of State Security (MSS) and on their own initiative," the DoJ said. "The MPS and MSS paid handsomely for stolen data."

Top News

U.S. Secret Service Dismantles Garantex
A coalition of international law enforcement agencies has seized the online infrastructure associated with the cryptocurrency exchange Garantex for facilitating money laundering by transnational criminal organizations. The exchange is estimated to have processed at least $96 billion in cryptocurrency transactions, with crypto transactions worth more than $60 billion processed since it was sanctioned in 2022. In addition, two individuals, Aleksej Besciokov and Aleksandr Mira Serda, have been charged in connection with operating an unlicensed money-transmitting business.

Silk Typhoon Goes After IT Supply Chains
In what appears to be a shift in tactics, Silk Typhoon, the China-linked threat actor behind the zero-day exploitation of security flaws in Microsoft Exchange servers in January 2021, has begun to target the information technology (IT) supply chain, specifically remote management tools and cloud applications, as a means to obtain initial access to corporate networks. Upon gaining access, the threat actors have been found using stolen keys and credentials to burrow further into the compromised network and exfiltrate data of interest.

Dark Caracal Linked to Use of Poco RAT
The threat actor called Dark Caracal has been linked to a phishing campaign that distributed a remote access trojan called Poco RAT in attacks aimed at Spanish-speaking targets in Latin America in 2024. An analysis of Poco RAT artifacts indicates the intrusions are mainly targeting enterprises in Venezuela, Chile, the Dominican Republic, Colombia, and Ecuador.

Links Between Black Basta and CACTUS Ransomware Examined
Threat actors deploying the Black Basta and CACTUS ransomware families have been found to rely on the same BackConnect (BC) module for maintaining persistent control over compromised systems, a sign that affiliates previously associated with Black Basta may have transitioned to CACTUS. The BackConnect module has source code references to QakBot, indicating likely shared authorship. The component is distributed via sophisticated social engineering tactics to trick targets into installing the Quick Assist remote desktop software.

U.A.E. Entities Targeted by UNK_CraftyCamel
A previously undocumented threat activity cluster dubbed UNK_CraftyCamel has targeted "fewer than five" aviation and satellite communications entities in the United Arab Emirates (U.A.E.) to deliver a previously undocumented Golang backdoor dubbed Sosano. The attacks stand out because they took advantage of a compromised email account belonging to the Indian electronics company INDIC Electronics to send phishing messages. It's suspected that the campaign is the work of an Iranian-aligned hacking group.

Trending CVEs

The software you rely on every day can have hidden risks that hackers actively target. Staying safe means keeping up to date with the latest security patches before vulnerabilities become costly breaches. Here's this week's critical list of software vulnerabilities you should urgently patch or review to protect your systems: CVE-2025-25015 (Elastic Kibana), CVE-2025-22224, CVE-2025-22225, CVE-2025-22226 (VMware), CVE-2024-50302 (Google Android), CVE-2025-0364 (BigAntSoft BigAnt), CVE-2024-48248 (NAKIVO Backup & Replication), CVE-2025-1723 (Zoho ADSelfService Plus), CVE-2025-27423 (Vim), CVE-2025-24494 (Keysight Ixia Vision), CVE-2025-1080 (LibreOffice), CVE-2025-27218 (Sitecore), CVE-2025-20206 (Cisco Secure Client for Windows), CVE-2024-56325 (Apache Pinot), CVE-2025-1316 (Edimax IC-7100), CVE-2025-27622, CVE-2025-27623 (Jenkins), and CVE-2024-41334 through CVE-2024-41340, CVE-2024-51138, CVE-2024-51139 (DrayTek routers).

Around the Cyber World

Apple Reportedly Pushes Back Against Backdoor Access
Apple appears to be pushing back against a secret order issued by the U.K. to give the government access to encrypted iCloud data. According to a report from the Financial Times, the company has filed an appeal with the Investigatory Powers Tribunal, an independent judicial body that examines complaints against the U.K. security services, in hopes of overturning the order. The tribunal is expected to probe whether "the U.K.'s notice to Apple was lawful and, if not, could order it to be quashed." Apple recently stopped offering Advanced Data Protection in the U.K. in response to the secret order.

IoT Devices Targeted by New Eleven11bot Botnet
A new botnet malware dubbed Eleven11bot is estimated to have infected thousands of IoT devices, primarily security cameras and network video recorders (NVRs), to conduct volumetric DDoS attacks. A majority of the infections are in the United States, the United Kingdom, Mexico, Canada, and Australia, per The Shadowserver Foundation. Threat intelligence firm GreyNoise said it has observed 1,042 IP addresses tied to the botnet's operation in the past month, most of which are based in Iran. Eleven11bot is assessed to be a variant of the infamous Mirai malware, which had its source code leaked in 2016. That said, there have been conflicting reports on the number of devices comprising Eleven11bot: Nokia said the botnet is made of roughly 30,000 devices, while the Shadowserver Foundation said the size is well over 86,000. However, GreyNoise estimated the true number was likely fewer than 5,000.

U.S. Treasury Sanctions Iranian National for Running Nemesis Market
The U.S. Treasury Department on Tuesday announced sanctions against an Iranian national named Behrouz Parsarad for running an online darknet marketplace called Nemesis Market that was used for trading drugs and cybercrime services. The online bazaar was shut down in March 2024 as a result of a law enforcement operation conducted by Germany, the U.S., and Lithuania. "As the administrator of the Nemesis darknet marketplace, Parsarad sought to build and continues to try to re-establish a safe haven to facilitate the production, sale, and shipment of illegal narcotics like fentanyl and other synthetic opioids," the Treasury Department said.

Moonstone Sleet Deploys Qilin Ransomware
Microsoft revealed that it observed the North Korean threat actor tracked as Moonstone Sleet deploying Qilin ransomware at a limited number of organizations in late February 2025. "Qilin is a ransomware as a service (RaaS) payload used by multiple threat actors, both state-sponsored and cybercriminal groups," it said. "Moonstone Sleet has previously exclusively deployed their own custom ransomware in their attacks, and this represents the first instance they are deploying ransomware developed by a RaaS operator."

Kaspersky Flags Thousands of Malicious Installations of Banking Trojans
Russian cybersecurity company Kaspersky said it prevented a total of 33.3 million attacks involving malware, adware, or unwanted mobile software in 2024. Adware accounted for 35% of total detections, with 1.13 million malicious and potentially unwanted installation packages detected. Nearly 69,000 of those installations were associated with banking trojans. The company said it also discovered threat actors using novel social engineering tactics to distribute the Mamont banking trojan targeting Android devices in Russia. "The attackers lured users with a variety of discounted products," it said. "The victim had to send a message to place an order. Some time later, the user received a phishing link to download malware disguised as a shipment tracking app."

PrintSteal Campaign Engages in Large-Scale KYC Document Generation Fraud in India
Details have emerged about a large-scale, organized criminal operation that involves the mass production and distribution of fake Indian KYC (Know Your Customer) documents, an activity that has been codenamed PrintSteal by CloudSEK. One such platform, named crrsg.site, is estimated to have fueled the creation of more than 167,391 fake documents since its creation in 2021. There are at least 2,727 registered operators on crrsg.site. "The infrastructure of this operation includes a centralized web platform, access to illicit APIs that provide data like Aadhaar, PAN, and vehicle information, a streamlined payment system, and encrypted communication channels (such as Telegram)," CloudSEK researcher Abhishek Mathew said. "The operation relies heavily on a network of affiliates, primarily local businesses like mobile shops and internet cafes, which serve as points of contact for customers seeking fake documents." Further investigation has revealed that an individual named Manish Kumar is a key figure behind crrsg.site. To date, no fewer than 1,800 domains have been identified as part of this operation, with over 600 domains currently active.

Malicious Use of Cobalt Strike Down 80% Since 2023
In April 2023, Microsoft and the Health Information Sharing and Analysis Center (Health-ISAC) teamed up with Fortra, the company behind Cobalt Strike, to combat the abuse of the post-exploitation toolkit by bad actors to facilitate malicious activities. Since then, the number of unauthorized copies of Cobalt Strike observed in the wild has decreased by 80%, Fortra said. The company said it also seized and sinkholed over 200 malicious domains, effectively severing the connections. "Additionally, the average dwell time, the period between initial detection and takedown, has been reduced to less than one week in the United States and less than two weeks worldwide," it added. In July 2024, a coordinated law enforcement operation codenamed MORPHEUS dismantled 593 servers that were used by cybercriminal groups and were part of an attack infrastructure associated with unlicensed versions of Cobalt Strike.

CrowdStrike Reports $21 Million Loss from July 2024 Outage
Cybersecurity firm CrowdStrike reported another $21 million in costs related to the July 19, 2024, outage in the fourth quarter, bringing the annual total to $60 million. In a related development, security firm SEC Consult detailed a now-patched vulnerability in CrowdStrike Falcon that allowed attackers to pause the sensor. "The vulnerability allowed an attacker with 'NT AUTHORITY\SYSTEM' permissions to suspend the CS Falcon Sensor processes," the Austrian company said. "A subset of malicious applications that are blocked or deleted when the CS Falcon Sensor processes are active could be executed or retained on the disk after the CS Falcon Sensor processes were suspended. This leads to a partial bypass of the CS Falcon Sensor detection mechanisms."

FBI Warns of Fake Ransomware Notes Sent via Snail Mail
The U.S. government is warning that scammers are masquerading as the BianLian (aka Bitter Scorpius) ransomware and data extortion group to target corporate executives by sending extortion letters that threaten to release sensitive information on the e-crime gang's data leak site unless a payment of between $250,000 and $500,000 is received within 10 days of receipt of the letter. The letters are believed to be an attempt to scam organizations into paying a ransom. Cybersecurity firm Arctic Wolf said the letters were being sent to executives primarily within the U.S. healthcare industry, but noted that the physical ransom letters are drastically different in word usage and tone from those of the actual BianLian group. GuidePoint Security and Palo Alto Networks Unit 42 also pointed out that the activity is likely the work of an imposter.

Moscow-Based News Network Poisons AI Chatbot Results
A Moscow-based disinformation network named Pravda is publishing false claims and pro-Kremlin propaganda to deliberately distort responses from artificial intelligence (AI) models that rely on up-to-date information. The network, which uses search engine optimization strategies to boost the visibility of its content, is said to have published 3.6 million misleading articles in 2024 alone. "By flooding search results and web crawlers with pro-Kremlin falsehoods, the network is distorting how large language models process and present news and information," NewsGuard said, adding that "the leading AI chatbots repeated false narratives laundered by the Pravda network 33 percent of the time."

DoJ Charges 2 Venezuelans for ATM Jackpotting Scheme
The U.S. Justice Department said two Venezuelan nationals, David Jose Gomez Cegarra, 24, and Jesus Segundo Hernandez-Gil, 19, were arrested and charged recently over their role in an ATM jackpotting scheme in the U.S. states of New York, Massachusetts, and Illinois in October and November 2024. The charges carry a maximum penalty of ten years in prison. "ATM jackpotting involves removing an ATM's cover and infecting the ATM's hard drive with malware or removing the hard drive and replacing it with an infected hard drive, which allows the operator to assume control of the ATM and cause it to dispense currency," the agency said.

Researchers Flag Flaw in China's Great Firewall
Cybersecurity researchers have detailed a now-fixed buffer over-read vulnerability dubbed Wallbleed in the DNS injection subsystem of the Great Firewall of China that could result in information disclosure, causing certain nation-wide censorship middleboxes to reveal up to 125 bytes of their memory when censoring a crafted DNS query. It was patched in March 2024. "Until March 2024, certain DNS injection devices had a parsing bug that would, under certain conditions, cause them to include up to 125 bytes of their own memory in the forged DNS responses they sent," a group of academics said. The GFW's DNS injection subsystem relies on DNS spoofing and tampering to inject fake DNS responses containing random IP addresses when a request matches a banned keyword or a blocked domain.

Nine Threat Groups Active in OT Operations in 2024
Industrial cybersecurity company Dragos said nine of the 23 threat groups it tracks as targeting industrial organizations were active in 2024. Two of them, Bauxite (aka Cyber Av3ngers) and Graphite (aka APT28), have been identified as new threat groups setting their sights on operational technology (OT) networks. "A striking trend in 2024 was the continued lowering of the barrier to entry for adversaries targeting OT/ICS," Dragos said. "Adversaries that would have once been unaware of or ignored OT/ICS entirely now view it as an effective attack vector to achieve disruption and attention." Furthermore, the number of ransomware attacks targeting OT systems increased by 87% in 2024, and the number of groups going after such targets spiked by 60%. The disclosure comes as CrowdStrike revealed that China-nexus activity increased by 150% across all sectors in 2024, with a "staggering 200-300% surge" in key targeted industries including financial services, media, manufacturing, and industrials/engineering. The security vendor, which is tracking 257 named adversaries and over 140 emerging activity clusters, said adversaries are increasingly targeting cloud-based SaaS applications for data theft, lateral movement, extortion, and third-party targeting. Some of the notable new clusters include Envoy Panda (aka BackdoorDiplomacy), Liminal Panda, Locksmith Panda, Operator Panda (aka Salt Typhoon), Vanguard Panda (aka Volt Typhoon), and Vault Panda (aka Earth Berberoka).

Google Details AMD Zen Vulnerability
Google researchers have disclosed the details of a recently patched AMD processor vulnerability dubbed EntrySign (CVE-2024-56161, CVSS score: 7.2) that could potentially permit an attacker to load malicious CPU microcode under specific conditions. In a nutshell, the vulnerability enables arbitrary microcode patches to be installed on all Zen 1 through Zen 4 CPUs. "Luckily, the security impact was limited by the fact that attackers must first obtain host ring 0 access in order to attempt to install a microcode patch and that these patches do not persist through a power cycle," Google said. "Confidential computing using SEV-SNP, DRTM using SKINIT, and supply chain modification are some of the situations where the threat model permits an attacker to subvert microcode patches."

Expert Webinar

Traditional AppSec is Broken: Watch This to See How ASPM Can Fix It
Traditional AppSec tools often struggle with today's complex software environments, creating security blind spots. Application Security Posture Management (ASPM) promises to bridge these gaps by combining code-level insights and runtime context. But is ASPM the future or a passing trend? Join Amir Kaushansky from Palo Alto Networks to quickly grasp ASPM's real-world benefits, such as proactive risk management and reduced patching workloads. Get actionable insights and evaluate whether adopting ASPM can strengthen your organization's security posture. Secure your spot now to stay ahead of evolving threats.

Cybersecurity Tools

Rayhunter: A free and open-source tool developed by EFF to identify devices used for cellular surveillance, commonly called IMSI catchers. Designed specifically for use with the Orbic RC400L mobile hotspot, Rayhunter helps users detect whether their cellular communications are being monitored. While built mainly for research and testing purposes, rather than high-risk situations, the tool offers a user-friendly web interface, allowing easy monitoring, capture of cellular signals, and basic analysis of potential spying attempts. Although Rayhunter might function on similar Qualcomm-based Linux or Android devices, compatibility is currently only confirmed for this specific Orbic model.

GCPGoat: A Damn Vulnerable GCP Infrastructure. GCPGoat is a purposely vulnerable Google Cloud environment designed to help users safely learn cloud security. It mirrors real-world mistakes in cloud setups, covering OWASP's top web app risks and common misconfigurations. Users can practice penetration testing, audit infrastructure code, improve secure coding, and enhance threat detection directly in their own GCP accounts.

Tip of the Week

Get Defense Against Advanced 'Living off the Land' Threats
Hackers often misuse built-in tools like PowerShell (Windows) or common Linux utilities to quietly break into systems; this is called a "Living off the Land" (LotL) attack. A simple, effective defense is binary allowlisting via checksums, which ensures only verified tools can run.

For Linux users, create a trusted baseline by running this one-time command on a clean system:

    sudo find /usr/bin -type f -exec sha256sum {} \; > /root/trusted.sha256

Then, schedule hourly checks using cron (edit with sudo crontab -e) to verify these binaries:

    0 * * * * sha256sum -c /root/trusted.sha256 2>&1 | grep -v ": OK$" && echo "Checksum mismatch detected!" | mail -s "Security Alert" you@example.com

For Windows users, install the free, user-friendly security tool Wazuh and enable its File Integrity Monitoring feature.
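The Linux part of the tip above, carried one step further as an added example (this script is not from The Hacker News or from any tool vendor): it wraps the baseline and hourly-check commands into shell functions and adds the check the cron one-liner lacks, namely spotting files that were added to the directory after the baseline was taken, which sha256sum -c cannot see because it only walks the list it is given. The directory, file names and file contents in demo() are constructed throwaway data, and the function names build_baseline, count_problems, report_problems and find_unlisted are this example's own.

```shell
#!/bin/sh
# Added example, not code from The Hacker News or any vendor: checksum-based
# binary allowlisting as shell functions. The paths and file contents used in
# demo() are constructed test data; on a real host you would point
# build_baseline at /usr/bin and keep the baseline file where an intruder
# cannot rewrite it.

# build_baseline DIR BASELINE: record the SHA-256 of every regular file under
# DIR, sorted by path, in the "hash  path" format that sha256sum -c expects.
build_baseline() {
    find "$1" -type f -exec sha256sum {} \; | sort -k 2 > "$2"
}

# count_problems BASELINE: print the number of listed files that are modified
# or missing. sha256sum -c marks both with "FAILED" (GNU coreutils prints
# "FAILED open or read" for a missing file), so one grep covers both cases.
count_problems() {
    sha256sum -c "$1" 2>&1 | grep -c 'FAILED' || true
}

# report_problems BASELINE: print every non-OK line, as the cron one-liner does,
# so an alert mail names the affected files.
report_problems() {
    sha256sum -c "$1" 2>&1 | grep -v ': OK$' || true
}

# find_unlisted DIR BASELINE: print regular files under DIR that have no entry
# in BASELINE. This catches a newly dropped binary that sha256sum -c never
# looks at. The path starts at column 67 of a sha256sum line (64 hex
# characters plus two spaces).
find_unlisted() {
    find "$1" -type f | sort > "$2.current"
    cut -c 67- "$2" | sort > "$2.listed"
    comm -23 "$2.current" "$2.listed"
    rm -f "$2.current" "$2.listed"
}

# demo: constructed scenario with throwaway files standing in for binaries.
demo() {
    d=$(mktemp -d)
    b="$d.sha256"                          # baseline kept outside the scanned dir
    printf 'tool one\n' > "$d/tool-a"
    printf 'tool two\n' > "$d/tool-b"
    build_baseline "$d" "$b"
    printf 'replaced\n' > "$d/tool-a"      # modified in place
    rm -f "$d/tool-b"                      # removed
    printf 'dropped\n' > "$d/tool-c"       # new, never baselined
    echo "problems found: $(count_problems "$b")"   # prints 2
    report_problems "$b"
    echo "files not in baseline:"
    find_unlisted "$d" "$b"                # prints .../tool-c
    rm -rf "$d" "$b"
}

demo
```

To use it on a real host, run build_baseline against /usr/bin on a clean system and call report_problems and find_unlisted from cron in place of the one-liner. Store the baseline on read-only or off-box media: an attacker who already has root can otherwise regenerate trusted.sha256 to match the tampered binaries, and the check will report nothing. Legitimate package updates also change these hashes, so regenerate the baseline after patching rather than treating every mismatch as an intrusion.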
Wazuh automatically alerts you if critical binaries, like those in C:\Windows\System32, are unexpectedly changed or replaced. This quick, practical approach stops attackers from sneaking through unnoticed, greatly strengthening your overall security posture.

Conclusion

Cybersecurity isn't just about technology; it's about understanding patterns, staying alert, and connecting the dots. As you finish this newsletter, ask yourself: which dot might become tomorrow's headline, and are you ready for it? Stay informed, stay curious, and keep connecting.