Cyber OSINT Overview, May 19 - May 25, 2025
This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.
Most Discussed Topics
- Numerous critical vulnerabilities in widely used enterprise software, Industrial Control Systems (ICS), and web browsers were a primary focus, with advisories detailing flaws in products from Ivanti, SAP, Rockwell Automation, Schneider Electric, and Google Chrome. Many of these vulnerabilities, some with CVSS scores of 10.0, were reported as actively exploited, particularly by nation-state actors targeting critical infrastructure and government entities, leading to potential remote code execution, data exposure, and system compromise. This highlights the ongoing challenge of securing complex software supply chains and legacy systems.
- gov cisa.gov: CISA Adds Six Known Exploited Vulnerabilities to Catalog
- gov cisa.gov: Lantronix Device Installer
- gov cisa.gov: Rockwell Automation FactoryTalk Historian ThingWorx
- vendor blog.eclecticiq.com: China-Nexus Threat Actor Actively Exploiting Ivanti Endpoint Manager Mobile (CVE-2025-4428) Vulnerability
- vendor unit42.paloaltonetworks.com: Threat Brief: CVE-2025-31324 (Updated May 23)
- vendor malwarebytes.com: Update your Chrome to fix serious actively exploited vulnerability
- The role of Artificial Intelligence in cybersecurity was heavily featured, with discussions on both its potential for misuse and its application in defense. Multiple agencies released guidelines for securing AI data and systems, such as the CISA-led international best practices guide and NIST’s work on AI CSF/RMF profiles. Concurrently, reports highlighted emerging threats like AI-generated voice clones for vishing, AI-crafted malware, and the exploitation of AI platforms for malicious content distribution, while also noting AI’s use in discovering zero-day vulnerabilities.
- gov cisa.gov: New Best Practices Guide for Securing AI Data Released
- gov nist.gov: Cybersecurity and AI: Integrating and Building on Existing NIST Guidelines
- news thecyberexpress.com: AI Finds What Humans Missed: OpenAI’s o3 Spots Linux Zero-Day
- vendor research.checkpoint.com: The Sting of Fake Kling: Facebook Malvertising Lures Victims to Fake AI Generation Website
- vendor malwarebytes.com: Scammers are using AI to impersonate senior officials, warns FBI
- Significant international law enforcement operations marked major victories against cybercrime infrastructure. Operations like “Endgame” and the disruption of the Lumma Stealer (LummaC2) network involved collaboration between agencies such as Europol, the FBI, and private sector partners. These actions resulted in numerous arrests, indictments of key figures behind malware like Qakbot and DanaBot, and the takedown of hundreds of servers and domains used for ransomware deployment, info-stealing, and other malicious activities, along with seizure of substantial cryptocurrency assets.
- gov cisa.gov: Threat Actors Target U.S. Critical Infrastructure with LummaC2 Malware
- news cyberscoop.com: Lumma Stealer toppled by globally coordinated takedown
- news hackread.com: Operation RapTor: 270 Arrested in Global Crackdown on Dark Web Vendors
- news therecord.media: Ransomware hackers charged, infrastructure dismantled in international law enforcement operation
- news bleepingcomputer.com: Police takes down 300 servers in ransomware supply-chain crackdown
- Nation-state sponsored cyber activities, particularly from Russian and Chinese actors, continue to pose significant threats. Russian GRU (APT28) was reported targeting Western logistics and technology companies involved in aid to Ukraine, utilizing various TTPs including IP camera exploitation. Chinese APT groups (UNC5221, CL-STA-0048, TA-ShadowCricket, Kimsuky-related Larva-25004) were implicated in exploiting zero-days and other vulnerabilities in SAP, Trimble Cityworks, and Ivanti products to compromise critical infrastructure, government entities, and defense sector targets globally.
- gov cisa.gov: Russian GRU Cyber Actors Targeting Western Logistics Entities and Tech Companies
- news bleepingcomputer.com: Chinese hackers breach US local governments using Cityworks zero-day
- vendor asec.ahnlab.com: Joint Analysis by AhnLab and NCSC on TA-ShadowCricket: Emerging Malware Trends and IRC Server Tracking
- vendor blog.eclecticiq.com: China-Nexus Threat Actor Actively Exploiting Ivanti Endpoint Manager Mobile (CVE-2025-4428) Vulnerability
- vendor research.checkpoint.com: 19th May – Threat Intelligence Report
Critical Vulnerabilities
- Multiple Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities, including CVE-2025-4427 (Authentication Bypass) and CVE-2025-4428 (Code Injection), are being actively exploited. China-nexus threat actors are leveraging these flaws, which affect EPMM version 12.5.0.0 and earlier, to achieve unauthenticated remote code execution on exposed systems, targeting government agencies and other high-profile organizations worldwide. CISA has added these vulnerabilities to its KEV catalog, mandating urgent patching.
- gov cisa.gov: CISA Adds Six Known Exploited Vulnerabilities to Catalog
- news gbhackers.com: Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability
- news bleepingcomputer.com: Ivanti EPMM flaw exploited by Chinese hackers to breach govt agencies
- vendor blog.eclecticiq.com: China-Nexus Threat Actor Actively Exploiting Ivanti Endpoint Manager Mobile (CVE-2025-4428) Vulnerability
- A critical remote code execution vulnerability (CVE-2025-31324, CVSS 10.0) in SAP NetWeaver’s Visual Composer Framework (version 7.50) is being actively exploited. The flaw allows unauthenticated attackers to upload arbitrary files via the /developmentserver/metadatauploader endpoint, leading to RCE and full system compromise. Chinese APT groups have been observed using this vulnerability to deploy web shells like helper.jsp and cache.jsp, and malware such as KrustyLoader, targeting critical infrastructure.
- news medium.com: RST TI Report Digest: 19 May 2025
- vendor research.checkpoint.com: 19th May – Threat Intelligence Report
- vendor unit42.paloaltonetworks.com: Threat Brief: CVE-2025-31324 (Updated May 23)
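The SAP NetWeaver item above names an upload endpoint (/developmentserver/metadatauploader) and two web-shell filenames (helper.jsp, cache.jsp). Below is an added example of how a defender might sweep web-server access logs for that pattern; it is not code from SAP, Unit 42 or any other cited source. The log lines are constructed in a combined-log style, the web-shell paths are hypothetical, and the scoring (high when the same client both posted to the endpoint and later requested a known shell name) is a simple heuristic, not a published detection rule.

```python
"""Sweep access logs for activity matching the CVE-2025-31324 pattern named in
the brief: POSTs to the Visual Composer metadatauploader endpoint and requests
for the helper.jsp / cache.jsp web shells.

Added example for this brief; not code from any cited source. Log lines are
constructed (combined-log style), and the web-shell paths are hypothetical.
"""
import re
from collections import defaultdict

# Endpoint and web-shell filenames as named in the brief.
UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"
WEBSHELL_NAMES = ("helper.jsp", "cache.jsp")

# Constructed sample log (combined-log style, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.10 - - [20/May/2025:10:01:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
203.0.113.10 - - [20/May/2025:10:01:09 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 88
198.51.100.7 - - [20/May/2025:10:05:00 +0000] "GET /irj/portal HTTP/1.1" 200 10444
203.0.113.22 - - [20/May/2025:11:30:15 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 1024
203.0.113.22 - - [20/May/2025:11:31:15 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines):
    """Count, per client IP, POSTs to the upload endpoint and hits on web-shell names."""
    findings = defaultdict(lambda: {"uploads": 0, "webshell_hits": 0, "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]          # drop the query string
        basename = path.rsplit("/", 1)[-1].lower()
        if rec["method"] == "POST" and path.lower().startswith(UPLOAD_ENDPOINT):
            findings[rec["ip"]]["uploads"] += 1
            findings[rec["ip"]]["paths"].add(path)
        elif basename in WEBSHELL_NAMES:
            findings[rec["ip"]]["webshell_hits"] += 1
            findings[rec["ip"]]["paths"].add(path)
    return dict(findings)


def classify(findings):
    """Heuristic severity per IP: both behaviours -> 'high', one of them -> 'medium'."""
    verdicts = {}
    for ip, f in findings.items():
        if f["uploads"] and f["webshell_hits"]:
            verdicts[ip] = "high"
        elif f["uploads"] or f["webshell_hits"]:
            verdicts[ip] = "medium"
    return verdicts


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG.splitlines())
    for ip, verdict in sorted(classify(results).items()):
        f = results[ip]
        print(f"{ip}: {verdict} (uploads={f['uploads']}, webshell_hits={f['webshell_hits']}, "
              f"paths={sorted(f['paths'])})")
```

Run it against a real access log by replacing `SAMPLE_LOG.splitlines()` with the file's lines; a "medium" hit on the upload endpoint alone still warrants looking at what was written to the application's file system, since the shell name can be anything.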
- Google Chrome versions prior to 136.0.7103.113/.114 (Windows/Mac) and 136.0.7103.113 (Linux) are affected by an actively exploited vulnerability (CVE-2025-4664) in the Chrome Loader component. This flaw allows attackers to improperly influence referrer policies via Link headers, potentially leading to the theft of sensitive cross-origin information such as OAuth tokens or session identifiers if users visit malicious sites. CISA has added this to the KEV catalog, and users are urged to update their browsers immediately.
- news hackread.com: Chrome 0-Day CVE-2025-4664 Exposes Windows, Linux Browser Activity
- vendor malwarebytes.com: Update your Chrome to fix serious actively exploited vulnerability
- AutomationDirect MB-Gateway devices (all versions) are critically vulnerable (CVE-2025-36535, CVSS 10.0) due to a missing authentication for critical function (CWE-306) in the embedded webserver. This allows unrestricted remote access, potentially leading to configuration changes, operational disruption, or arbitrary code execution. Due to hardware limitations, AutomationDirect recommends replacing the MB-Gateway with EKI-1221-CE and implementing interim network security measures.
- gov cisa.gov: AutomationDirect MB-Gateway
- Schneider Electric’s Galaxy VS, VL, and VXL Uninterruptible Power Supply (UPS) systems are affected by a critical vulnerability (CVE-2025-32433, CVSS 10.0) in the underlying Erlang/OTP software. This flaw, a missing authentication for critical function (CWE-306) in the SSH server component, could allow unauthenticated remote code execution. Schneider Electric is developing a remediation plan and advises users to disable SSH/SFTP/SCP services or firewall port 22/TCP.
- gov cisa.gov: Schneider Electric Galaxy VS, Galaxy VL, Galaxy VXL
- A critical authentication bypass vulnerability (CVE-2024-4631) in Trimble Cityworks was exploited as a zero-day by Chinese-speaking hackers (UNC5221, CL-STA-0048) to breach multiple U.S. local government bodies. Attackers deployed webshells and the KrustyLoader malware post-exploitation. Organizations using Trimble Cityworks should ensure they have applied relevant patches and investigate for signs of compromise.
- news bleepingcomputer.com: Chinese hackers breach US local governments using Cityworks zero-day
- CISA has added several other actively exploited vulnerabilities to its KEV catalog, requiring federal agencies to remediate them. These include CVE-2025-4632 (Samsung MagicINFO 9 Server Path Traversal), CVE-2024-11182 (MDaemon Email Server XSS), CVE-2025-27920 (Srimax Output Messenger Directory Traversal), CVE-2024-27443 (Synacor Zimbra Collaboration Suite XSS), and CVE-2023-38950 (ZKTeco BioTime Path Traversal). All organizations are strongly urged to prioritize patching these vulnerabilities.
- gov cisa.gov: CISA Adds Six Known Exploited Vulnerabilities to Catalog
- gov cisa.gov: CISA Adds One Known Exploited Vulnerability to Catalog
- news hackread.com: Zimbra CVE-2024-27443 XSS Flaw Hits 129K Servers, Sednit Suspected
Major Incidents
- Commvault disclosed that nation-state actors targeted its Microsoft Azure-hosted applications, potentially accessing client secrets for its Metallic M365 backup SaaS solution. This could grant unauthorized access to customers’ M365 environments. CISA believes this activity might be part of a broader campaign against SaaS companies with default configurations and elevated permissions, and added a related Commvault vulnerability (CVE-2025-3928) to its KEV catalog. Commvault and CISA have provided mitigation guidance.
- gov cisa.gov: Advisory Update on Cyber Threat Activity Targeting Commvault’s SaaS Cloud Application (Metallic)
- news thecyberexpress.com: Commvault Nation-State Campaign Could Be Part of Broader SaaS Threat: CISA
- news therecord.media: Commvault clients should beware of campaign targeting cloud applications, CISA says
- The Cetus Protocol, a decentralized finance (DeFi) exchange on the Sui blockchain, suffered a major exploit resulting in the theft of approximately $223 million in cryptocurrency. While the platform managed to “pause” $162 million of the compromised funds, a significant portion was moved by the attacker. The exploit was attributed to a vulnerability in a package used by the protocol, which has since been patched. Cetus is working with security firms and law enforcement and has offered a white-hat settlement and bounty.
- news thecyberexpress.com: $223M Exploit Halts Cetus Protocol: Here’s What We Know So Far
- news therecord.media: Decentralized crypto platform Cetus hit with $223 million hack
- news bleepingcomputer.com: Hacker steals $223 million in Cetus Protocol cryptocurrency heist
- Chinese-speaking hackers, identified as UNC5221 and CL-STA-0048, exploited a zero-day authentication bypass vulnerability (CVE-2024-4631) in Trimble Cityworks asset management software. This breach impacted multiple U.S. local government bodies, where attackers deployed webshells and the KrustyLoader malware for persistent access and potential data exfiltration. The vulnerability has since been patched by Trimble.
- news medium.com: RST TI Report Digest: 19 May 2025
- news bleepingcomputer.com: Chinese hackers breach US local governments using Cityworks zero-day
- South Korean telecommunications giant SK Telecom disclosed a long-term data breach lasting nearly two years, since June 2022. The incident, attributed to the BPFdoor malware often linked to Chinese actors, resulted in the leakage of approximately 26.69 million International Mobile Subscriber Identity (IMSI) units and 9.82 gigabytes of USIM data. SK Telecom has implemented enhanced security measures, including a nationwide SIM replacement program.
- news hackread.com: SK Telecom Uncovers Two-Year Malware Attack, Leaking 26M IMSI Records
- An unprotected, unencrypted database containing 184 million unique login credentials, including usernames and plaintext passwords for major platforms like Microsoft, Facebook, and Google, was discovered publicly accessible. The 47GB dataset, likely harvested by infostealer malware, also included credentials for financial institutions and government portals across 29 countries. The hosting provider restricted access upon notification, but the data owner remains unidentified.
- news cybersecuritynews.com: 184 Million Users’ Passwords Exposed From an Open Directory Controlled by Hackers
- news gbhackers.com: Hackers Expose 184 Million User Passwords via Open Directory
- news zdnet.com: Massive data breach exposes 184 million passwords for Google, Microsoft, Facebook, and more
- The FBI issued a warning about the Silent Ransom Group (SRG), also known as Luna Moth or UNC3753, targeting U.S. law firms for the past two years. The group uses callback phishing and social engineering, impersonating IT support to gain remote access via RMM tools. Once inside, they exfiltrate data using tools like WinSCP or Rclone and then extort victims, threatening to leak sensitive information if ransoms (ranging from $1-8 million) are not paid.
- news bleepingcomputer.com: FBI warns of Luna Moth extortion attacks targeting law firms
- news darkreading.com: 3am Ransomware Adopts Email Bombing, Vishing Combo Attack
- Multiple high-profile organizations reported cyberattacks or data breaches. These include fashion giant Dior (customer PII leak), cryptocurrency exchange Coinbase (1M customer PII exposed, $20M ransom demand), U.S. steel producer Nucor Corporation (production disruption), Alabama state government (communications disruption, employee credential compromise), and Global Crossing Airlines (flight records stolen by alleged hacktivists). Additionally, Russian private hospital Lecardo Clinic was hit by pro-Ukraine hacktivists (4B1D), leading to a shutdown and patient data theft, and the Australian Human Rights Commission (AHRC) had private documents exposed on search engines.
- news darkreading.com: Coinbase Breach Compromises Nearly 70K Customers' Information
- vendor research.checkpoint.com: 19th May – Threat Intelligence Report
Emerging Threats
- Russian GRU military unit 26165 (APT28/Fancy Bear) is conducting a cyber espionage campaign targeting Western logistics entities and technology companies, particularly those involved in aid to Ukraine. Tactics include credential guessing, spearphishing, exploitation of Microsoft Exchange vulnerabilities (e.g., CVE-2023-23397), and compromising internet-connected IP cameras to track aid deliveries. This campaign, active since at least early 2022, uses known TTPs and malware like HeadLace and Masepie.
- gov cisa.gov: Russian GRU Cyber Actors Targeting Western Logistics Entities and Tech Companies
- gov cisa.gov: Russian GRU Targeting Western Logistics Entities and Technology Companies
- news cyberscoop.com: Multi-national warning issued over Russia’s targeting of logistics, tech firms
- personal ctoatncsc.substack.com: CTO at NCSC Summary: week ending May 25th
- The LummaC2 (Storm-2477) infostealer malware is being actively deployed against U.S. critical infrastructure sectors to exfiltrate sensitive data, including PII, financial credentials, cryptocurrency wallets, and MFA details. Attackers use spearphishing, fake CAPTCHA prompts, and malware embedded in spoofed software for delivery, employing obfuscation to bypass EDR and antivirus solutions. Despite recent infrastructure disruptions, CISA and the FBI urge continued vigilance.
- Chinese-nexus threat actor groups are displaying sophisticated capabilities and persistence. TA-ShadowCricket (formerly Shadow Force) has been active since 2012 in the Asia-Pacific region, targeting Windows servers with IRC bots. Larva-25004 (Kimsuky-related) was observed using malware signed with a Nexaweb Inc. certificate in attacks likely targeting defense sector job seekers. These groups often exploit exposed remote access services and SQL servers.
- Malware campaigns are increasingly leveraging social media platforms and legitimate services for distribution and C2. A campaign impersonating Kling AI used Facebook ads to lure victims to a fake website delivering infostealers disguised with double extensions and Hangul Filler characters. Another campaign utilized TikTok videos with AI-generated voices, instructing users to run PowerShell commands that install Vidar or StealC infostealers via ClickFix attack methods.
- news bleepingcomputer.com: TikTok videos now push infostealer malware in ClickFix attacks
- vendor research.checkpoint.com: The Sting of Fake Kling: Facebook Malvertising Lures Victims to Fake AI Generation Website
- Threat actors are deploying novel malware that uses uncommon C2 communication channels and evasion techniques. One such malware uses the PyBitmessage library for encrypted P2P C2, distributed with a Monero coinminer, making detection difficult. Another, Winos v4.0, is a memory-resident stager delivered via a multi-layered “Catena loader” using NSIS installers and sRDI shellcode, primarily targeting Chinese-speaking environments with C2s in Hong Kong.
- vendor asec.ahnlab.com: PyBitmessage Backdoor Malware Installed with CoinMiner
- vendor blog.rapid7.com: NSIS Abuse and sRDI Shellcode: Anatomy of the Winos 4.0 Campaign
- The software supply chain remains a vulnerable attack vector, with malicious packages frequently discovered in open-source repositories. Recently, 60 packages on NPM were found collecting sensitive host and network data, exfiltrating it to Discord webhooks. Separately, eight other NPM packages, present for two years with over 6,000 downloads, were identified as data wipers targeting popular JavaScript frameworks and Node.js.
- news bleepingcomputer.com: Dozens of malicious packages on NPM collect host and network data
- The VanHelsing Ransomware-as-a-Service (RaaS) emerged in early 2025, targeting organizations primarily in the USA and France across Windows, Linux, BSD, ARM, and ESXi platforms. This multi-platform threat employs double extortion tactics, demanding ransoms up to $500,000 in Bitcoin. Its TTPs include phishing, exploitation of unpatched software, RDP compromise, WMI abuse, credential dumping, process injection, and the use of fast flux networks for C2 resiliency.
- vendor medium.com: VanHelsing: Ransomware Overview
Regulatory and Policy Updates
- CISA continues to update its Known Exploited Vulnerabilities (KEV) Catalog, adding several new flaws based on evidence of active exploitation, including vulnerabilities in Ivanti EPMM, Samsung MagicINFO, and Google Chrome. Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to remediate these vulnerabilities by specified due dates to protect federal networks. CISA strongly urges all organizations to prioritize these KEVs.
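The KEV items above (the catalog additions under Critical Vulnerabilities and the BOD 22-01 remediation deadlines here) describe a workflow many teams run by hand: match catalog entries to your own assets and find what is still open before its due date. The following is an added example of that triage, not code from CISA or any cited source. The record layout mirrors the field names of CISA's published KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate), but the entries, due dates and the asset inventory are constructed for the example.

```python
"""Triage a hypothetical asset inventory against a KEV-style catalogue.

Added example for this brief; not code from CISA or any cited source. Field
names follow CISA's KEV JSON feed, but every entry, due date and asset below
is constructed for illustration.
"""
import json

# Constructed KEV-style sample: CVE IDs from the brief, due dates are placeholders.
KEV_SAMPLE = json.dumps({
    "title": "constructed KEV sample",
    "vulnerabilities": [
        {"cveID": "CVE-2025-4427", "vendorProject": "Ivanti",
         "product": "Endpoint Manager Mobile (EPMM)", "dateAdded": "2025-05-19", "dueDate": "2025-06-09"},
        {"cveID": "CVE-2025-4428", "vendorProject": "Ivanti",
         "product": "Endpoint Manager Mobile (EPMM)", "dateAdded": "2025-05-19", "dueDate": "2025-06-09"},
        {"cveID": "CVE-2025-4632", "vendorProject": "Samsung",
         "product": "MagicINFO 9 Server", "dateAdded": "2025-05-19", "dueDate": "2025-06-09"},
        {"cveID": "CVE-2025-4664", "vendorProject": "Google",
         "product": "Chromium", "dateAdded": "2025-05-15", "dueDate": "2025-06-05"},
        {"cveID": "CVE-2024-27443", "vendorProject": "Synacor",
         "product": "Zimbra Collaboration Suite (ZCS)", "dateAdded": "2025-05-19", "dueDate": "2025-05-30"},
    ],
})

# Hypothetical inventory: vendor/product strings must already be normalised to
# the catalogue's spelling; real inventories need a mapping step for that.
ASSETS = [
    {"host": "mdm-01.example.internal", "vendorProject": "Ivanti",
     "product": "Endpoint Manager Mobile (EPMM)", "remediated": set()},
    {"host": "signage-02.example.internal", "vendorProject": "Samsung",
     "product": "MagicINFO 9 Server", "remediated": {"CVE-2025-4632"}},
    {"host": "mail-01.example.internal", "vendorProject": "Synacor",
     "product": "Zimbra Collaboration Suite (ZCS)", "remediated": set()},
]


def load_kev(text):
    """Return the list of vulnerability records from a KEV-format JSON document."""
    return json.loads(text)["vulnerabilities"]


def _days_between(later_iso, earlier_iso):
    from datetime import date
    return (date.fromisoformat(later_iso) - date.fromisoformat(earlier_iso)).days


def triage(kev_entries, assets, as_of):
    """List unremediated KEV matches per host, soonest due first.

    as_of is an ISO date string (YYYY-MM-DD); days_until_due is negative when overdue.
    """
    open_items = []
    for asset in assets:
        for v in kev_entries:
            same_vendor = v["vendorProject"].lower() == asset["vendorProject"].lower()
            same_product = v["product"].lower() == asset["product"].lower()
            if not (same_vendor and same_product):
                continue
            if v["cveID"] in asset["remediated"]:
                continue
            open_items.append({
                "host": asset["host"],
                "cveID": v["cveID"],
                "dueDate": v["dueDate"],
                "days_until_due": _days_between(v["dueDate"], as_of),
            })
    open_items.sort(key=lambda i: (i["days_until_due"], i["host"], i["cveID"]))
    return open_items


def overdue(items):
    """Subset of triage() output whose due date has already passed."""
    return [i for i in items if i["days_until_due"] < 0]


if __name__ == "__main__":
    items = triage(load_kev(KEV_SAMPLE), ASSETS, "2025-06-01")
    for i in items:
        flag = "OVERDUE" if i["days_until_due"] < 0 else f"{i['days_until_due']}d left"
        print(f"{i['host']:28} {i['cveID']:16} due {i['dueDate']} ({flag})")
```

To use it with the live feed, replace `KEV_SAMPLE` with the downloaded catalogue text; the only parts that change per organisation are the inventory and the normalisation of vendor and product names.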
- International collaboration is strengthening AI security governance, with CISA, NSA, FBI, and partners from the UK, Australia, and New Zealand releasing a joint guide on AI data security best practices. This guide emphasizes protecting sensitive data throughout the AI lifecycle. Separately, the UK’s NCSC highlighted a new ETSI standard for AI system security, covering design, development, deployment, maintenance, and end-of-life stages.
- gov cisa.gov: New Best Practices Guide for Securing AI Data Released
- personal ctoatncsc.substack.com: CTO at NCSC Summary: week ending May 25th
- vendor tenable.com: Cybersecurity Snapshot: AI Data Security Best Practices Released, While New Framework Seeks To Help IT Pros Gain Cyber Skills
- Japan has enacted a new Active Cyberdefense Law, permitting law enforcement and the Self-Defense Forces to preemptively neutralize hostile servers before cyberattacks on critical infrastructure occur. This law allows for offensive cyber operations below the threshold of an armed attack, aiming to proactively defend national infrastructure. The move signifies a shift towards more assertive national cybersecurity postures.
- personal ctoatncsc.substack.com: CTO at NCSC Summary: week ending May 25th
- The UK’s National Health Service (NHS) has issued a cybersecurity charter to its suppliers, urging them to sign up to best practices amid a growing and evolving cyber threat landscape. This initiative aims to bolster supply chain security within the healthcare sector, reflecting an increased focus on third-party risk management in critical industries. The move is an example of market incentives being used to promote secure-by-design principles.
- personal ctoatncsc.substack.com: CTO at NCSC Summary: week ending May 25th
- U.S. Senators Mark Warner and James Lankford reintroduced the Federal Contractor Cybersecurity Vulnerability Reduction Act. This bipartisan legislation aims to require federal government contractors to implement vulnerability disclosure policies (VDPs) aligned with NIST standards, similar to obligations already in place for federal agencies. The goal is to enhance cybersecurity across the federal supply chain.
- Bipartisan legislation, the Streamlining Federal Cybersecurity Regulations Act, was reintroduced in the U.S. Senate by Senators Gary Peters and James Lankford. The bill proposes establishing an executive branch panel, led by the Office of the National Cyber Director, to harmonize conflicting cybersecurity regulations imposed on the private sector by various federal agencies. This initiative seeks to reduce regulatory burden and improve compliance effectiveness.
- news cyberscoop.com: Senators revive bill to harmonize conflicting cybersecurity regulations
- The European Union has imposed new sanctions on 21 individuals and 6 entities, including Russian technology firms Stark Industries LLC and OCEANOSOFTWARE LTD. These measures target those involved in cyberattacks and hybrid threat campaigns, such as disinformation and foreign information manipulation, attributed to groups like APT28, APT31, Sandworm, and Ghostwriter, which have affected EU member states, associated countries, and Ukraine.
- news gbhackers.com: EU Targets Stark Industries in Cyberattack Sanctions Crackdown
Security Operations
- CISA, NSA, FBI, and international partners from Australia, New Zealand, and the U.K. jointly released “AI Data Security: Best Practices for Securing Data Used to Train & Operate AI Systems.” This guidance highlights data security’s critical role in AI trustworthiness and outlines risks and mitigation strategies across the AI lifecycle, including robust data protection, proactive risk management, and enhanced monitoring for organizations deploying AI.
- NIST is actively working to integrate AI into cybersecurity frameworks by developing profiles for its Cybersecurity Framework (CSF) and AI Risk Management Framework (AI RMF). Additionally, NIST and CISA researchers are proposing a new metric called “Likely Exploited Vulnerabilities” (LEV) to improve vulnerability prioritization by predicting exploitation probability, complementing existing systems like KEV and EPSS.
- gov nist.gov: Cybersecurity and AI: Integrating and Building on Existing NIST Guidelines
- news darkreading.com: NIST's 'LEV' Equation to Determine Likelihood a Bug Was Exploited
- vendor tenable.com: Cybersecurity Snapshot: AI Data Security Best Practices Released, While New Framework Seeks To Help IT Pros Gain Cyber Skills
- Microsoft is enhancing identity management for AI by introducing Microsoft Entra Agent ID, which assigns identities to AI agents created within Microsoft Copilot Studio and Azure AI Foundry. This initiative aims to centralize agent and user management and is being developed in partnership with ServiceNow and Workday for automated provisioning of digital employee identities, extending Zero Trust principles to the agentic workforce.
- vendor microsoft.com: Microsoft extends Zero Trust to secure the agentic workforce
- The Metasploit Framework has received updates including performance improvements for faster loading and startup. New exploit modules have been added for several vulnerabilities: Ivanti Connect Secure RCE (CVE-2025-22457), Clinic’s Patient Management System RCE (CVE-2025-3096), Invision Community RCE (CVE-2025-47916), Nextcloud Workflows RCE (CVE-2023-26482), and Samsung MagicINFO 9 Server RCE (CVE-2024-7399). A new auxiliary module for Kerberoasting has also been included.
- vendor blog.rapid7.com: Metasploit Wrap-Up
- Signal has updated its Windows desktop application to block Microsoft’s new Recall feature by default due to privacy concerns. Windows Recall is an AI tool that periodically takes screenshots of user activity for later retrieval. Signal’s move aims to prevent this data collection within its app, highlighting ongoing tensions between user privacy and new AI-driven OS functionalities.
- news arstechnica.com: “Microsoft has simply given us no other option,” Signal says as it blocks Windows Recall
- personal schneier.com: Signal Blocks Windows Recall
- Google and FS-ISAC have launched the Financial Services Priority Flagger Program, a collaborative effort to accelerate fraud prevention and detection within the financial sector. This initiative aims to improve the speed and efficiency with which financial institutions can report and act upon fraudulent activities observed on Google’s platforms, enhancing the overall security posture for the industry.
- community fsisac.com: [American Banker] New Partnership Helps Banks Flag Fraud on Google
- community fsisac.com: Google and FS-ISAC Launch Financial Services Priority Flagger Program
- CISA has issued numerous Industrial Control Systems (ICS) advisories covering vulnerabilities in products from Lantronix, Rockwell Automation, ABUP, National Instruments, Danfoss, Mitsubishi Electric, Siemens, Schneider Electric, AutomationDirect, Vertiv, and Assured Telematics. These advisories provide technical details and mitigation strategies for flaws that could impact critical infrastructure sectors, emphasizing the need for timely patching and defensive measures.
Wins
- A significant international law enforcement effort, Operation Endgame, has disrupted major malware operations including DanaBot, Qakbot, Bumblebee, and Latrodectus (Lactrodectus). Coordinated by Europol and Eurojust, the operation involved authorities from the US, UK, Germany, France, and others, resulting in the takedown of over 300 servers, 650 domains, seizure of EUR 3.5 million in cryptocurrency, and 20 international arrest warrants. The US DOJ also unsealed indictments against 16 individuals for DanaBot and Rustam Gallyamov for Qakbot, seizing over $24 million in crypto from the latter.
- news cyberscoop.com: Large-scale sting tied to Operation Endgame disrupts ransomware infrastructure
- news hackread.com: Operation Endgame Takes Down DanaBot Malware, Neutralizes 300 Servers
- news thecyberexpress.com: Operation Endgame 2.0: Europe’s Cyber Dragnet Just Crippled the Ransomware Economy at Its Source
- news therecord.media: Ransomware hackers charged, infrastructure dismantled in international law enforcement operation
- news bleepingcomputer.com: Police takes down 300 servers in ransomware supply-chain crackdown
- news bleepingcomputer.com: US indicts leader of Qakbot botnet linked to ransomware attacks
- The infrastructure of the prolific Lumma Stealer (LummaC2) infostealer malware has been significantly disrupted through a coordinated global operation involving the U.S. Department of Justice, Microsoft, Europol, and other international partners. This MaaS platform, responsible for an estimated 10 million infections and $36.5 million in credit card theft in 2023, had its central command, over 2,300 malicious domains, and marketplaces seized or suspended. This action aims to curtail a major tool used by various cybercriminals, including ransomware groups like Octo Tempest.
- gov cisa.gov: Threat Actors Target U.S. Critical Infrastructure with LummaC2 Malware
- news cyberscoop.com: Lumma infostealer infected about 10 million systems before global disruption
- news cyberscoop.com: Lumma Stealer toppled by globally coordinated takedown
- vendor malwarebytes.com: Lumma information stealer infrastructure disrupted
- vendor microsoft.com: Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer
- Operation RapTor, a global law enforcement initiative, resulted in the arrest of 270 individuals across ten countries involved in dark web illicit activities, primarily drug trafficking. Coordinated by Europol and the U.S. DOJ’s JCODE task force, the operation followed the takedown of several dark web marketplaces like Nemesis and Incognito. Authorities seized over €184 million ($200 million) in cash and crypto, alongside significant quantities of drugs and firearms.
- news hackread.com: Operation RapTor: 270 Arrested in Global Crackdown on Dark Web Vendors
- news thecyberexpress.com: Dark Web No Longer Safe Haven: 270 Arrested in Global Law Enforcement Raid
- news therecord.media: US, Europol arrest 270 dark web drug traffickers in Operation RapTor
- news bleepingcomputer.com: Police arrests 270 dark web vendors, buyers in global crackdown
- Cloudflare successfully patched a request smuggling vulnerability (CVE-2025-4366) in its Pingora OSS framework within 22 hours of being notified. This flaw, present in the pingora-proxy and pingora-cache crates used by Cloudflare’s free CDN tier, could have allowed attackers to leak visitor URLs. Pingora OSS users are advised to upgrade to version 0.5.0 or later.
- news thecyberexpress.com: Cloudflare Closes Security Gap That Could Leak Visitor URLs
- vendor blog.cloudflare.com: Resolving a request smuggling vulnerability in Pingora
- An individual involved in the January 2024 SIM-swapping attack that compromised the U.S. Securities and Exchange Commission’s (SEC) Twitter account, leading to a fake Bitcoin ETF approval announcement and market volatility, has been sentenced to 14 months in federal prison. Eric Council Jr. pleaded guilty to charges related to the hack and was ordered to forfeit $50,000.
- personal bitdefender.com: SEC Twitter hack: Man imprisoned for role in attack that caused Bitcoin’s price to soar.
- Stalkerware applications Spyzie, Cocospy, and Spyic, along with other apps from FamiSoft Limited such as Teensafe, have been taken offline. This shutdown follows a February 2025 data breach that exposed sensitive data collected from victims’ devices and the email addresses of approximately 3.2 million customers who purchased the spyware.
- news darkreading.com: Following Data Breach, Multiple Stalkerware Apps Go Offline
- vendor malwarebytes.com: Stalkerware apps go dark after data breach
Disclaimer
The summaries in this brief are generated autonomously by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
The brief is created in collaboration with BlackStork and is based on a free template available on GitHub.
Reach out if you have questions or suggestions.