👉 What’s going on in the cyber world today?
WordPress, Hidden Plugin, Admin Access, APT Tool, TheWizards, Spellbinder, IPv6 Spoofing, Nitrogen Ransomware, Malvertising, Cobalt Strike, Hive0117, Russian Firms, DarkWatchman, SonicWall Flaws, Secure Mobile Access, Ascension, Patient Data Theft, Clop, Third-Party Breach, UK, Co-op, IT Disruption, Poland, DDoS Attack, India, Rajasthan, Education Portal, Cyberattack, Inflammatory Messages, Japan, Kintetsu World Express, Ransomware Attack, US House of Representatives, Bill, Foreign Routers, OASIS, OpenEoX Framework, End of Life Product, FBI, Phishing Domains, LabHost, Polish Police, International Cyber Fraud, Tor Browser.
1. Malware Hides in WordPress Security Plugin
A new malware campaign is covertly targeting WordPress sites through a malicious plugin disguised as a security tool. The plugin gives attackers full administrator access, remote code execution, and the ability to inject JavaScript, all while staying hidden from the dashboard. It reactivates automatically via a modified wp-cron.php file even if deleted, ensuring persistent control. Wordfence urges site owners to examine files like wp-cron.php and header.php for unexpected changes and to review access logs for suspicious parameters such as emergency_login and check_plugin.
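As an added illustration of the access-log review Wordfence recommends (example code written here, not code from the article or from Wordfence), the script below scans constructed web-server log lines for requests carrying the emergency_login or check_plugin query parameters; the combined-log format, the regex and the sample IPs are assumptions.

```python
"""Flag requests that carry the query parameters the article lists as
indicators of the hidden WordPress plugin (emergency_login, check_plugin).

Constructed example: the log lines below are made up for illustration and
use documentation addresses (RFC 5737); only the parameter names come from
the article."""
import re
from urllib.parse import parse_qs, urlsplit

# Query parameters named in the article as suspicious.
SUSPICIOUS_PARAMS = {"emergency_login", "check_plugin"}

# Assumed Apache/nginx combined log format:
# ip - - [timestamp] "METHOD /path?query HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_requests(lines):
    """Return (ip, timestamp, path, matched_params) for every parseable line
    whose query string contains at least one indicator parameter, with or
    without a value. Unparseable lines are skipped, not treated as hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        query = parse_qs(parts.query, keep_blank_values=True)
        matched = sorted(SUSPICIOUS_PARAMS & set(query))
        if matched:
            hits.append((m.group("ip"), m.group("ts"), parts.path, matched))
    return hits


# Constructed sample access-log lines.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/May/2025:10:12:01 +0000] "GET /wp-cron.php?emergency_login=1 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [02/May/2025:10:12:09 +0000] "GET /index.php HTTP/1.1" 200 10240 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [02/May/2025:10:13:44 +0000] "POST /wp-admin/admin-ajax.php?check_plugin HTTP/1.1" 200 64 "-" "curl/8.0"',
    "not a log line",
]

if __name__ == "__main__":
    for ip, ts, path, params in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} {path} params={','.join(params)}")
```

Feed real log files line by line to suspicious_requests and pair any hit with a file-integrity check of wp-cron.php and header.php, as the article advises.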
2. Spellbinder Tool Used to Abuse App Updates
A China-linked APT group known as TheWizards has been tied to a lateral movement tool named Spellbinder. The tool enables IPv6-based adversary-in-the-middle attacks that hijack DNS and software update mechanisms. It abuses updates from Chinese apps like Sogou Pinyin and Tencent QQ to deploy malware such as WizardNet. The malware campaign also involves Android-targeting payloads tied to a Chinese contractor, suggesting organized backing.
3. Nitrogen Ransomware Deploys Cobalt Strike
The Nitrogen ransomware campaign leverages deceptive malvertising strategies to infect organizations. Attackers distribute counterfeit software, like a fake “WinSCP” installer, through malicious ads on platforms like Bing. This triggers DLL sideloading that leads to the installation of ransomware and Cobalt Strike for lateral movement. Forensic analysis reveals sophisticated evasion techniques and highlights the need for improved defenses against such advanced threats.
4. Hive0117 Targets Russian Firms with Phishing
Hive0117, a financially motivated cybercrime group, recently targeted Russian organizations in several sectors with a new phishing campaign. The group utilized a modified version of DarkWatchman malware, which was delivered through emails disguised as corporate correspondence. These emails, titled “Documents from 04/29/2025,” contained password-protected archive files that, once opened, triggered an infection chain installing the malware.
5. SonicWall Warns of Exploited Vulnerabilities
SonicWall has issued a warning about two actively exploited vulnerabilities in its SMA appliances. The vulnerabilities, CVE-2023-44221 and CVE-2024-38475, allow attackers to inject commands and gain code execution. These flaws affect several SMA models, including the 200, 210, 400, and 500v, and are patched in firmware version 10.2.1.14-75sv. SonicWall also confirmed the exploitation of a previous flaw, CVE-2021-20035, and urged customers to patch their devices immediately.
6. Ascension Data Breach Hits Patients Again
Ascension Health disclosed a data breach affecting over 100,000 individuals through a former business partner’s compromised system. Hackers exploited software vulnerabilities in Cleo’s file transfer platform used by the unnamed partner. The Clop ransomware group likely stole names, Social Security numbers, contact details, diagnoses, and inpatient records. The breach impacted patients in Alabama, Michigan, Indiana, Tennessee, and Texas. Notifications sent to authorities confirm more than 114,700 people were affected.
7. Co-operative Group Reports Cyber Incident
UK retail giant The Co-operative Group reported it took some IT systems offline after detecting attempted cyber intrusions. The company said it acted proactively to protect internal systems, which led to disruptions in back-office operations and call center services. Despite the attack, all Co-op retail stores remain fully operational, and customers are not being asked to take any special measures. While the company is working with the UK’s National Cyber Security Centre, it has not disclosed the nature of the attack or whether customer data was compromised.
8. Poland’s State Registers System DDoS Attack
Poland’s State Registers System was targeted by a DDoS attack yesterday morning, temporarily disrupting services. The cybercriminals aimed to paralyze key systems on a crucial day for tax submissions and public registrations. The Ministry of Digital Affairs confirmed the attack but assured that no security breaches occurred, and no personal data was compromised. Temporary difficulties affected services like mObywatel, tax settlements, and car registrations, but all services are now operational. The Cyber Police and the Internal Security Agency are actively investigating the incident, with officials noting that Poland faces frequent cyberattacks, often from Russian sources.
9. Rajasthan Education Portal Under Cyberattack
The official portal of Rajasthan’s Education Department in India was targeted in a cyberattack, with hackers posting inflammatory messages under the name “Pakistan Cyber Force.” One of the messages claimed the Pahalgam terror attack was an inside job, accusing the Indian government of staging a false flag operation to incite conflict. Following the breach, the website was taken down, and the Education Minister assured that cybersecurity efforts were underway, with no confirmed data leakage but ongoing audits to ensure security.
10. Kintetsu World Express Ransomware Attack
Kintetsu World Express (KWE), a prominent Japanese logistics firm, recently confirmed a ransomware attack that caused service disruptions. The Tokyo-based company, known for its global freight forwarding services, has not yet identified the cybercriminals behind the attack. While KWE is working on restoring its systems, it has assured customers that they will be notified if their data has been compromised. This attack comes a year after a breach by a hacker group, raising concerns about the growing cybersecurity threats targeting Japanese companies across various sectors.
11. US Advances Bill to Assess Router Security
The US House of Representatives passed the ROUTERS Act, focusing on security risks from foreign-made routers. The bill mandates the Commerce Department to investigate networking equipment from adversarial nations, with a focus on China. It aims to protect US communication systems from vulnerabilities exploited in cyberattacks. The act follows increasing concerns about the role of routers in cyber intrusions by state-backed act
12. OASIS Proposes to Standardize Product Lifecycles
A coalition of tech giants including Cisco, Microsoft, and IBM has introduced OpenEoX. This draft framework aims to standardize end-of-life (EoL) notices for software and hardware products. By defining four key lifecycle milestones, OpenEoX hopes to make security patch tracking more consistent and automated. The initiative, which is still in early stages, seeks public feedback before finalizing the proposal into a formal standard.
13. FBI Dismantled LabHost’s PhaaS Network
The FBI dismantled LabHost’s phishing-as-a-service network, uncovering 42,000 malicious domains used from 2021 to 2024. The PhaaS platform let criminals impersonate banks, government sites, and streaming services to harvest credentials and credit card data. Investigators estimate over one million victims fell prey to LabHost schemes, which also supported smishing and real-time 2FA interception. The FBI advises reviewing logs for connections to those domains, blocklisting the published indicators of compromise, and reporting threats to local field offices.
14. Polish Police Dismantle Cybercrime Group
Polish police dismantled a transnational cybercrime group accused of defrauding at least 55 victims out of $665,000. The suspects, aged 19 to 51, allegedly posed as bank representatives and law enforcement officers, using spoofed phone numbers to gain victims’ trust and redirect funds to fraudulent accounts. The operation, active since April 2023, reportedly involved suspects from Ukraine, Georgia, Moldova, and Azerbaijan, with some converting the stolen funds into cryptocurrency. Authorities confirmed that 46 additional individuals had already been charged, and with pre-trial detentions and travel bans in place, the investigation continues and may result in further arrests.
15. Tor Browser 14.5.1 Security Update
The Tor Project has released Tor Browser 14.5.1, a significant update focusing on enhanced security and privacy for users across all supported platforms. This release incorporates crucial security updates backported from the latest Firefox versions, addressing potential vulnerabilities and strengthening protection against surveillance and censorship. Key improvements include updating Firefox and GeckoView to version 128.10.0esr, streamlining the update process, and refreshing anti-censorship measures. Users on desktop now default to the Tor Browser Home page on new tabs, and a letterbox sizing bug has been fixed. The Tor Project encourages user feedback and strongly advises updating to this latest version to benefit from these important security enhancements.
Copyright © 2025 CyberMaterial. All Rights Reserved.