Weekly Cybersecurity Threat Advisory


Threat Landscape Summary (May 5 – May 12, 2025)

Executive Summary

This report provides an analysis of the cybersecurity threat landscape observed between May 5th and May 12th, 2025. The analysis highlights the continued dominance of ransomware operations, the emergence of new and evolving malware families, and the persistent exploitation of critical software vulnerabilities. Nation-state actors and hacktivist groups also maintained a notable presence, contributing to a complex and dynamic threat environment. Organizations must remain vigilant and adopt proactive defense strategies informed by timely and accurate threat intelligence to effectively mitigate these evolving risks.

Key observations include:

  • Ransomware Dominance: Play ransomware led attack volumes (19.28% of incidents), followed by Akira (14.46%) and Qilin (9.64%), with emerging threats including Gunra and LockZ
  • Evolving Attack Methods: Increased adoption of double-extortion tactics, with anticipation of triple-extortion strategies incorporating DDoS attacks and backup destruction
  • Nation-State Activity: Iranian group Lemon Sandstorm maintained long-term intrusions into critical infrastructure, North Korean Kimsuky group employed new PowerShell techniques, and Chinese malware was discovered on Latin American networks
  • Critical Vulnerabilities: Active exploitation of CVE-2025-34028 in Commvault Command Center, CVE-2025-27007 in WordPress plugins, “AirBorne” vulnerabilities in Apple’s AirPlay, and Windows CVE-2025-29824

Organizations must prioritize timely patching, enhance detection capabilities, and maintain comprehensive backup strategies to defend against these evolving threats.

1. Ransomware Landscape

1.1 Attack Distribution

The ransomware ecosystem remains highly active with established threat actors maintaining operations alongside emerging groups. The distribution of ransomware attacks during the reporting period is as follows:

| Ransomware Group | Percentage of Incidents | Key Targeting Focus |
|---|---|---|
| Play | 19.28% | MSPs, Hybrid Environments |
| Akira | 14.46% | Professional Services, Infrastructure |
| Qilin | 9.64% | International Victims |
| Sarcoma | 4.82% | Various Industries |
| Rhysida | 3.61% | Education Sector |
| LockBit3 | 3.61% | Enterprise Systems |
| Everest | 3.61% | ESXi Environments |
| Devman | 3.61% | Various Industries |
| Monti | 2.41% | Various Industries |
| RansomHouse | 2.41% | Various Industries |
| Hunters | 2.41% | Various Industries |
| Lynx | 2.41% | Various Industries |
| Interlock | 2.41% | Healthcare Sector |
| Others/Emerging | 25.53% | Various Industries |

1.2 Emerging Ransomware Threats

Two notable new ransomware families were identified during this reporting period:

  • Gunra: Based on leaked Conti source code and first identified in April 2025, employs double-extortion tactics combining data encryption with sensitive data theft
  • LockZ: Recently discovered ransomware with enhanced evasion capabilities

1.3 Evolving Tactics

Significant tactical developments observed include:

  • Double-Extortion Evolution: Widespread adoption of tactics combining encryption with data theft
  • Triple-Extortion Projection: Intelligence suggests future escalation to include DDoS attacks and backup destruction
  • Social Engineering Integration: Groups like Interlock incorporating ClickFix social engineering alongside infostealers
  • Fake Browser/Security Updates: Increased use of fraudulent update prompts for initial access
  • False Claims Strategy: Groups like Babuk-Bjorka and FunkSec making fake victim claims to hinder attribution

1.4 Impact Trends

  • 126% year-on-year increase in ransomware attacks (Q1 2025)
  • Decreasing total ransom amounts paid despite increased attack volume
  • Critical infrastructure impacts highlighted by healthcare conglomerate attack affecting 200+ hospitals in South Asia

2. Malware Analysis

2.1 Newly Identified Threats

| Malware | Type | Primary Function | Distribution Method |
|---|---|---|---|
| ZPHP | Dropper | Malware Delivery | Compromised Websites |
| TerraStealerV2 | Infostealer | Credential/Crypto Theft | LNK, MSI, DLL, EXE Files |
| TerraLogger | Keylogger | Keystroke Logging | LNK, MSI, DLL, EXE Files |
| LOSTKEYS | Espionage | Intelligence Collection | ClickFix Social Engineering |
| GhostWeaver | RAT | Remote Access | Phishing via MintLoader |
| AgeoStealer | Infostealer | Credential Theft | Fake Video Game |

2.2 Prevalent Malware Families

Check Point Research’s malware spotlight for May 2025 highlighted the continued prevalence of established malware families, including:

  • FakeUpdates
  • Remcos
  • AgentTesla
  • Phorpiex
  • Rilide
  • Mirai
  • Qilin
  • Akira
  • Anubis

2.3 Supply Chain Concerns

  • NPM Packages: Malicious packages targeting Cursor code editor users, implanting backdoors and stealing credentials
  • PyPI Repository: Malicious package disguised as Discord containing a fully functional Remote Access Trojan
  • WordPress Plugin: Fake security plugin enabling remote administrator access

3. Critical Vulnerabilities

3.1 Actively Exploited Vulnerabilities

| CVE | Affected System | Severity | Impact | Status |
|---|---|---|---|---|
| CVE-2025-34028 | Commvault Command Center (v11.38.0 – 11.38.19) | Critical | Unauthenticated RCE via Path Traversal | Active Exploitation, Added to CISA KEV |
| CVE-2025-27007 | OttoKit WordPress Plugin (100K+ installations) | High | Privilege Escalation | Active Exploitation |
| CVE-2025-29824 | Microsoft Windows CLFS Driver | High | Privilege Escalation | Zero-Day Exploitation by Play Ransomware |

3.2 High-Impact Vulnerabilities

| CVE | Affected System | Severity | Impact | Status |
|---|---|---|---|---|
| CVE-2025-24252 + CVE-2025-24206 (“AirBorne”) | Apple AirPlay Protocol | Critical | Zero-Click RCE + Authentication Bypass | Patched, Wormable Potential |
| CVE-2025-31191 | macOS | High | Sandbox Escape | Patched March 2025 |

4. Threat Actor Activities

4.1 Nation-State Threat Actors

4.1.1 Lemon Sandstorm (Iran)

  • Also Known As: Rubidium, Parisite, Pioneer Kitten, UNC757, Fox Kitten
  • Activity: Maintained long-term intrusion (~2 years) into Middle Eastern critical infrastructure
  • Tactics: Exploited VPN vulnerabilities, deployed custom backdoors (HanifNet, HXLibrary, The)
  • Targeting: Aerospace, oil/gas, water, and electric sectors across the US, Middle East, Europe, and Australia

4.1.2 Kimsuky (North Korea)

  • Also Known As: Emerald Sleet, Velvet Chollima
  • Activity: New PowerShell-based attack methodology, Operation Larva-24005
  • Tactics: Social engineering, impersonation, malicious documents, living-off-the-land tools
  • Targeting: Government organizations in South Korea and Japan, intelligence focus on Korean peninsula and nuclear policy

4.1.3 Chinese Threat Actors

  • Activity: Malware implanted on partner networks in multiple Latin American nations
  • Group Profile: UNC5174 identified as highly stealthy Chinese espionage group
  • Tactics: Utilization of open-source tools to blend into targeted networks

4.2 Cybercriminal Groups

4.2.1 Golden Chickens / Venom Spider

  • Operating Model: Malware-as-a-Service (MaaS) provider
  • Clients: FIN6, Cobalt Group, Evilnum
  • New Tools Deployed: TerraStealerV2 (credential/crypto theft) and TerraLogger (keylogging)
  • Tactics: Multiple distribution methods, Windows utility abuse for evasion

4.2.2 Play Ransomware Group

  • Activity: Zero-day exploitation of CVE-2025-29824
  • Targeting: US-based organization

4.2.3 COLDRIVER (Russia-linked)

  • Activity: Distribution of LOSTKEYS malware
  • Tactics: ClickFix-like social engineering lures
  • Objective: Espionage campaign

4.3 Hacktivist Groups

4.3.1 NoName057(16) (Pro-Russian)

  • Activity: DDoS attacks against Romanian government websites during elections
  • Additional Targets: Dutch and European organizations supporting Ukraine
  • Sectors Targeted: Government, law enforcement, banking/financial services, telecommunications, energy/utilities
  • Tools: DDoSia tool, volunteer network for distributed attacks


5. Notable Security Incidents

5.1 Public Sector Incidents

| Date | Organization | Location | Incident Type | Threat Actor | Impact |
|---|---|---|---|---|---|
| May 4, 2025 | Romanian Government Sites | Romania | DDoS | NoName057(16) | Service disruption during elections |
| Apr 2025 | Texas HHSC | USA | Data Breach | Insider Threat | 33,529 program enrollees’ personal/health information |
| Apr 29, 2025 | National Public Data | USA | Data Breach | USDoD | 2.9 billion individuals’ records (PII) |
| May 5, 2025 | Fowler School District | USA | Ransomware | Interlock | ~400 GB of student and staff records |
| May 2025 | U.S. State Government Agency | USA | Cyber Intrusion | Unknown | Unknown |
| May 2025 | Consumer Financial Protection Bureau | USA | Data Leak | Former Employee | ~256,000 consumers’, 45 financial institutions’ data |

5.2 Financial Services Incidents

| Date | Organization | Location | Incident Type | Threat Actor | Impact |
|---|---|---|---|---|---|
| May 2025 | DBS Group and Bank of China | Singapore | Data Breach | Third-party (Toppan Next Tech) | ~8,200 client statements (DBS), customer info (BoC) |
| May 2025 | Bank Sepah | Iran | Data Breach | Unknown | Sensitive financial data affecting military and government sectors |
| May 2025 | SogoTrade, Inc. | USA | Data Breach | Unknown | Names, financial account numbers, SSNs, tax IDs |

5.3 Healthcare Sector Incidents

| Date | Organization | Location | Incident Type | Threat Actor | Impact |
|---|---|---|---|---|---|
| Apr 2025 | Yale New Haven Health System | USA | Data Security Incident | Unknown | ~5.6 million patients’ data potentially affected |
| Apr 2025 | Onsite Mammography | USA | Cyberattack | Unknown | >350,000 individuals’ data |
| May 2025 | Esse Health | USA | Cyber Attack | Unknown | Disruptions to healthcare services |
| May 2025 | Genea Fertility Clinic | Australia | Information Leak | Unknown | Personal details, Medicare numbers, medical histories |
| Feb 2025 | Bell Ambulance, Inc. | USA | Data Breach | Unknown | 114,000 individuals’ data |

5.4 Other Significant Incidents

| Date | Organization | Location | Incident Type | Threat Actor | Impact |
|---|---|---|---|---|---|
| May 9, 2025 | Hamilton County Sheriff’s Office | USA | Data Breach | Qilin | Unknown |
| May 5, 2025 | Global Crossing Airlines Group | USA | Cyber Attack | Unknown | Unknown |
| May 2025 | Hitachi Vantara | Japan | Cyber Attack | Akira Ransomware | Files allegedly stolen |
| May 2025 | Nova Scotia Power | Canada | Cyber Attack | Unknown | Disrupted customer service and online access |
| May 2025 | Co-op, Harrods, Marks & Spencer | UK | Cyber Attack | Unknown | Operational disruption, suspended online services |
| Dec 2024 | PowerSchool | USA, Canada | Data Breach | Unknown | 62.4M students’, 9.5M educators’ data |

6. Recommendations

6.1 Immediate Actions

  • Patch Critical Vulnerabilities: Prioritize CVE-2025-34028 (Commvault), CVE-2025-27007 (WordPress OttoKit), and CVE-2025-29824 (Windows CLFS)
  • Update Apple Devices: Apply latest security updates to address “AirBorne” vulnerabilities
  • Enhance Email Security: Implement additional phishing protection against social engineering, particularly ClickFix-style attacks
  • Review Supply Chain: Audit third-party software components, especially NPM packages, WordPress plugins, and Python libraries

6.2 Strategic Mitigations

  • Ransomware Readiness: Update incident response playbooks to address double/triple extortion tactics
  • Data Protection: Implement 3-2-1 backup strategy (3 copies, 2 different media types, 1 offsite)
  • Network Segmentation: Isolate critical systems and apply zero trust principles
  • Authentication Hardening: Implement multi-factor authentication across all systems, particularly VPNs and remote access points
  • Threat Hunting: Proactively search for indicators of compromise related to Lemon Sandstorm, Kimsuky, and UNC5174

6.3 Sector-Specific Guidance

Healthcare Organizations

  • Enhance security monitoring for Interlock ransomware activity
  • Review third-party access controls and data sharing agreements

Financial Services

  • Implement enhanced monitoring for credential theft tools, particularly TerraStealerV2
  • Review customer data protection policies and incident response procedures

Government Agencies

  • Prepare for potential hacktivist activity from NoName057(16), particularly DDoS attacks
  • Enhance insider threat monitoring and detection capabilities

7. Analyst Notes

The threat landscape continues to evolve rapidly, with several concerning trends emerging during this reporting period:

  1. Ransomware Ecosystem Maturity: The stability in ransomware group percentages suggests mature operations with specialized toolsets and target selection criteria, indicating a professionalized criminal landscape.
  2. AI Integration Projection: The predicted emergence of agentic AI ransomware could fundamentally alter attack speeds and effectiveness, potentially overwhelming traditional defense mechanisms.
  3. Supply Chain Risk Elevation: The discovery of multiple malicious components across different software ecosystems (npm, PyPI, WordPress) highlights the increasing focus on supply chain as an attack vector.
  4. Nation-State Persistence: The two-year intrusion maintained by Lemon Sandstorm demonstrates the sophisticated persistence capabilities of nation-state actors targeting critical infrastructure.
  5. Declining Ransom Payments: Despite increased attack volume, the reduction in total ransoms paid suggests improving organizational resilience and potential shifts in attacker focus toward smaller targets.

While the overall threat landscape remains challenging, the enhanced focus on critical infrastructure protection, improved incident response capabilities, and growing reluctance to pay ransoms provide encouraging indicators of organizational adaptation.

CONTACT INFORMATION

For further inquiries or guidance regarding this report, please contact the Meraal Cyber Security (MCS) Threat Intelligence Team.

Note on Sources and Intelligence: This report synthesizes information from various credible sources, including public advisories from organizations like CISA, MITRE, and MS-ISAC, alongside internal analysis and emerging threat intelligence. Efforts have been made to differentiate between confirmed intelligence and speculative or unverified information to maintain accuracy and credibility.
