Threat Landscape Summary (19 – 26 May, 2025)
The week of May 19-26, 2025, witnessed significant law enforcement successes against major cybercriminal operations, particularly impacting malware distribution networks. Microsoft announced a major takedown of the Lumma Stealer infrastructure, seizing over 2,300 domains and disrupting its command structure. This coincided with Europol’s “Operation Endgame 2.0,” which neutralized 300 servers and 650 domains linked to several prominent malware strains, including Bumblebee and Qakbot. Despite these notable achievements, new critical vulnerabilities, especially in Ivanti Endpoint Manager Mobile (EPMM) and SAP NetWeaver, saw active exploitation, emphasizing the persistent challenge of patching and secure configuration. Ransomware activity, while impacted by takedowns, continued to target various sectors, with notable incidents affecting healthcare and education. The pervasive use of Artificial Intelligence (AI) by both attackers and defenders remains a central theme, with AI-driven social engineering and automated malware evasion techniques posing escalating risks.
Organizations must remain highly vigilant, prioritizing rapid patching of known exploited vulnerabilities, strengthening identity and access management, and enhancing employee awareness against sophisticated social engineering tactics. The disruption of Malware-as-a-Service (MaaS) platforms may offer a temporary reprieve, but is unlikely to halt the overall threat evolution, as threat actors rapidly adapt their strategies.
Ransomware continues to be a dominant threat, characterized by evolving Tactics, Techniques, and Procedures (TTPs) and a discernible shift towards more disruptive and financially motivated attacks. The landscape is increasingly defined by “double extortion” tactics, where attackers not only encrypt data but also exfiltrate sensitive information, threatening its public release if ransom demands are not met. An even more aggressive approach, termed “quadruple extortion,” has emerged, where threat actors demand ransom for decrypting data, preventing data leaks, halting Distributed Denial-of-Service (DDoS) attacks, and even returning stolen credentials.
While global ransomware incidents reportedly declined in April 2025, falling to 450 from 564 in March, marking the lowest level since November 2024, the overall volume in early 2025 remains notably higher than in previous years. This suggests a recalibration or temporary shift in activity rather than a sustained decrease in threat. Prolific groups like Cl0p and RansomHub continued to dominate the first quarter of 2025, demonstrating significant impact. Concurrently, new groups such as Gunra, which surfaced in April 2025, and BlackLock, identified in March 2024, have rapidly emerged and gained prominence, with BlackLock showing a staggering 1,425% surge in activity in the last quarter of 2024.
The resilience of the ransomware ecosystem, despite high-profile takedowns, is a critical observation. Law enforcement operations, such as “Operation Endgame 2.0,” explicitly targeted major malware distribution networks and initial access brokers, neutralizing hundreds of servers and domains. Similarly, Microsoft announced a significant takedown of the Lumma Stealer infrastructure, seizing over 2,300 domains and disrupting its central command structure. These actions are designed to dismantle cybercriminal operations and their supporting infrastructure. However, the continued high volume of attacks and the rapid emergence of new groups and variants, as evidenced by BlackLock’s exponential growth and Gunra’s rapid appearance, indicate that while law enforcement can effectively disrupt specific malware families or groups, the underlying Ransomware-as-a-Service (RaaS) model and the robust financial incentives for cybercriminals foster rapid adaptation. The ecosystem demonstrates significant resilience, with new variants and affiliates quickly filling the operational voids created by successful takedowns. This dynamic suggests that the “business” of ransomware is highly adaptable and capable of swift evolution. Therefore, organizations cannot rely solely on the success of law enforcement operations for their security posture. Instead, they must maintain continuous, proactive defense strategies that are adaptable to evolving threats, recognizing that the threat landscape will rapidly reconfigure itself even after major disruptions.
Artificial Intelligence (AI) presents a complex challenge and opportunity, significantly impacting both offensive and defensive cybersecurity strategies.
On the offensive side, threat actors are increasingly leveraging AI to augment their capabilities. This includes automating reconnaissance, accelerating exploit development, and crafting highly convincing phishing emails, voice clones, and deepfake videos. The integration of AI tools into attack frameworks enhances the scale and speed of intrusions, making social engineering attacks more sophisticated and difficult to detect. For instance, reports indicate that 40% of detected Business Email Compromise (BEC) messages in July 2024 were created by AI, and deepfake scams have already resulted in significant financial losses.
Conversely, AI is becoming a critical line of defense in cybersecurity. It is improving threat prioritization, increasing Security Operations Center (SOC) efficiency, and accelerating threat analysis. AI-powered tools help identify patterns that signal impending threats and enable preemptive security measures. For example, 56% of organizations report that AI has improved their ability to prioritize threats and vulnerabilities, and 51% indicate increased SOC efficiency. However, significant challenges persist in the adoption of AI for defense. Many organizations struggle with integrating AI security technologies with legacy systems, citing complexity and interoperability issues as major barriers. Furthermore, applying AI-based controls consistently across the entire enterprise remains a hurdle.
A critical observation is the widening AI preparedness gap within organizations. Multiple reports highlight that a large percentage of organizations (72-75%) are experiencing increased cyber risks, with generative AI explicitly identified as fueling more sophisticated social engineering and ransomware attacks. This indicates a clear recognition of AI’s growing role in cyber threats. However, despite this high awareness, a significant disconnect exists in practical implementation. While 66% of organizations acknowledge AI as the biggest cybersecurity game-changer, only a minority (37%) have established safeguards to assess AI tools before integrating them into their operations. Moreover, a substantial portion (52%) of respondents warn that without preemptive AI, attackers will succeed in launching targeted attacks at unprecedented speed and scale. This disparity reveals a critical lack of preparedness. Organizations are aware of the AI-driven threat but are lagging in implementing the necessary AI-powered defenses and governance frameworks. This unchecked adoption of AI without adequate security measures effectively widens their attack surface and increases their vulnerability to AI-augmented threats, creating a self-inflicted risk. This gap is likely to exacerbate existing cyber inequity, particularly affecting smaller organizations and public sector entities that often lack the resources and expertise for advanced AI defense. To mitigate this, organizations must not only invest in AI-driven security solutions but also prioritize comprehensive training and policy development to ensure secure and effective AI integration.
The increasing complexity of supply chains and a growing reliance on third-party vendors continue to pose significant cybersecurity risks. Cloud environments, despite their benefits, remain primary targets due to common misconfigurations, API vulnerabilities, and identity mismanagement. These factors create expanded attack surfaces that threat actors actively exploit.
A significant observation is how supply chain vulnerabilities act as a force multiplier for attackers. A high percentage of large organizations (54%) identify supply chain challenges as a major barrier to cyber resilience, specifically citing complexity and lack of visibility into suppliers’ security practices. This points to a systemic weakness that attackers readily leverage. For instance, the Procolored incident demonstrated how malware-infected software drivers, distributed through a seemingly legitimate file-sharing database, could lead to widespread infections among customers. Similarly, the exploitation of critical SAP NetWeaver vulnerabilities (CVE-2025-31324 and CVE-2025-42999) by multiple China-based threat groups resulted in the compromise of 581 critical systems globally. These examples illustrate that supply chain vulnerabilities are not merely isolated entry points but act as force multipliers for attackers. By compromising a single vendor or a widely used software component within the supply chain, threat actors can gain access to and impact a vast number of downstream organizations simultaneously. This creates a “ripple effect” of breaches, significantly amplifying the scale of an attack. Therefore, organizations must extend their security assessments and controls beyond their immediate perimeter. This necessitates rigorous third-party risk management, continuous monitoring of software dependencies, and a deep understanding of the security posture of all components within their digital supply chain to prevent widespread compromise.
The week of May 19-26, 2025, saw a diverse range of cyber incidents and further disclosures of past breaches, underscoring the pervasive and long-lasting nature of cyber threats across various sectors globally.
Beyond new incidents, several significant data breaches from earlier periods had new developments or were publicly disclosed during this week, underscoring the prolonged consequences of cyber compromises.
The persistent and evolving impact of past compromises is a crucial takeaway. The Vastaamo breach, which occurred in 2020, is still seeing legal and investigative developments in May 2025, with a second suspect named. This demonstrates that the repercussions of a cyberattack can extend for many years, highlighting the long tail of cyber incidents. The PowerSchool case further illustrates this, with renewed extortion attempts in May 2025, even after the company had reportedly paid the initial ransom. This scenario underscores that paying a ransom does not guarantee data deletion or prevent future re-extortion, and it can lead to significant operational changes, such as North Carolina discontinuing its use of PowerSchool due to security concerns. These cases collectively illustrate that cyber incidents are not isolated, short-term events. They have prolonged, multi-faceted impacts that can include ongoing legal proceedings, re-victimization through renewed extortion, and significant operational changes. The data also points to the systemic risk introduced by third-party services, as seen with TeleMessage using AWS, and widely adopted enterprise software like SAP NetWeaver, where a single compromise can ripple across numerous organizations. Therefore, incident response and recovery strategies must be comprehensive and long-term, extending beyond immediate containment to include legal preparedness, continuous monitoring for re-extortion, and rigorous vetting of third-party vendors. Organizations must understand that their security posture is intrinsically linked to the security of their supply chain and the software they utilize.
The following table provides a concise overview of notable security incidents reported during the week of May 19-26, 2025:
Table: Notable Security Incidents (May 19-26, 2025)
| Affected Entity | Location | Type of Incident | Date Reported | Brief Description/Impact |
|---|---|---|---|---|
| Tickify (ticketing platform) | Dhaka, Bangladesh | Cyber attack | May 25, 2025 | Affected sales for a qualifying match between Bangladesh and Singapore for the AFC Asian Cup. |
| Canton du Valais | Sion, Switzerland | Cyberattack | May 22, 2025 | Attack on the website of a Swiss canton. |
| Landratsamt Bodenseekreis | Friedrichshafen, Germany | Cyber attack | May 21, 2025 | Attack on the mobile devices of the district administration. |
| Département Hauts-de-Seine | Nanterre, France | Cyber attack | May 20, 2025 | Attack on a department administration. |
| Kettering Health | Kettering, Ohio, USA | Cyber attack | May 20, 2025 | System-wide technology outage, disrupting patient portals, phones, and elective procedures. |
| Maison Liégeoise | Liège, Belgium | Cyber attack | May 19, 2025 | Attack on a housing association. |
| Teatro Castro Alves | Salvador, Brazil | Instagram account hacked | May 19, 2025 | The Instagram account of a theater was compromised. |
| Noroeste Media | Culiacán, Mexico | DDoS attack | May 19, 2025 | A media company was affected by a Distributed Denial-of-Service attack. |
| Union County | Marysville, Ohio, USA | Cyber incident | May 18, 2025 | Cyber incident affecting a county government. |
| Vastaamo Data Breach | Finland | Data Breach (Ongoing) | May 19, 2025 (New Suspect) | Second suspect named in 2020 mental health records breach; case to be submitted to prosecutors. |
| SogoTrade, Inc. | Chesterfield, Missouri, USA | Data Breach (Disclosure) | May 2025 | Disclosure of May 2024 breach exposing financial account numbers, SSNs, and tax IDs. |
| PowerSchool | U.S. & Canada (Schools) | Data Breach (Re-extortion) | May 2025 | Attackers resumed extortion attempts, exposed student/educator data; North Carolina to stop use. |
| TeleMessage | US Government Officials (AWS-hosted) | Data Breach | May 2025 | Compromise of Signal app for US officials; exposed unencrypted message fragments, contacts. |
| SAP NetWeaver | Global | Vulnerability Exploitation | May 2025 | China-based groups exploited CVE-2025-31324/42999, breaching 581 critical systems. |
The period of May 19-26, 2025, featured significant developments in the malware landscape, including a major law enforcement takedown and the emergence of new, sophisticated campaigns.
On May 21, 2025, Microsoft, in coordination with global law enforcement agencies including the U.S. Department of Justice, Europol, and Japan’s Cybercrime Control Centre (JC3), announced a major takedown operation against Lumma Stealer.
Lumma Stealer operates as a “Malware-as-a-Service” (MaaS), a model that facilitates its widespread distribution and makes it difficult for traditional security defenses to detect. This characteristic makes it a favored tool for cybercriminals seeking to steal data. The malware is specifically designed to exfiltrate sensitive information from popular web browsers such as Google Chrome, Mozilla Firefox, and Microsoft Edge. This stolen data includes cryptocurrency wallets, credit card details, bank account information, and passwords. First discovered in 2022, Lumma Stealer has also been linked to ransomware attacks and breaches of school security systems. Microsoft identifies it as one of the “leading tools” used by cybercriminals worldwide for large-scale information and money theft.
Lumma Stealer is frequently deployed through spear-phishing emails, malvertising, and by impersonating trusted brands, including Microsoft itself. Recent campaigns observed in November 2024 and earlier in 2025 utilized deceptive lures such as fake AI video tools (e.g., EditPro) and phishing campaigns impersonating popular online travel agencies like Booking.com, all aimed at financial theft and fraud. The impact of this takedown operation was substantial. Between March 16 and May 16, 2025, Microsoft identified over 394,000 Windows PCs worldwide that had been infected by Lumma malware. The takedown successfully seized more than 2,300 domains that formed the backbone of Lumma’s infrastructure and disrupted its central command structure and underground marketplaces where the malware was being sold.
ELPACO-team ransomware, identified as a variant of Mimic ransomware, was observed in an attack that culminated in its deployment approximately 62 hours after initial compromise. This ransomware often spreads laterally via Remote Desktop Protocol (RDP) and Server Message Block (SMB).
Initial access for this group was gained by exploiting a known template injection vulnerability (CVE-2023-22527) on an internet-facing Atlassian Confluence server, which allowed for remote code execution and the deployment of a Metasploit payload. The group’s TTPs are extensive and include using AnyDesk for remote access, creating new local administrator users (e.g., “noname” with password “Slepoy_123”), and attempting to exploit the Zerologon vulnerability (CVE-2020-1472) for privilege escalation. They leveraged tools such as Mimikatz, ProcessHacker, and Impacket’s Secretsdump for credential harvesting, enabled RDP, and disabled Windows Defender for defense evasion. Network scanning and SMB share enumeration were also observed as part of their reconnaissance and lateral movement. The impact of ELPACO-team ransomware includes the encryption of files, which are then appended with the ELPACO-team extension. The group also created MIMIC_LOG.txt and session.tmp files and made attempts to halt virtual machine (VM) operations. Actionable Indicators of Compromise (IOCs) identified include specific network IPs (45.227.254.124, 91.191.209.46) and numerous file hashes (SHA256).
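The ELPACO-team chain above (new local admin, RDP enabled, Defender disabled, C2 contact, Mimic artifacts) is the kind of sequence a SOC can correlate per host. The following Python is an added example, not code from the report; the two C2 IPs, the "noname" account, the MIMIC_LOG.txt/session.tmp names and the .ELPACO-team extension come from the text, while the event schema, host names, paths and scoring thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# IoCs quoted in the report: the two C2 IPs and the account name the group
# created.  Everything else (event schema, host names, paths) is assumed.
KNOWN_C2_IPS = {"45.227.254.124", "91.191.209.46"}
KNOWN_ACCOUNT = "noname"
RANSOM_ARTIFACTS = {"mimic_log.txt", "session.tmp"}
RANSOM_EXT = ".elpaco-team"
ADMIN_GROUP_SIDS = {"S-1-5-32-544"}  # BUILTIN\Administrators
# Any one of these alone is enough to escalate a host to "high".
HIGH_CONFIDENCE = {"c2_contact", "mimic_artifact", "known_account_name"}

# Constructed sample telemetry (Security log ids 4720/4732, Sysmon ids 3/11/13).
SAMPLE_EVENTS = [
    {"host": "srv-confluence", "event_id": 4720, "target_user": "noname"},
    {"host": "srv-confluence", "event_id": 4732, "target_user": "noname",
     "group_sid": "S-1-5-32-544"},
    {"host": "srv-confluence", "event_id": 13, "value": "0",
     "registry_path": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"},
    {"host": "srv-confluence", "event_id": 13, "value": "1",
     "registry_path": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
    {"host": "srv-confluence", "event_id": 3, "dest_ip": "45.227.254.124", "dest_port": 443},
    {"host": "fs-01", "event_id": 11, "file_path": r"C:\Users\Public\MIMIC_LOG.txt"},
    {"host": "fs-01", "event_id": 11, "file_path": r"D:\shares\finance\Q1.xlsx.ELPACO-team"},
    {"host": "ws-07", "event_id": 4720, "target_user": "j.doe"},  # routine onboarding
]


def classify(event):
    """Map one event to zero or more indicator names from the report's TTP list."""
    eid = event.get("event_id")
    found = []
    if eid == 4720:  # Security: a user account was created
        found.append("local_user_created")
        if event.get("target_user", "").lower() == KNOWN_ACCOUNT:
            found.append("known_account_name")
    elif eid == 4732 and event.get("group_sid") in ADMIN_GROUP_SIDS:
        found.append("user_added_to_admins")  # member added to local Administrators
    elif eid == 13:  # Sysmon: registry value set
        path = event.get("registry_path", "").lower()
        if path.endswith("fdenytsconnections") and str(event.get("value")) == "0":
            found.append("rdp_enabled")
        if path.endswith("disableantispyware") and str(event.get("value")) == "1":
            found.append("defender_disabled")
    elif eid == 3 and event.get("dest_ip") in KNOWN_C2_IPS:  # Sysmon: network connection
        found.append("c2_contact")
    elif eid == 11:  # Sysmon: file created
        name = event.get("file_path", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in RANSOM_ARTIFACTS or name.endswith(RANSOM_EXT):
            found.append("mimic_artifact")
    return found


def correlate(events):
    """Group indicators per host and assign a severity: a single high-confidence
    indicator or three weaker ones is "high", two weaker ones "medium", one "low"."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(classify(ev))
    report = {}
    for host, inds in per_host.items():
        if not inds:
            continue
        if inds & HIGH_CONFIDENCE or len(inds) >= 3:
            sev = "high"
        elif len(inds) == 2:
            sev = "medium"
        else:
            sev = "low"
        report[host] = {"indicators": sorted(inds), "severity": sev}
    return report


def flagged_hosts(events):
    """Hosts that warrant analyst attention (anything above "low")."""
    return sorted(h for h, r in correlate(events).items() if r["severity"] != "low")


if __name__ == "__main__":
    for host, row in correlate(SAMPLE_EVENTS).items():
        print(f'{host:16} {row["severity"]:6} {", ".join(row["indicators"])}')
```

A single account creation stays "low" on purpose, since onboarding produces the same 4720 event; it is the combination with RDP/Defender changes or the known IoCs that raises the host.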
The Russia-linked threat actor COLDRIVER, also known as UNC4057, Star Blizzard, and Callisto, is distributing a new information stealer called LOSTKEYS. This malware is spread using ClickFix-like social engineering lures, specifically fake CAPTCHA verification prompts designed to trick users into manually copying and pasting malicious PowerShell commands into their terminals.
LOSTKEYS, which is a VBS script, is designed to steal sensitive files from hard-coded lists of extensions and directories, collect system information, and list running processes. It also aims to steal account credentials, emails, and contacts. COLDRIVER’s operations are strategically aligned, targeting NATO governments, Non-Governmental Organizations (NGOs), current and former Western government advisors, militaries, journalists, and think tanks, with the overarching goal of collecting sensitive information that aligns with Russian strategic objectives.
A new campaign, first detected in February 2025, utilizes fake software installers, masquerading as popular tools like LetsVPN and QQ Browser, to deliver the Winos 4.0 framework. This malware was among those impacted by Operation Endgame, suggesting a temporary disruption to its distribution network.
A digital printing solutions provider, Procolored, was found to have offered software drivers infected with multiple malware strains. This included new, previously undetected versions capable of modifying executable files and self-replicating within a network. This discovery highlights a significant and often overlooked supply chain risk, where seemingly legitimate software can become a vector for widespread compromise.
The adaptability and diversification of malware distribution and persistence mechanisms are evident. While major law enforcement operations successfully disrupted the infrastructure of malware like Lumma Stealer and Winos 4.0, the overall volume of attacks and the emergence of new threats persist. This indicates that threat actors rapidly pivot when one avenue is closed or becomes less effective. The diverse initial access vectors observed include spear-phishing, malvertising, brand impersonation (Lumma Stealer), highly deceptive ClickFix social engineering with fake CAPTCHAs and PowerShell commands (COLDRIVER), exploitation of known vulnerabilities in public-facing applications (ELPACO-team), and crucially, malware distribution through seemingly legitimate software drivers (Procolored). The widespread use of “living off the land” techniques, such as leveraging PowerShell in ClickFix campaigns, and custom backdoors further enhances their stealth and persistence, making detection more challenging. This means that merely blocking known malware signatures is insufficient for robust defense; understanding and defending against the methods of delivery and persistence is paramount. Organizations must implement multi-layered and adaptive defenses. This includes not only technical controls such as rapid patching, advanced Endpoint Detection and Response (EDR), network segmentation, and application whitelisting, but also continuous, robust security awareness training for employees. Training should specifically cover recognizing sophisticated social engineering lures, suspicious downloads, and the dangers of executing untrusted commands, as the “human element” remains a critical and frequently exploited vulnerability.
The following table summarizes key malware campaigns and takedowns during the reporting period:
Table: Key Malware Campaigns & Takedowns (May 19-26, 2025)
| Malware Name | Associated Threat Actor(s) | Description/Functionality | Distribution Methods | Key TTPs | Impact/Status | Identified IOCs (Sample) |
|---|---|---|---|---|---|---|
| Lumma Stealer | Lumma Stealer Group (MaaS) | Information stealer: targets browser data (credentials, cookies, history), crypto wallets, credit cards, passwords. | Spear-phishing emails, malvertising, brand impersonation (e.g., Microsoft, Booking.com), and fake AI video tools. | Operates under the MaaS model; difficult for traditional defenses to detect. | Major takedown by Microsoft & global law enforcement (May 21, 2025). Over 394,000 Windows PCs infected (Mar 16-May 16). >2,300 domains seized. | Hashes (MD5, SHA1, SHA256), DLL binaries (iphlpapi.dll, winhttp.dll), numerous domains. |
| ELPACO-team Ransomware | Unspecified (Mimic variant) | Ransomware: encrypts files (.ELPACO-team extension), attempts to halt VMs. | Exploitation of Atlassian Confluence (CVE-2023-22527), RDP, and SMB. | Metasploit, AnyDesk, new admin users, Zerologon attempts, Mimikatz, ProcessHacker, Impacket, and disabling Windows Defender. | Active exploitation, ransomware deployment. | IPs: 45.227.254.124, 91.191.209.46. Hashes (SHA256) for elpaco-team.exe, mimikatz.exe, processhacker-2.39-setup.exe, etc. |
| LOSTKEYS | COLDRIVER (UNC4057, Star Blizzard, Callisto) | Information stealer: steals files (hard-coded extensions/dirs), system info, running processes, credentials, emails, contacts. | ClickFix social engineering (fake CAPTCHA, PowerShell commands). | Leverages PowerShell, VBS scripts, and targets government/NATO. | Active campaign, espionage-focused. | Not listed in the sources reviewed; the advisory indicates IOCs are available. |
| Winos 4.0 | Unspecified | Malware framework: delivered via multi-stage, memory-resident loader (Catena). | Fake software installers (Let’s VPN, QQ Browser). | Multi-stage infection chain. | Impacted by Operation Endgame (May 19-22, 2025). | Not listed in the sources reviewed. |
| Procolored Malware | Unspecified | Various malware strains, including new self-replicating variants. | Infected printer software drivers from the vendor’s file-sharing database. | Supply chain compromise, self-replication. | Widespread infection, vendor removed infected downloads. | Not listed in the sources reviewed. |
The week of May 19-26, 2025, brought critical updates regarding actively exploited vulnerabilities, underscoring the dynamic nature of the threat landscape and the imperative for rapid patching.
On May 19, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added six new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. This designation signifies active exploitation in the wild and mandates urgent remediation for federal agencies, serving as a strong recommendation for all organizations.
The six newly added vulnerabilities are itemized in the table at the end of this section.
Two critical vulnerabilities in SAP NetWeaver, CVE-2025-31324 (Missing Authorization Check) and CVE-2025-42999 (a flaw in the Visual Composer component), have been under active exploitation. These flaws allow unauthenticated file uploads and remote code execution, potentially granting backdoor access to the entire hosted environment. This unauthorized access can then enable lateral movement into additional connected applications, including Industrial Control Systems (ICS). Multiple China-based threat groups, including UNC5221, UNC5174, and CL-STA-0048, exploited these vulnerabilities, deploying web shells, reverse shells, and various malware such as PlugX and KrustyLoader. Reports indicated that thousands of servers were reportedly vulnerable before patches were released, underscoring the widespread risk.
Beyond the CISA KEV additions and SAP NetWeaver issues, other vulnerabilities warrant attention:
The accelerating exploitation lifecycle and the criticality of patch management are increasingly evident. Multiple critical vulnerabilities, including those in Ivanti EPMM, SAP NetWeaver, Srimax Output Messenger, and ZKTeco BioTime, are explicitly stated to be actively exploited in the wild. The exploitation of Ivanti EPMM was observed just days after the public PoC releases. Similarly, the SAP NetWeaver flaws were exploited by multiple groups, impacting thousands of servers, before patches were widely applied. CISA’s rapid addition of these to the KEV catalog signifies an immediate, real-world threat. This pattern demonstrates an accelerating exploitation lifecycle. The time window between vulnerability disclosure and active exploitation, often fueled by the rapid availability of public Proof-of-Concept exploits, is shrinking. Attackers prioritize widely adopted software and critical infrastructure components because a single exploit can yield a high number of vulnerable targets. Inadequate or delayed patching, even by a few days or weeks, creates a significant and easily exploitable window of opportunity for attackers. This makes timely and comprehensive patch management not just a best practice, but a critical, time-sensitive defense. Organizations must move beyond traditional, scheduled patching cycles. They need to implement a robust, risk-based vulnerability management program that prioritizes patching of actively exploited and critical vulnerabilities, especially those in internet-facing systems, widely used enterprise software, and critical infrastructure components. Automated patching, continuous vulnerability scanning, and integration with real-time threat intelligence feeds are essential to reduce the attack surface and minimize exposure.
The following table details the critical vulnerabilities added to CISA’s KEV Catalog on May 19, 2025:
Table: Critical Vulnerabilities Added to CISA KEV (May 19, 2025)
| CVE ID | Vulnerability Name | Affected Product(s) | Description | CVSS Score | CISA KEV Date Added | Recommended Mitigation Due Date |
|---|---|---|---|---|---|---|
| CVE-2025-4427 | Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability | Ivanti EPMM | Allows unauthenticated attackers to bypass authentication. | Not explicitly listed, but critical | May 19, 2025 | June 9, 2025 |
| CVE-2025-4428 | Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability | Ivanti EPMM | Allows unauthenticated attackers to execute arbitrary code when chained with CVE-2025-4427. | Not explicitly listed, but critical | May 19, 2025 | June 9, 2025 |
| CVE-2024-11182 | MDaemon Email Server Cross-Site Scripting (XSS) Vulnerability | MDaemon Email Server | Allows a remote attacker to load arbitrary JavaScript code via HTML email. | Not explicitly listed | May 19, 2025 | Not explicitly listed |
| CVE-2025-27920 | Srimax Output Messenger Directory Traversal Vulnerability | Srimax Output Messenger | Allows authenticated users to drop malicious files to the server’s startup directory. | Not explicitly listed | May 19, 2025 | Not explicitly listed |
| CVE-2024-27443 | Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability | Synacor Zimbra Collaboration Suite (ZCS) | XSS vulnerability in CalendarInvite feature. | Not explicitly listed | May 19, 2025 | Not explicitly listed |
| CVE-2023-38950 | ZKTeco BioTime Path Traversal Vulnerability | ZKTeco BioTime | Allows unauthenticated attacker to read arbitrary files via crafted payload. | Not explicitly listed | May 19, 2025 | Not explicitly listed |
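The risk-based prioritization argued for above (exploited CVEs first, internet-facing and business-critical systems first, KEV due dates as the clock) can be reduced to a small scoring routine. The Python below is an added example, not the report's or CISA's code: its KEV snapshot reuses only the six CVE ids, products and due dates from the table above (dates the table does not give are left as None), while the asset inventory, the exact-name product matching and the scoring weights are assumptions.

```python
from datetime import date

# KEV snapshot built from the six entries in the table above.  Due dates the
# page does not give are left as None rather than invented.
KEV_SNAPSHOT = [
    {"cve": "CVE-2025-4427", "product": "Ivanti EPMM", "due": date(2025, 6, 9)},
    {"cve": "CVE-2025-4428", "product": "Ivanti EPMM", "due": date(2025, 6, 9)},
    {"cve": "CVE-2024-11182", "product": "MDaemon Email Server", "due": None},
    {"cve": "CVE-2025-27920", "product": "Srimax Output Messenger", "due": None},
    {"cve": "CVE-2024-27443", "product": "Zimbra Collaboration Suite", "due": None},
    {"cve": "CVE-2023-38950", "product": "ZKTeco BioTime", "due": None},
]

# Constructed asset inventory (hypothetical hosts); criticality is 1..3.
ASSETS = [
    {"host": "mdm-01", "product": "Ivanti EPMM", "internet_facing": True, "criticality": 3},
    {"host": "mail-02", "product": "MDaemon Email Server", "internet_facing": True, "criticality": 2},
    {"host": "hr-time-01", "product": "ZKTeco BioTime", "internet_facing": False, "criticality": 1},
    {"host": "tickets-01", "product": "Internal Ticketing App", "internet_facing": True, "criticality": 2},
]


def kev_matches(asset, kev):
    """Return KEV entries whose product matches this asset (exact, case-insensitive)."""
    name = asset["product"].strip().lower()
    return [e for e in kev if e["product"].strip().lower() == name]


def score_asset(asset, matches, today):
    """Score an asset: 10 per actively exploited CVE, doubled if internet-facing,
    multiplied by business criticality, plus an urgency bonus from the KEV due date."""
    if not matches:
        return 0
    score = 10 * len(matches)
    if asset["internet_facing"]:
        score *= 2
    score *= asset["criticality"]
    due_dates = [m["due"] for m in matches if m["due"] is not None]
    if due_dates:
        days_left = (min(due_dates) - today).days
        if days_left < 0:
            score += 50  # already past the KEV remediation date
        elif days_left <= 14:
            score += 25  # due within two weeks
    return score


def prioritize(assets, kev, today):
    """Rank assets with at least one KEV match, highest score first.
    `today` may be a date or an ISO string; it is explicit so results are reproducible."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    ranked = []
    for asset in assets:
        matches = kev_matches(asset, kev)
        if not matches:
            continue
        due_dates = [m["due"] for m in matches if m["due"] is not None]
        ranked.append({
            "host": asset["host"],
            "score": score_asset(asset, matches, today),
            "cves": sorted(m["cve"] for m in matches),
            "earliest_due": min(due_dates) if due_dates else None,
        })
    ranked.sort(key=lambda r: (-r["score"], r["host"]))
    return ranked


if __name__ == "__main__":
    for row in prioritize(ASSETS, KEV_SNAPSHOT, "2025-05-26"):
        print(f'{row["host"]:12} score={row["score"]:4} due={row["earliest_due"]} {", ".join(row["cves"])}')
```

In practice the snapshot would be refreshed from the published KEV feed and the product match replaced by CPE matching; the ranking logic stays the same.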
The week of May 19-26, 2025, provided further insights into the evolving tactics and targets of several prominent threat actors, highlighting the diverse motivations and sophisticated approaches employed in the cyber domain.
This prominent cybercriminal group has reportedly shifted its primary focus from the UK to US retailers. Scattered Spider is notorious for its sophisticated social engineering tactics, particularly impersonating employees during IT help desk calls to gain unauthorized system access and bypass traditional security controls. Their motivations appear to be a blend of financial gain and notoriety, often timing their attacks to generate maximum media exposure and impact. During this period, luxury brands like Dior, Harrods, and Marks & Spencer were compromised, with Dior’s breach specifically exposing sensitive customer data in China and South Korea.
Identified as a Russia-linked threat actor group, COLDRIVER continues to pose a significant espionage threat. This group employs ClickFix-like social engineering lures, presenting fake CAPTCHA prompts to trick users into manually copying and pasting malicious PowerShell commands into their terminals. They are distributing a new information stealer, LOSTKEYS, which is designed to steal sensitive files (based on hard-coded extensions and directories), collect system information, and list running processes. COLDRIVER is also known to steal account credentials, emails, and contacts. Their operations are strategically aligned, targeting NATO governments, Non-Governmental Organizations (NGOs), current and former Western government advisors, militaries, journalists, and think tanks, with the goal of collecting sensitive information that aligns with Russian strategic objectives.
This Chinese threat actor has been linked to recent cyberattacks targeting a U.S. trade group and a Mexican research institute. FamousSparrow deploys web shells on Internet Information Services (IIS) servers, often exploiting outdated Windows Server and Microsoft Exchange Server versions to gain initial access. They then proceed to deliver their flagship backdoor, SparrowDoor, and the ShadowPad malware.
Lemon Sandstorm is an Iran-based state-sponsored cyber actor, also operating under the moniker “xplfinder” since 2024. This group actively exploits U.S. organizations across various sectors, including education, finance, healthcare, defense, and local government, as well as entities in Israel, Azerbaijan, and the UAE. Their techniques include capturing login credentials using webshells on compromised Netscaler devices, deploying webshells to specific directories, placing additional webshells after system owners patch vulnerabilities, creating accounts on victim networks, requesting exemptions to zero-trust policies, and using DLL side-loading. They have demonstrated the ability to maintain long-term access (nearly two years) to Middle East critical national infrastructure (CNI) via VPN flaws and custom backdoors like HanifNet and HXLibrary. Notably, Lemon Sandstorm has been observed working with financially motivated ransomware groups such as NoEscape, ALPHV (BlackCat), and Ransomhouse. In some cases, they provide initial access to these ransomware affiliates or work in tandem with them to lock victim networks and implement extortion strategies.
NoName057(16) is a pro-Russian hacktivist group primarily known for Distributed Denial-of-Service (DDoS) attacks. They utilize a custom DDoS tool named DDoSia and frequently escalate attacks during periods of heightened geopolitical tension. On May 4, 2025, they launched DDoS attacks against multiple Romanian government websites on election day. They had also targeted Italian ministries and critical infrastructure in January 2025. Their targets are consistently Western and pro-NATO countries, including financial institutions, government websites, transportation services, and critical infrastructure in Ukraine, Poland, Denmark, Lithuania, Italy, the Czech Republic, Canada, and Romania.
The convergence of cybercrime and state-sponsored activity represents a significant and evolving threat. Lemon Sandstorm, an Iranian state-sponsored Advanced Persistent Threat (APT) group, is explicitly documented as collaborating with financially motivated ransomware groups such as NoEscape and BlackCat, either by providing them with initial access or by working jointly on extortion campaigns. This direct link between nation-state and cybercriminal operations is a concerning development, and broader reports corroborate the trend, citing the “proliferation of cyber mercenaries” and the blurring of lines between criminal and nation-state activity. As another example, COLDRIVER, identified as a Russian government-backed threat group, is distributing new information-stealing malware (LOSTKEYS) via social engineering tactics commonly employed in financially motivated cybercrime. The consistent pattern is that nation-state actors increasingly leverage or directly employ existing cybercriminal infrastructure, tools, and expertise for strategic objectives such as espionage or disruption. The relationship is symbiotic: the criminals gain financially, while the nation-states gain plausible deniability and access to a wider range of TTPs. This convergence complicates both attribution and defense, because the motivation behind an attack may be mixed: financial gain as a cover for espionage, for instance, or disruption as a means to an end. Organizations must therefore recognize that a seemingly financially motivated attack, such as ransomware, could be a cover or an enabler for state-sponsored objectives.
Defensive strategies need to be comprehensive enough to account for a wider range of TTPs, including those traditionally associated with cybercrime, even when the ultimate objective might be geopolitical influence or intelligence gathering. This requires a holistic threat intelligence approach that analyzes both criminal and state-sponsored playbooks to anticipate and defend against complex, multi-faceted threats.
Effective cybersecurity relies heavily on timely and actionable intelligence sharing. The past week saw critical advisories and updates from key government and industry bodies, emphasizing the growing importance of collaborative defense.
On May 21, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA). This advisory detailed the Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) associated with threat actors deploying LummaC2 malware. This malware poses a serious threat, capable of infiltrating networks and exfiltrating sensitive information from vulnerable individuals’ and organizations’ computer networks across U.S. critical infrastructure sectors. The advisory includes IOCs tied to infections observed from November 2023 through May 2025, underscoring the ongoing nature of this threat.
The Multi-State Information Sharing and Analysis Center (MS-ISAC) continued to provide crucial updates and resources:
The growing importance of collaborative threat intelligence and sector-specific focus is a key observation. The CISA/FBI joint advisory on LummaC2 targeting critical infrastructure and the MS-ISAC’s provision of real-time indicator feeds highlight a concerted effort by government agencies to disseminate actionable threat intelligence. The MS-ISAC’s K-12 Cybersecurity Report specifically details the high rate of cyberattacks on schools, emphasizing their unique vulnerabilities and the need for tailored defenses. The success of the Lumma Stealer takedown operation, involving coordination among Microsoft, the U.S. Department of Justice, Europol, and Japan’s JC3, further underscores the necessity of global collaboration. Effective defense against the increasingly sophisticated and widespread cyber threats requires a collaborative approach to threat intelligence. This involves not only formal government advisories but also real-time sharing of Indicators of Compromise (IOCs) and detailed, sector-specific reports. Such collaboration enables organizations to leverage collective defense capabilities, receive targeted intelligence relevant to their unique risk profiles, and participate in broader efforts to disrupt cybercriminal operations. The emphasis on K-12 schools, for instance, shows a recognition that general advisories may not be sufficient for all sectors, necessitating specialized guidance. Therefore, organizations should actively engage with and contribute to threat intelligence platforms and Information Sharing and Analysis Centers (ISACs/ISAOs) relevant to their industry or sector. Integrating these real-time feeds and specialized reports into their security operations allows for more proactive and tailored defense strategies, moving beyond generic security measures to address specific, evolving threats.
The following table provides specific Indicators of Compromise (IOCs) for LummaC2 malware, as detailed in the CISA advisory:
Table: LummaC2 Indicators of Compromise (IOCs)

| Indicator Type | Hash/Domain | Description |
|---|---|---|
| MD5 hash | 4AFDC05708B8B39C82E60ABE3ACE55DB | LummaC2.exe (November 2023) |
| MD5 hash | E05DF8EE759E2C955ACC8D8A47A08F42 | LummaC2.exe (November 2023) |
| MD5 hash | C7610AE28655D6C1BCE88B5D09624FEF | LummaC2.exe |
| SHA1 hash | 1239288A5876C09D9F0A67BCFD645735168A7C80 | LummaC2.exe (November 2023) |
| SHA1 hash | B66DA4280C6D72ADCC68330F6BD793DF56A853CB | LummaC2.exe (November 2023) |
| TLSH hash | 3B267FA5E1D1B18411C22E97B367258986E871E5 | LummaC2.exe |
| SHA256 hash | 19CC41A0A056E503CC2137E19E952814FBDF14F8D83F799AEA9B96ABFF11EFBB | LummaC2.exe (November 2023) |
| SHA256 hash | 2F31D00FEEFE181F2D8B69033B382462FF19C35367753E6906ED80F815A7924F | LummaC2.exe (November 2023) |
| SHA256 hash | 4D74F8E12FF69318BE5EB383B4E56178817E84E83D3607213160276A7328AB5D | LummaC2.exe |
| SHA256 hash | 325daeb781f3416a383343820064c8e98f2e31753cd71d76a886fe0dbb4fe59a | LummaC2.exe |
| SHA256 hash | 76e4962b8ccd2e6fd6972d9c3264ccb6738ddb16066588dfcb223222aaa88f3c | LummaC2.exe |
| SHA256 hash | 7a35008a1a1ae3d093703c3a34a21993409af42eb61161aad1b6ae4afa8bbb70 | LummaC2.exe |
| SHA256 hash | a9e9d7770ff948bb65c0db24431f75dd934a803181afa22b6b014fac9a162dab | LummaC2.exe |
| SHA256 hash | b287c0bc239b434b90eef01bcbd00ff48192b7cbeb540e568b8cdcdc26f90959 | LummaC2.exe |
| SHA256 hash | ca47c8710c4ffb4908a42bd986b14cddcca39e30bb0b11ed5ca16fe8922a468b | LummaC2.exe |
| DLL binary | iphlpapi.dll | IP Helper API |
| DLL binary | winhttp.dll | Windows HTTP Services |
| Observed domains | Pinkipinevazzey[.]pw, Fragnantbui[.]shop, Medicinebuckerrysa[.]pw, Musicallyageop[.]pw, stogeneratmns[.]shop, wallkedsleeoi[.]shop, Tirechinecarpet[.]pw, reinforcenh[.]shop, reliabledmwqj[.]shop, Musclefarelongea[.]pw, Forbidstow[.]site, gutterydhowi[.]shop, Fanlumpactiras[.]pw, Computeryrati[.]site, Contemteny[.]site, Ownerbuffersuperw[.]pw, Seallysl[.]site, Dilemmadu[.]site, Freckletropsao[.]pw, Opposezmny[.]site, Faulteyotk[.]site, Hemispheredodnkkl[.]pw, Goalyfeastz[.]site, Authorizev[.]site, ghostreedmnu[.]shop, Servicedny[.]site, blast-hubs[.]com, offensivedzvju[.]shop, friendseforever[.]help, blastikcn[.]com, vozmeatillu[.]shop, shiningrstars[.]help, penetratebatt[.]pw, drawzhotdog[.]shop, mercharena[.]biz, pasteflawwed[.]world, generalmills[.]pro, citywand[.]live, hoyoverse[.]blog, nestlecompany[.]pro, esccapewz[.]run, dsfljsdfjewf[.]info, naturewsounds[.]help, travewlio[.]shop, decreaserid[.]world, stormlegue[.]com, touvrlane[.]bet, governoagoal[.]pw, paleboreei[.]biz, calmingtefxtures[.]run, foresctwhispers[.]top, tracnquilforest[.]life, sighbtseeing[.]shop, advennture[.]top, collapimga[.]fun, holidamyup[.]today, pepperiop[.]digital, seizedsentec[.]online, triplooqp[.]world, easyfwdr[.]digital, strawpeasaen[.]fun, xayfarer[.]live, jrxsafer[.]top, quietswtreams[.]life, oreheatq[.]live, plantainklj[.]run, starrynsightsky[.]icu, castmaxw[.]run, puerrogfh[.]live, earthsymphzony[.]today, weldorae[.]digital, quavabvc[.]top, citydisco[.]bet, steelixr[.]live, furthert[.]run, featureccus[.]shop, smeltingt[.]run, targett[.]top, mrodularmall[.]top, ferromny[.]digital, ywmedici[.]top, jowinjoinery[.]icu, rodformi[.]run, legenassedk[.]top, htardwarehu[.]icu, metalsyo[.]digital, ironloxp[.]live, cjlaspcorne[.]icu, navstarx[.]shop, bugildbett[.]top, latchclan[.]shop, spacedbv[.]world, starcloc[.]bet, rambutanvcx[.]run, galxnetb[.]today, pomelohgj[.]top, scenarisacri[.]top, jawdedmirror[.]run, changeaie[.]top, lonfgshadow[.]live, liftally[.]top, nighetwhisper[.]top, salaccgfa[.]top, zestmodp[.]top, owlflright[.]digital, clarmodq[.]top, piratetwrath[.]run, hemispherexz[.]top, quilltayle[.]live, equatorf[.]run, latitudert[.]live, longitudde[.]digital, climatologfy[.]top, starofliught[.]top | Domains observed deploying LummaC2 malware (historical, may not be currently malicious) |
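The table is only useful once it is turned into something a SIEM or a script can match. The following is an added example, not part of the CISA advisory or of this report: it normalises a subset of the table's hashes and defanged domains, matches digest records of the kind an EDR exports, and scans DNS resolver log lines for queries to the listed domains or their subdomains. The hash and domain values are the table's own; the DNS log lines, client addresses and the digest record are constructed for the demo. Two details matter for defenders: hashes are compared case-insensitively because exports disagree on case, and domains are matched on label boundaries, because several of the listed domains (generalmills[.]pro, nestlecompany[.]pro, hoyoverse[.]blog) imitate real brands and a substring match would flag the legitimate domains as well.

```python
"""Added example (not part of the CISA advisory or this report): match the
LummaC2 IOC table against file digests and DNS query logs. Hash and domain
values are the table's own; the DNS log, client addresses and the digest
record are constructed for the demo."""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Subset of the table's hashes, normalised to lower case once so that
# comparisons against mixed-case EDR or sandbox exports do not miss.
IOC_HASHES: Dict[str, set] = {
    "md5": {h.lower() for h in (
        "4AFDC05708B8B39C82E60ABE3ACE55DB",
        "E05DF8EE759E2C955ACC8D8A47A08F42",
        "C7610AE28655D6C1BCE88B5D09624FEF",
    )},
    "sha1": {h.lower() for h in (
        "1239288A5876C09D9F0A67BCFD645735168A7C80",
        "B66DA4280C6D72ADCC68330F6BD793DF56A853CB",
    )},
    "sha256": {h.lower() for h in (
        "19CC41A0A056E503CC2137E19E952814FBDF14F8D83F799AEA9B96ABFF11EFBB",
        "325daeb781f3416a383343820064c8e98f2e31753cd71d76a886fe0dbb4fe59a",
    )},
}

# A few of the defanged domains from the table, exactly as published.
DEFANGED_DOMAINS = [
    "Pinkipinevazzey[.]pw", "blast-hubs[.]com", "generalmills[.]pro",
    "nestlecompany[.]pro", "stormlegue[.]com", "hoyoverse[.]blog",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator (or a logged query name) into a comparable hostname."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def match_digests(digests: Dict[str, str]) -> List[str]:
    """Given {algorithm: hexdigest} as exported by an EDR or sandbox, return the
    algorithm names whose value appears in the IOC set."""
    return [algo for algo, value in digests.items()
            if algo.lower() in IOC_HASHES and value.lower() in IOC_HASHES[algo.lower()]]


def digests_of(data: bytes) -> Dict[str, str]:
    """Compute the three digest types the table uses for a file's bytes."""
    return {algo: hashlib.new(algo, data).hexdigest()
            for algo in ("md5", "sha1", "sha256")}


def domain_matches(qname: str) -> Optional[str]:
    """Return the IOC domain that qname equals or is a subdomain of, else None.
    Label-boundary matching keeps brand lookalikes such as generalmills[.]pro
    from matching the real brand's domain on another TLD."""
    q = refang(qname)
    for ioc in IOC_DOMAINS:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


# Constructed resolver log lines, not real traffic.
DNS_LOG = """\
2025-05-22T10:01:02Z client=10.0.0.15 qname=www.example.com qtype=A
2025-05-22T10:01:09Z client=10.0.0.15 qname=blast-hubs.com qtype=A
2025-05-22T10:02:31Z client=10.0.0.42 qname=cdn.generalmills.pro qtype=A
2025-05-22T10:03:00Z client=10.0.0.42 qname=generalmills.com qtype=A
2025-05-22T10:04:12Z client=10.0.0.77 qname=notstormlegue.com qtype=A
"""
LOG_RE = re.compile(r"client=(\S+)\s+qname=(\S+)")


def scan_dns_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, queried name, matched IOC) for each line that queries an
    IOC domain or one of its subdomains."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        client, qname = m.groups()
        ioc = domain_matches(qname)
        if ioc:
            hits.append((client, qname, ioc))
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(DNS_LOG):
        print("DNS hit:", hit)
    print("digest hit:", match_digests(
        {"SHA256": "19CC41A0A056E503CC2137E19E952814FBDF14F8D83F799AEA9B96ABFF11EFBB"}))
```

Because the advisory marks the domains as historical and possibly no longer malicious, a DNS hit is a reason to pull the client's process and file telemetry for the same window, not a reason to block automatically; a hash hit on an executable, by contrast, is a direct match on a known LummaC2 sample and warrants immediate isolation of the host.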
To effectively counter the evolving cyber threat landscape observed during May 19-26, 2025, organizations should implement a multi-layered and proactive defense strategy focusing on the following key areas:
The cyber threat landscape is expected to remain highly dynamic in the coming week. The resilience of the cybercriminal ecosystem suggests that despite recent law enforcement successes against major malware distribution networks, new variants and affiliate groups are likely to emerge rapidly, adapting their tactics and infrastructure.
Organizations should anticipate ongoing exploitation of recently disclosed critical vulnerabilities, especially those with publicly available Proof-of-Concept exploits. Maintaining extreme vigilance and prioritizing rapid patching will be crucial to closing these windows of opportunity before widespread compromise occurs.
Social engineering, particularly AI-enhanced phishing and fake update campaigns, will continue to be a primary initial access vector. This necessitates continuous employee education and robust email and web security controls to mitigate the human element of risk.
Nation-state actors are expected to persist in their espionage and disruptive activities, potentially leveraging cybercriminal tools and techniques. This continued convergence will further blur the lines between motivations and complicate attribution, requiring a comprehensive threat intelligence approach.
The focus on critical infrastructure, healthcare, and education sectors is likely to continue, given their high impact potential and perceived vulnerabilities. These sectors should remain on high alert and implement sector-specific defense strategies.
In summary, continuous vigilance, adaptive defense strategies, and proactive consumption of actionable threat intelligence will be paramount for maintaining a strong security posture in the face of these evolving and increasingly sophisticated threats.
CONTACT INFORMATION
For further inquiries or guidance regarding this report, please contact the Meraal Cyber Security (MCS) Threat Intelligence Team.
Note on Sources and Intelligence: This report synthesizes information from various credible sources, including public advisories from organizations like CISA, MITRE, and MS-ISAC, alongside internal analysis and emerging threat intelligence. Efforts have been made to differentiate between confirmed intelligence and speculative or unverified information to maintain accuracy and credibility.