The global cybersecurity environment exhibited increased threat activity, driven by the rising frequency of ransomware attacks, exploitation of critical vulnerabilities, third-party risks, and early signs of AI weaponization. Healthcare, finance, government, and critical infrastructure sectors were significantly affected. Threat actors showed evolving tactics, including credential abuse, phishing innovations such as “ClickFix,” Linux-targeted malware, and data exfiltration through compromised supply chains. Political and budgetary shifts affecting cybersecurity organizations (e.g., CISA) also introduced broader systemic risks. This report details the week’s key incidents, vulnerabilities, threat actor behaviors, and malware trends, and provides clear recommendations for strengthening defenses.
2. Top 5 Security Incidents
| Date | Threat | Type | Sector | Impact |
|---|---|---|---|---|
| Apr 26 | Loopscale Crypto Theft | Financial Theft | Finance | $5.8M in cryptocurrencies stolen |
| Apr 25 | Stadt Nürnberg DDoS | Service Disruption | Government | Website intermittently inaccessible |
| Apr 24 | TV Ciudad Website Defacement | Disinformation Attack | Media | False images and political threats posted |
| Apr 21 | Onsite Mammography Breach | Data Breach | Healthcare | 357,265 individuals affected via email systems |
| Apr 11 | Yale New Haven Health System Breach | Massive Data Breach | Healthcare | 5.5 million individuals’ data compromised via network server |
Other notable incidents:
Prefeitura Marabá (Brazil): Website compromised.
BankID (Sweden): DDoS disrupted electronic ID services for 3 hours.
Santa Fe ISD (Texas, USA): Cyber event disrupted campus networks.
City of Abilene (Texas, USA): Reported a cyberattack on municipal systems.
Saint James Hospital Group (Malta): Reported ransomware attack.
Marks & Spencer (UK): Click-and-collect service disruption due to cyberattack.
3. New Critical Vulnerabilities (CVEs)
| CVE ID | Severity | Product | Exploited? | Action Needed |
|---|---|---|---|---|
| CVE-2025-29824 | Critical | Windows Common Log File System Driver | Yes | Patch Immediately |
| CVE-2025-26670 | Critical | Windows LDAP | No | Patch Soon |
| CVE-2025-27480, CVE-2025-27482 | Critical | Windows RDP | No | Patch Now |
| CVE-2025-27745, CVE-2025-27748, CVE-2025-27749, CVE-2025-27752, CVE-2025-29791 | Critical | Microsoft Office | No | Update Suite |
| CVE-2025-26686 | Critical | Windows TCP/IP | No | Apply Patches |
| CVE-2025-32433 | Critical | Erlang/OTP SSH Server | Yes (PoC Public) | Immediate Action |
| CVE-2025-34028 | Critical | Commvault Command Center | PoC Available | Patch ASAP |
Vendor Updates:
Adobe: 54 CVEs addressed in After Effects, Media Encoder, Photoshop, etc.
Oracle: April 2025 CPU patch across Oracle DB and Middleware.
SonicWall: OS Command Injection vulnerability patched in SMA100 appliances.
SAP: Patched critical 10.0-rated zero-day in NetWeaver.
4. Malware Spotlight
DslogdRAT: Targets Ivanti Connect Secure via a zero-day vulnerability; uses a web shell for C2 communication.
FOG Ransomware: Distributed through phishing emails impersonating government efficiency departments.
FormBook: Fileless stealer delivered by phishing emails disguised as sales orders; evades traditional antivirus detection.
SuperCard X (Android): NFC relay attacks enabling fraudulent POS transactions.
SectopRAT: .NET malware disguised as a Google Docs Chrome extension, used for data theft.
Gorilla Botnet C2, Xeno RAT, Spark RAT, CurlBack RAT, Aurotun Stealer, BRICKSTORM backdoor, PasivRobber: Active strains used in global malware campaigns.
5. Threat Actor Activity Highlights
North Korean Kimsuky, Iranian MuddyWater, Russian APT28: Using “ClickFix” to socially engineer users into pasting malicious commands into terminals.
Earth Kurma (Southeast Asia): OAuth phishing targeting Microsoft 365 accounts tied to Ukraine and human rights work.
UNC5174 (China): Linux-targeted SNOWLIGHT malware and new Remote Access Trojan campaigns.
APT42 (Iran): Using PINEFLOWER Android malware in spearphishing campaigns.
Slow Pisces (North Korea): Malware hidden inside coding challenges to compromise cryptocurrency developers.
RA Lord Ransomware, Rhysida, Akira: Active ransomware groups targeting global organizations.
Clop: Exploiting Managed File Transfer applications for mass data theft campaigns.
RansomHub: Leading active Ransomware-as-a-Service (RaaS) operations.
Evil Corp: Using Dridex and BitPaymer malware for financial attacks.
Sea Turtle (Turkey-linked G1041): Credential theft via spoofed login portals.
Sophisticated phishing: Abusing DKIM and OAuth to bypass email security controls.
6. Actionable Recommendations
Technical Recommendations:
Patch Windows CLFS zero-day (CVE-2025-29824) and Erlang SSH (CVE-2025-32433) immediately.
Implement and enforce MFA across all endpoints and remote services.
Update EDR and antivirus platforms; deploy proactive threat hunting for ransomware IOCs.
Monitor access to GenAI platforms on corporate devices; enforce DLP controls.
Segment critical infrastructure networks and limit internet exposure where possible.
Monitor and apply CISA’s Known Exploited Vulnerabilities (KEV) catalog guidance weekly.
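One way to put the weekly KEV check above into practice, as an added example that is not part of the original report: a Python script that cross-references the CVE IDs from section 3 against a snapshot of CISA's KEV JSON feed. The embedded snapshot is constructed in the feed's schema (field names only; entries, dates and text are illustrative), and in production the catalog would be downloaded from CISA's published feed instead.

```python
import json
from datetime import date

# CVE IDs from section 3 of this report ("27480, 27482" shorthand expanded to full IDs).
REPORT_CVES = [
    "CVE-2025-29824", "CVE-2025-26670", "CVE-2025-27480", "CVE-2025-27482",
    "CVE-2025-26686", "CVE-2025-32433", "CVE-2025-34028",
]

# Constructed snapshot using the field names of CISA's known_exploited_vulnerabilities.json.
# The entries, dates and descriptions are illustrative, not copied from the live catalog.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2025-29824", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Windows Common Log File System Driver vulnerability (constructed)",
     "dateAdded": "2025-04-08", "dueDate": "2025-04-29",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-00000", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
     "vulnerabilityName": "Placeholder entry that is not in this report",
     "dateAdded": "2025-04-20", "dueDate": "2025-05-11",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""


def load_kev(text):
    """Index a KEV JSON document by CVE ID."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def triage(report_cves, kev, today_iso):
    """Map each report CVE to 'overdue', 'N day(s) left' or 'not in KEV'."""
    today = date.fromisoformat(today_iso)
    status = {}
    for cve in report_cves:
        entry = kev.get(cve)
        if entry is None:
            # Absent from KEV does not mean unexploited: the catalog lags vendor
            # advisories and public PoCs, so these still need the section 3 actions.
            status[cve] = "not in KEV"
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        tag = "overdue" if days_left < 0 else f"{days_left} day(s) left"
        if entry.get("knownRansomwareCampaignUse") == "Known":
            tag += " (ransomware use known)"  # KEV flags this explicitly; raise priority
        status[cve] = tag
    return status


if __name__ == "__main__":
    for cve, tag in triage(REPORT_CVES, load_kev(SAMPLE_KEV_JSON), "2025-04-28").items():
        print(f"{cve}: {tag}")
```

Running it on the constructed snapshot shows the CLFS zero-day one day from its KEV due date with ransomware use flagged, while the Erlang/OTP SSH and Commvault issues come back as "not in KEV" despite public PoCs, which is exactly the gap a weekly check should surface.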
Non-Technical Recommendations:
Conduct regular phishing training focusing on new “ClickFix” and AI-themed lures.
Enforce policies around responsible AI platform usage in the workplace.
Promote strong password hygiene practices; mandate password managers where applicable.
Train employees to recognize fake browser extensions and suspicious software downloads.
Encourage immediate reporting of anomalous behavior, even if uncertain.
7. Appendix / Full Details
Additional incidents (not in Top 5):
Cyberattacks on logistics (JDC Logistik, Germany), healthcare (Saint James Hospital Group, Malta), education (Tokai University, Japan), and public services (Oregon DEQ, USA).
Multiple healthcare breaches reported to HHS OCR impacting millions.
Rising cases of ransomware affecting retail, consulting, telecommunications, and financial services worldwide.
Additional critical vulnerabilities (not in Top 5):
Linux Kernel, WordPress Plugins, macOS vulnerabilities disclosed in CISA bulletins.
Supply chain vulnerabilities observed in NPM and third-party packages.
CONTACT INFORMATION
For further inquiries or guidance regarding this report, please contact the Meraal Cyber Security (MCS) Threat Intelligence Team.
Note on Sources and Intelligence: This report synthesizes information from various credible sources, including public advisories from organizations like CISA, MITRE, and MS-ISAC, alongside internal analysis and emerging threat intelligence. Efforts have been made to differentiate between confirmed intelligence and speculative or unverified information to maintain accuracy and credibility.