Date: 2.13.25
Summary: Tools typically employed by Chinese cyberespionage groups have been used in a recent ransomware attack, likely by an individual hacker, Symantec notes in a fresh report.
The toolset includes a legitimate Toshiba executable deployed on the victims’ systems to sideload a malicious DLL that deploys a heavily obfuscated payload containing the PlugX (aka Korplug) backdoor.
According to Symantec, the custom backdoor was previously linked to Mustang Panda (aka Earth Preta), a Chinese espionage group, and had not previously been observed in use by threat actors from other countries.
Source: Security Week
Summary: User-friendly fraud kits that enable amateurs to execute complex attacks against thousands of accounts in minutes are widely available on the dark web according to the latest 2024 Report on Global Identity Fraud from AU10TIX.
Fraud-as-a-Service (FaaS) platforms provide all the tools, templates and automation that fraudsters need, including deepfake generators to create synthetic selfies and videos, botnets to automate mass-scale account creation and takeover, and phishing kits for email and web-based scams.
Source: BetaNews
Summary: A ransomware gang tracked as Codefinger has a new technique for encrypting data stored in AWS S3 buckets without traditional ransomware tooling. Rather than exploiting a software vulnerability, they abuse AWS server-side encryption with customer-provided keys (SSE-C), a legitimate S3 feature, using compromised AWS credentials that have write access to the bucket: the attacker supplies the key, S3 encrypts the objects with it and never stores the key, and the gang then extorts payment in exchange for that key.
Unlike conventional ransomware, the actors do not exfiltrate any data. Instead, they apply an S3 lifecycle policy that marks the encrypted files for deletion within seven days, putting organizations under pressure to pay the ransom or lose their data for good.
Source: Security Boulevard
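The Codefinger item above describes three observable steps: object writes that use SSE-C, a short-lived lifecycle expiration on the bucket, and the fact that SSE-C is a feature that a bucket policy can simply refuse. The Python below is an added example written for this digest, not code from the report or from AWS. It runs offline over a constructed set of CloudTrail-style S3 data events and a constructed lifecycle configuration; the field layout it assumes (the SSE mode recorded in `additionalEventData.SSEApplied` as `SSE_C`, and the `Rules`/`Expiration`/`Days` shape returned by boto3's `get_bucket_lifecycle_configuration`) is an assumption to verify against your own logs. The bucket policy it emits uses the `Null` condition on `s3:x-amz-server-side-encryption-customer-algorithm`, which is the documented IAM condition key for SSE-C requests.

```python
import json

# Constructed sample CloudTrail S3 data events (invented for this example,
# not real logs). Assumed layout: CloudTrail records the encryption mode used
# on a write in additionalEventData.SSEApplied ("SSE_C" = customer-provided key).
SAMPLE_EVENTS = [
    {
        "eventName": "PutObject",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
        "requestParameters": {"bucketName": "corp-data", "key": "finance/q1.xlsx"},
        "additionalEventData": {"SSEApplied": "SSE_C"},
    },
    {
        "eventName": "PutObject",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/backup-writer"},
        "requestParameters": {"bucketName": "corp-data", "key": "finance/q2.xlsx"},
        "additionalEventData": {"SSEApplied": "SSE_KMS"},
    },
    {
        # In-place re-encryption of an existing object: a copy onto itself with SSE-C.
        "eventName": "CopyObject",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
        "requestParameters": {"bucketName": "corp-data", "key": "hr/payroll.csv"},
        "additionalEventData": {"SSEApplied": "SSE_C"},
    },
    {
        "eventName": "PutBucketLifecycle",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
        "requestParameters": {"bucketName": "corp-data"},
    },
]

# Constructed lifecycle configuration for the same bucket, in the shape that
# boto3's s3.get_bucket_lifecycle_configuration() returns (assumed).
SAMPLE_LIFECYCLE = {
    "Rules": [
        {"ID": "expire-tmp", "Status": "Enabled", "Filter": {"Prefix": "tmp/"},
         "Expiration": {"Days": 30}},
        {"ID": "x9k2", "Status": "Enabled", "Filter": {"Prefix": ""},
         "Expiration": {"Days": 7}},
    ]
}

WRITE_EVENTS = {"PutObject", "CopyObject"}


def find_ssec_writes(events, allowed_principals=frozenset()):
    """Return (principal, bucket, key) for each object write that used SSE-C
    and came from a principal not on the allowlist of known SSE-C users."""
    hits = []
    for ev in events:
        if ev.get("eventName") not in WRITE_EVENTS:
            continue
        if ev.get("additionalEventData", {}).get("SSEApplied") != "SSE_C":
            continue
        principal = ev.get("userIdentity", {}).get("arn", "")
        if principal in allowed_principals:
            continue
        params = ev.get("requestParameters", {})
        hits.append((principal, params.get("bucketName"), params.get("key")))
    return hits


def short_expiration_rules(lifecycle, max_days=7):
    """Return IDs of enabled lifecycle rules that expire objects within
    max_days. A bucket-wide rule of this kind is the deletion timer in the
    extortion pattern; legitimate short expirations are usually prefix-scoped."""
    suspicious = []
    for rule in lifecycle.get("Rules", []):
        days = rule.get("Expiration", {}).get("Days")
        if rule.get("Status") == "Enabled" and days is not None and days <= max_days:
            suspicious.append(rule["ID"])
    return suspicious


def deny_ssec_policy(bucket):
    """Bucket policy statement that refuses any object write carrying an SSE-C
    header. The Null condition is true when the header is absent, so denying
    when it is "false" blocks exactly the requests that supply a customer key."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyCustomerProvidedKeys",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {
                "Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}
            },
        }],
    }


if __name__ == "__main__":
    for principal, bucket, key in find_ssec_writes(SAMPLE_EVENTS):
        print(f"SSE-C write by {principal} to s3://{bucket}/{key}")
    print("short-lived expiration rules:", short_expiration_rules(SAMPLE_LIFECYCLE))
    print(json.dumps(deny_ssec_policy("corp-data"), indent=2))
```

The deny statement is a blanket refusal; if a workload genuinely uses SSE-C, scope the statement with a `NotPrincipal` or a second condition before applying it, and pair it with a CloudTrail alert on `PutBucketLifecycle` from principals that never normally touch bucket configuration. Both checks assume S3 data events are enabled in CloudTrail for the bucket; without them the `PutObject` and `CopyObject` records above do not exist.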
Summary: Threat hunters have shed light on a new campaign targeting the foreign ministry of an unnamed South American nation with bespoke malware capable of granting remote access to infected hosts.
The activity, detected in November 2024, has been attributed by Elastic Security Labs to a threat cluster it tracks as REF7707. Some of the other targets include a telecommunications entity and a university, both located in Southeast Asia.
Source: The Hacker News
Summary: Governments of the United States’ chief adversaries in cyberspace, especially Russia, have increasingly been relying on cybercriminals and their tools to advance their goals, according to a Google report published Tuesday.
There has long been overlap between government and criminal cyber operators, but governments are now enjoying the benefits of collaboration and borrowing more, both for the general advantages these provide and in response to some specific conditions, the Google Threat Intelligence Group report concludes.
Source: Cyber Scoop
Summary: Some say artificial intelligence (AI) has changed healthcare in ways we couldn’t have imagined just a few years ago. It’s now used for everything from paperwork to helping doctors make better diagnoses. But like any new tech, there are risks involved.
Currently, AI is both a potent defense mechanism and an attacker enabler. Therefore, the question that must be asked is clear: Is AI an enemy or a friend of cybersecurity in healthcare? Honestly, the answer is both.
Source: Dark Reading
Summary: Cyber threats are increasingly incorporating legitimate services in their attack chain, researchers warn.
In its latest threat intelligence report, email security platform Mimecast said it flagged more than 5 billion threats in the second half of 2024.
Source: IT Pro
Summary: Salt Typhoon, a Chinese state-sponsored threat actor best known for recently breaching almost a dozen telecom providers in the US, has struck again, hitting not just American organizations, but also those from the UK, South Africa, and elsewhere around the world.
The latest intrusions were spotted by cybersecurity researchers from Recorded Future, who said the group is targeting internet-exposed web management interfaces of Cisco IOS software running on the company's routers and switches. These devices have known vulnerabilities that the threat actors are actively exploiting to gain initial access, root privileges, and more; exposing the web UI to the internet is the precondition for the whole chain.
Source: Tech Radar
Summary: A nation-state threat actor with ties to North Korea has been linked to an ongoing campaign targeting South Korean business, government, and cryptocurrency sectors.
The attack campaign, dubbed DEEP#DRIVE by Securonix, has been attributed to a hacking group known as Kimsuky, which is also tracked under the names APT43, Black Banshee, Emerald Sleet, Sparkling Pisces, Springtail, TA427, and Velvet Chollima.
Source: The Hacker News
Summary: A subgroup of Russia’s Sandworm APT has been working to achieve initial and persistent access to the IT networks of organizations working in economic sectors Russia is interested in.
“In 2022, its primary focus was Ukraine, specifically targeting the energy, retail, education, consulting, and agriculture sectors. In 2023, it globalized the scope of its compromises, leading to persistent access within numerous sectors in the United States, Europe, Central Asia, and the Middle East,” Microsoft’s researchers shared on Wednesday.
Source: HelpNet Security
Summary: A Russian state-backed hacking group is executing one of the most far-reaching cyber espionage campaigns ever seen, infiltrating critical infrastructure across multiple continents by exploiting vulnerabilities in IT management software.
The operation, attributed to the notorious Russian threat actor Seashell Blizzard, has compromised high-profile targets in energy, telecommunications, defense, and government sectors, including in the US, Canada, Australia, and the UK, Microsoft said in a report.
Source: CSO
Summary: Russian-backed hackers, specifically the Sandworm APT group (also known as APT44 or UAC-0145), have been using trojanized Microsoft Key Management Service (KMS) activator tools to infiltrate Windows systems in Ukraine.
This campaign, which has been active since late 2023, uses pirated KMS activation tools and fake Windows updates as lures to distribute malware, further destabilizing Ukraine’s critical infrastructure.
Source: Cybersecurity News
Summary: Palo Alto Networks has addressed a high-severity security flaw in its PAN-OS software that could result in an authentication bypass.
The vulnerability, tracked as CVE-2025-0108, carries a CVSS score of 7.8 out of 10.0. The score, however, drops to 5.1 if access to the management interface is restricted to a jump box, which is in line with Palo Alto Networks' standing guidance not to expose the management interface to the internet.
Source: The Hacker News
Summary: This week’s list includes — CVE-2025-25064, CVE-2025-25065 (Zimbra Collaboration), CVE-2024-57968, CVE-2025-25181 (Advantive VeraCore), CVE-2025-20124, CVE-2025-20125 (Cisco Identity Services Engine), CVE-2025-23114 (Veeam Backup), CVE-2024-56161 (AMD), CVE-2025-21415 (Azure AI Face Service), CVE-2024-53104 (Linux Kernel/Android), CVE-2022-22706 (Arm), CVE-2025-23369 (GitHub Enterprise Server), PSV-2023-0039, PSV-2024-0117 (NETGEAR), CVE-2025-24118 (Apple), CVE-2025-24648, CVE-2024-43333 (Admin and Site Enhancements plugin), and CVE-2025-24734 (Better Find and Replace plugin).
Source: The Hacker News
Prepared by: Krypt3ia
For inquiries, contact: [email protected]
Disclaimer: This digest is for informational purposes only. Use provided intelligence responsibly and validate all IOCs before implementing network or system changes.