Executive Summary -
Highlights of Cyber Threat Intelligence Digest
Vulnerabilities
Apple Vulnerabilities Actively Exploited – On 1 April 2025, Apple released security updates to address three vulnerabilities that have been actively exploited in the wild, affecting older versions (prior to 17.2) of iOS, iPadOS, and macOS.
The first, CVE-2025-24085, is a use-after-free vulnerability in the CoreMedia component which could allow privilege escalation when exploited via a malicious application. The second, CVE-2025-24200, involves an incorrect authorisation flaw within the Accessibility component that enables attackers to disable USB Restricted Mode while the device remains locked. The third, CVE-2025-24201, is an out-of-bounds write vulnerability in WebKit, potentially allowing attackers to escape the application sandbox through specially crafted web content.
Users are strongly advised to update to the latest firmware, including any legacy updates available for older Apple devices.
CrushFTP Authentication Bypass Vulnerability Exploited - On 31 March 2025, the Shadowserver Foundation reported active exploitation of CVE-2025-2825, an authentication bypass vulnerability affecting CrushFTP. This issue impacts versions 10.0.0 to 10.8.3 and 11.0.0 to 11.3.0. The vulnerability allows unauthenticated attackers to gain unauthorised access via specially crafted HTTP(S) requests. Shadowserver observed over 1,500 vulnerable CrushFTP instances exposed online at the time of reporting.
CrushFTP released patches addressing the issue in versions 10.8.4 and 11.3.1 on 21 March 2025. Organisations are strongly encouraged to apply these updates without delay.
Critical RCE Vulnerability in Apache Parquet – On 1 April 2025, security researcher Keyi Li disclosed CVE-2025-30065, a critical remote code execution vulnerability in the Java library of Apache Parquet. The flaw stems from unsafe deserialisation in the parquet-avro module and affects versions 1.8.0 through 1.15.0. Exploitation enables attackers to execute arbitrary code by processing malicious Parquet files, without requiring user interaction or elevated privileges. Although no active exploitation has yet been observed, the vulnerability poses a significant threat to environments using big data platforms such as Hadoop, Spark and Flink.
It is recommended that affected systems be upgraded to version 1.15.1. Where an upgrade is not immediately possible, strict file validation and enhanced monitoring should be implemented.
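One concrete form of the "strict file validation" recommended above, added here as an example (not Apache Parquet's own code): it checks the Parquet envelope (leading and trailing PAR1 magic, footer length) and flags files whose footer metadata embeds an Avro schema, the input that the parquet-avro deserialisation path consumes, so that they can be held back while a reader in the affected 1.8.0 to 1.15.0 range is still in use. The metadata key names are the ones parquet-avro writes; the accept/quarantine/reject policy is an assumption.

```python
"""Structural gate for inbound Parquet files (added example; assumed policy).
Validates the file envelope and flags footers that embed an Avro schema."""
import struct
from typing import Dict, Tuple

MAGIC = b"PAR1"
# Metadata keys under which parquet-avro stores the writer's Avro schema.
AVRO_SCHEMA_KEYS = (b"parquet.avro.schema", b"avro.schema")
VULNERABLE_RANGE = ((1, 8, 0), (1, 15, 0))  # parquet-avro 1.8.0 .. 1.15.0


def validate_parquet(data: bytes) -> Dict[str, object]:
    """Check the Parquet envelope: 'PAR1' ... footer, footer length, 'PAR1'."""
    verdict: Dict[str, object] = {"valid": False, "reason": "", "has_avro_schema": False}
    if len(data) < 12 or data[:4] != MAGIC or data[-4:] != MAGIC:
        verdict["reason"] = "missing PAR1 magic or file too short"
        return verdict
    footer_len = struct.unpack("<I", data[-8:-4])[0]   # little-endian footer size
    if footer_len == 0 or footer_len > len(data) - 12:
        verdict["reason"] = "footer length inconsistent with file size"
        return verdict
    footer = data[-8 - footer_len:-8]                   # Thrift-encoded FileMetaData
    verdict["has_avro_schema"] = any(k in footer for k in AVRO_SCHEMA_KEYS)
    verdict["valid"] = True
    return verdict


def is_vulnerable_version(version: str) -> bool:
    """True for parquet-avro versions 1.8.0 through 1.15.0 (per the advisory)."""
    parts: Tuple[int, ...] = tuple(int(p) for p in version.split("."))
    return VULNERABLE_RANGE[0] <= parts <= VULNERABLE_RANGE[1]


def decide(data: bytes, reader_version: str) -> str:
    """Return 'reject', 'quarantine' or 'accept' (assumed policy)."""
    verdict = validate_parquet(data)
    if not verdict["valid"]:
        return "reject"
    if verdict["has_avro_schema"] and is_vulnerable_version(reader_version):
        return "quarantine"
    return "accept"


# Constructed sample: not a real Parquet file, only its envelope around a
# footer blob that carries an embedded Avro schema key.
_FOOTER = b"\x15\x00parquet.avro.schema{\"type\":\"record\",\"name\":\"t\"}"
SAMPLE_FILE = MAGIC + b"<row group bytes>" + _FOOTER + struct.pack("<I", len(_FOOTER)) + MAGIC
```

The substring check on the footer is deliberately coarse: it does not parse Thrift, so it is a triage gate in front of the real reader, not a replacement for upgrading to 1.15.1.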
Potential Threats
Russian State-Sponsored Actor Exploiting MSC EvilTwin Zero-Day – On 28 March 2025, Trend Micro reported that the Russian state-sponsored actor known as Water Gamayun, also referred to as EncryptHub, is exploiting a zero-day vulnerability in Microsoft Management Console (MMC), identified as CVE-2025-26633 and dubbed “MSC EvilTwin”.
This vulnerability permits code execution through malicious .msc files that sideload a rogue DLL. The attack begins with specially crafted .ppkg, .msi or .msc files, leveraging living-off-the-land binaries such as runnerw.exe to evade detection. The threat actor deploys malware including EncryptHub Stealer, DarkWisp and LummaC2 to achieve persistence and steal data.
Microsoft released a patch for this vulnerability on 11 March 2025. All systems should be updated as a priority to mitigate ongoing threats.
PoisonSeed Phishing Campaign Steals Cryptocurrency via Preconfigured Seed Phrases - On 3 April 2025, Silent Push revealed details of the ongoing "PoisonSeed" phishing campaign, which targets cryptocurrency users by distributing preconfigured seed phrases.
The threat actors are exploiting compromised enterprise email and CRM accounts, such as those from HubSpot and Mailchimp, to impersonate legitimate platforms like Coinbase and Ledger. Phishing emails contain wallet seed phrases that, when imported by a user, grant the attackers immediate access to the wallet and its contents.
Cryptocurrency users are strongly advised to avoid using seed phrases received via email, as reputable platforms never send pre-generated phrases to users under any circumstances.
Salvador Stealer Android Malware Steals Personal and Financial Data – On 2 April 2025, ANY.RUN identified a new Android malware variant named Salvador Stealer. This malware is distributed via trojanised APKs that disguise themselves as legitimate banking applications.
Once installed, the malware presents a fake banking interface and silently harvests sensitive data, including one-time passwords and login credentials. The stolen data is transmitted to attackers via Telegram and dedicated servers.
Users are urged to install applications only from verified app stores, enable two-factor authentication where possible, and keep their mobile security software up to date to minimise exposure.
General News
Customer info allegedly stolen from compromised supplier of Royal Mail - Royal Mail is investigating a data breach involving its third-party supplier, Spectos GmbH, which reportedly led to the exposure of 144GB of customer data. The leaked information includes names, delivery addresses, and internal documentation, along with mailing lists and Zoom recordings.
The threat actor, operating under the alias GHNA, has claimed responsibility for the breach. Initial investigations suggest the data was exfiltrated through compromised credentials, possibly stemming from a 2021 malware infection.
Royal Mail has confirmed that operational services have not been impacted.
Apple Sues UK Government Over Encryption Access – Apple has launched legal proceedings against the UK Government in response to an order compelling it to provide access to encrypted iCloud data.
The Investigatory Powers Tribunal recently lifted the confidentiality of the case, revealing Apple’s challenge to the government’s demand for a so-called ‘backdoor’ into its cloud services. Earlier this year, Apple pre-emptively disabled the ability for UK users to enable end-to-end encryption for iCloud, in what is now believed to be a move driven by the legal dispute.
Apple contends that the order undermines the privacy and security of its customers globally.
Europcar GitLab Breach Exposes Data of Up to 200,000 Customers – Europcar Mobility Group has confirmed that a hacker gained unauthorised access to its GitLab repositories, compromising source code for both its Android and iOS applications.
In addition to the codebase, the attacker accessed over 9,000 SQL files containing database backups with customer information, and more than 250 configuration files disclosing details of the company’s internal infrastructure and cloud environments. Up to 200,000 customers may have been affected.
The company has launched a full investigation and is currently working to determine the scope of the incident.
Threat Actor Weekly Graph
Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.
Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.
Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.
Both intent and opportunity are scored out of 100 and together determine the group’s severity. These updates can be seen below.
● Limited Severity | ● Basic Severity | ● Moderate Severity | ● High Severity |
Threat Actor | Severity Increase | Opportunity | Intent
---|---|---|---
BlueBravo | ● High → ● High | ● 89 → ● 88 | ● 25 → ● 25
CoreLab | New → ● Basic | New → ● 30 | New → ● 25
Chaos Leak Group | New → ● Basic | New → ● 30 | New → ● 25
K3MP3R | New → ● Basic | New → ● 30 | New → ● 25
Chaos Ransomware Group | New → ● Basic | New → ● 25 | New → ● 30
Global Trends Powered by Recorded Future
Within each category, we have provided the current top five globally trending items. Each item is marked with a symbol indicating how actively it is trending.
The spikes in references are calculated over 60 days and are normalised to ensure they aren’t disproportionate when compared to bigger entities that will naturally have more baseline mentions.
▲ Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
▲ Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.
Attackers | Methods | Vulnerabilities | Targets
---|---|---|---
InterLock Ransomware Group ▲ | Credential Stuffing ▲ | CVE-2025-3155 ▲ | Hotels and entertainment services ▲
Palestinian Hackers ▲ | T1021 (Remote Services) ▲ | CVE-2025-30401 ▲ | Amazon Web Services ▲
LockBit Gang ▲ | T1133 (External Remote Services) ▲ | CVE-2023-6931 ▲ | Europcar ▲
Anonymous ▲ | T1041 (Exfiltration Over C2 Channel) ▲ | CVE-2025-22457 ▲ | Royal Mail ▲
Hellcat Ransomware Group ▲ | TA0010 (Exfiltration) ▲ | CVE-2024-11859 ▲ | Human Capital Management ▲
Prominent Information Security Events
State-Sponsored Actor Exploiting MSC EvilTwin Zero-Day
Source: Insikt Group, Trend Micro | Validated Intelligence Event
IOC: IP – 82.115.223[.]182
IOC: CVE-2025-26633 | CVSS Score: 7.3 | Recorded Future Risk Score: Very Critical - 99
IOC: Domain – global-protect[.]us
IOC: SHA256 - f3988f4c889e6ae79b7ebde97a677e2abfc89c53ffc800a8954b713d317232d3
On 28 March 2025, Trend Micro reported that Russian state-sponsored threat actor Water Gamayun (also tracked as EncryptHub) has been exploiting a zero-day vulnerability in Microsoft Management Console (MMC), tracked as CVE-2025-26633 and dubbed “MSC EvilTwin.” The flaw enables remote code execution through specially crafted .msc console files that sideload a malicious DLL via abuse of the MUIPath attribute.
Initial access is achieved through malicious provisioning packages (.ppkg), .msi installer files, and .msc console files, which ultimately trigger MSC EvilTwin. When opened via MMC, the crafted .msc files cause the malicious DLL—designed to mimic Microsoft's mmcndmgr.dll—to be sideloaded and executed in memory. This allows Water Gamayun to deploy payloads without writing files to disk, thereby evading traditional detection mechanisms.
Water Gamayun leverages living-off-the-land binaries (LOLBins), notably abusing runnerw.exe from IntelliJ IDEA to proxy PowerShell commands and execute payloads. Once inside the environment, the group deploys a range of malware including EncryptHub Stealer, DarkWisp, and SilentPrism for persistence, along with Stealc, Rhadamanthys, and LummaC2 to exfiltrate credentials, browser data, and other sensitive information. These payloads communicate with command-and-control (C2) servers over encrypted channels and employ anti-analysis techniques to resist detection.
Microsoft released a patch for CVE-2025-26633 as part of its 11 March 2025 security update. Organisations are urged to apply this update immediately and to monitor for suspicious .msc activity, LOLBin abuse, and anomalous outbound network traffic to known C2 infrastructure.
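The monitoring advice above (suspicious .msc activity, LOLBin abuse) can be turned into concrete hunting rules. The following is an added example, not code from the report or from Trend Micro: it runs three rules drawn from the chain described here over constructed Sysmon-style process-creation records. The field names and the list of user-writable paths are assumptions to adapt to your own telemetry.

```python
import re
from typing import Dict, List

# Constructed sample records (Sysmon event 1 style; field names assumed).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'mmc.exe "C:\Users\alice\AppData\Local\Temp\invoice.msc"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <base64-placeholder>",
     "ParentImage": r"C:\Windows\System32\mmc.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c Get-Process",
     "ParentImage": r"C:\Program Files\JetBrains\IntelliJ IDEA\bin\runnerw.exe"},
    {"Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'mmc.exe "C:\Windows\System32\eventvwr.msc"',
     "ParentImage": r"C:\Windows\explorer.exe"},  # benign: built-in console
]

# Paths a standard user can write to; assumed list, extend for your estate.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the EvilTwin-chain rules this event matches."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event["CommandLine"]
    hits: List[str] = []
    # Rule 1: MMC opening a .msc console from a user-writable location,
    # the delivery vehicle for the MUIPath DLL sideload.
    if image == "mmc.exe" and ".msc" in cmd.lower() and USER_WRITABLE.search(cmd):
        hits.append("msc_from_user_writable_path")
    # Rule 2: a shell whose parent is mmc.exe (payload run after sideload).
    if image in SHELLS and parent == "mmc.exe":
        hits.append("shell_spawned_by_mmc")
    # Rule 3: runnerw.exe (IntelliJ IDEA LOLBin) proxying a shell.
    if image in SHELLS and parent == "runnerw.exe":
        hits.append("shell_proxied_by_runnerw")
    return hits


def hunt(events: List[Dict[str, str]]) -> List[List[str]]:
    """Rule hits for every event that matched at least one rule."""
    return [h for h in (classify(e) for e in events) if h]
```

Rule 1 will also fire on administrators who legitimately keep custom consoles in their profile, so pair it with the parent/child rules or with file-origin telemetry before alerting.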
PoisonSeed Phishing Campaign Steals Cryptocurrency via Preconfigured Seed Phrases
Source: Insikt Group, Bleeping Computer | Validated Intelligence Event
IOC: IP - 212.224.88[.]188
IOC: IP- 86.54.42[.]92
IOC: Domain - myaccount-hbspot[.]com
IOC: Domain - review-termsconditions[.]com
On 3 April 2025, cybersecurity firm Silent Push reported the ongoing “PoisonSeed” phishing campaign, which targets cryptocurrency users by exploiting compromised enterprise email and CRM accounts. The attackers impersonate legitimate platforms like Coinbase and Ledger, sending phishing emails that contain preconfigured wallet seed phrases.
These seed phrases, when imported by a user, allow the attackers immediate access to the victim's cryptocurrency wallet, enabling them to drain the funds. The campaign is launched by compromising business accounts on popular CRM and email platforms such as HubSpot and Mailchimp. After gaining access, attackers use these platforms to distribute phishing emails at scale, targeting a wider audience.
Silent Push identified several domains used by the attackers for command-and-control (C2) communication, including mysrver-chbackend[.]com and barefoots-api[.]com. Further analysis of WHOIS records revealed unusual details linked to the infrastructure, helping to confirm the PoisonSeed campaign's association with this set of domains.
To mitigate this threat, organisations should enforce multi-factor authentication (MFA) for CRM and email platforms, audit API activity to detect unauthorised API key generation, and review outbound emails for signs of phishing attempts. Cryptocurrency users are strongly advised to avoid importing seed phrases received through email, as legitimate platforms never send preconfigured phrases under any circumstances.
Remediation Actions
Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:
- CVE-2025-24085, CVE-2025-24200 and CVE-2025-24201 – Update affected devices to the latest available firmware, including any legacy updates for older Apple devices.
- CVE-2025-2825 - Update the affected products to versions 10.8.4 or 11.3.1, released by CrushFTP on 21 March 2025.
- CVE-2025-30065 - Update the affected systems to version 1.15.1. If updating is not immediately possible, avoid processing untrusted Parquet files, apply strict file validation and implement enhanced monitoring as a workaround.
If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.