Executive Summary
Highlights of the Cyber Threat Intelligence Digest
Vulnerabilities
Cisco Discloses Network Analytics Privilege Escalation Flaw - On April 16, 2025, Cisco disclosed a privilege escalation vulnerability, CVE-2025-20178, in its Secure Network Analytics platform. CVE-2025-20178 exists in the web-based management interface of affected versions and allows authenticated remote attackers to execute arbitrary commands with elevated privileges.
The vulnerability stems from insufficient integrity checks on device backup files and affects Cisco Secure Network Analytics releases 7.5.0 through 7.5.2. Successful exploitation grants the attacker root-level shell access to the underlying operating system. At the time of writing, there are no reports of this vulnerability being exploited in the wild.
Google Chrome Fixes Critical and High-Severity Flaws (CVE-2025-3619, CVE-2025-3620) - On April 15, 2025, Google released a security update for the Chrome browser that fixes two vulnerabilities: a critical vulnerability tracked as CVE-2025-3619 and a high-severity vulnerability tracked as CVE-2025-3620. At the time of writing, there are no reports of these vulnerabilities being exploited in the wild.
- CVE-2025-3619 is a critical heap buffer overflow vulnerability in Chrome’s Codecs component. The flaw arises when Chrome processes specially crafted media files. Successful exploitation allows a threat actor to run arbitrary code on the target system, potentially leading to full device compromise or unauthorised access to sensitive user data.
- CVE-2025-3620 is a high-severity use-after-free vulnerability in Chrome’s USB component. The flaw arises when Chrome accesses memory after it has been released. Successful exploitation allows a threat actor to run arbitrary code or gain elevated privileges on the affected system.
ASUS Discloses Authentication Bypass Vulnerability CVE-2025-2492 - On April 18, 2025, ASUS patched an authentication bypass vulnerability, CVE-2025-2492, affecting multiple router models with the AiCloud feature enabled. AiCloud is a built-in cloud-based service on many ASUS routers that provides remote access to USB-connected storage and other network resources.
CVE-2025-2492 allows remote attackers to execute unauthorised functions without requiring authentication, posing a high risk of exploitation. The flaw is triggered through a specially crafted request and affects a wide range of firmware series, including 3.0.0.4_382, 3.0.0.4_386, 3.0.0.4_388, and 3.0.0.6_102. At the time of writing, there are no reports of this vulnerability being exploited in the wild.
Potential Threats
Ghost Ransomware Group (Cring) Targets Critical Sectors - On April 15, 2025, BlackFog published a report stating that Ghost Ransomware Group (also known as Cring) is targeting critical US, UK, and Canadian sectors for financial gain. Targeted industries include hospitals, factories, banks, and governments in over 70 countries. Although Ghost Ransomware Group first emerged in 2021, its activity has significantly increased in early 2025.
Ghost Ransomware Group gains initial access through unpatched systems, such as VPN appliances or outdated applications. It spreads inside the network by installing backdoors, using tools like Cobalt Strike and web shells, and disabling security controls. Ghost escalates privileges, often creating new admin accounts and turning off defences.
It then steals data (for double-extortion), encrypts files, and wipes backups. A notable trait of this group is the ability to rapidly encrypt data on a system, often completing this process within the first 24 hours of an intrusion.
FOG Ransomware Delivered via LNK Files in ZIP Email Campaigns - On April 21, 2025, Trend Micro reported phishing campaigns distributing FOG ransomware. The threat actors spoofed the Department of Government Efficiency (DOGE) to increase credibility and broaden reach. The phishing emails contain a ZIP archive titled Pay Adjustment.zip, which includes a malicious shortcut (LNK) file masquerading as a PDF.
Executing the LNK file launches a PowerShell script, stage1.ps1, which retrieves additional components, including cwiper.exe and ktool.exe. These components contain embedded political commentary and trigger politically themed YouTube videos.
Key payload components include:
- Lootsubmit.ps1: Collects host details such as IP address, MAC address, CPU configuration, and geolocation via the Wigle API; it also exfiltrates data to hxxps://hilarious-trifle-d9182e.netlify[.]app.
- Trackerjacker.ps1: A script obfuscated using XOR, performing similar reconnaissance with refined MAC address resolution.
- Qrcode.png: Displays a QR code linking to a Monero wallet for ransom payment.
- Ktool.exe: Exploits the Intel driver iQVW64.sys to elevate privileges.
Additional components include .flocked ransomware binaries and a readme.txt ransom note referencing DOGE. The malware performs anti-sandbox checks (for example, RAM, CPU cores, and MAC address) and executes only if conditions are met. It also decrypts its payload using a hard-coded key and writes dbgLog.sys to log encryption actions.
Threat Actors Abuse SVG Files by Embedding Malicious HTML and JavaScript in Phishing Campaigns - On April 21, 2025, Kaspersky reported that threat actors conducted phishing campaigns using Scalable Vector Graphics (SVG) attachments to evade standard email security filters and steal credentials. These campaigns began in January 2025 and continued through at least mid-April.
Threat actors abuse SVG (an XML-based image format used to display scalable graphics) by embedding malicious Hypertext Markup Language (HTML) and JavaScript inside what appears to be a legitimate image file. When clicked, these files redirect users to phishing pages.
Threat actors deliver SVG attachments through phishing emails disguised as audio messages or document signature requests. When opened, the embedded code displays phishing pages that mimic legitimate platforms such as Google Voice or Microsoft login portals, prompting victims to enter their credentials. Email systems recognise SVG files under the Multipurpose Internet Mail Extensions (MIME) type image/svg+xml, which allows SVG attachments to bypass filters that block executables or HTML files.
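The filter gap described above (SVG is XML, so an attachment labelled image/svg+xml can carry script, event handlers and embedded HTML) can be closed by inspecting SVG attachments explicitly. The following is an added example, not code from the original report or from Kaspersky; the element and attribute lists are this example's own choices, and both sample SVGs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructs that let an "image" carry HTML or JavaScript (lists chosen for this example).
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
URI_ATTRIBUTES = {"href", "src", "data"}
CODE_SCHEMES = re.compile(r"^\s*(javascript|vbscript):", re.IGNORECASE)


def audit_svg(svg_bytes: bytes) -> list[str]:
    """Parse an SVG attachment and list the active-content constructs it contains."""
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable SVG ({exc}); treat as suspicious"]
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]          # strip the namespace URI
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element present")
        for attr, value in elem.attrib.items():
            name = attr.rsplit("}", 1)[-1]          # xlink:href -> href
            if name.lower().startswith("on"):       # onload, onclick, onerror, ...
                findings.append(f"event handler {name} on <{tag}>")
            elif name.lower() in URI_ATTRIBUTES and CODE_SCHEMES.match(value):
                scheme = value.strip().split(":", 1)[0].lower()
                findings.append(f"{name} with {scheme}: scheme on <{tag}>")
    return findings


def attachment_verdict(content_type: str, payload: bytes) -> str:
    """image/svg+xml slips past filters written for executables and HTML, so inspect it itself."""
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime != "image/svg+xml":
        return "allow"          # other types are left to the existing filter chain
    return "quarantine" if audit_svg(payload) else "allow"


# Constructed samples for this example, not artefacts from the reported campaign.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"><circle cx="5" cy="5" r="4"/></svg>'
SUSPICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="go()">
  <script><![CDATA[ window.location = "https://login.example.invalid/"; ]]></script>
  <foreignObject width="200" height="60"><div xmlns="http://www.w3.org/1999/xhtml">Voice message</div></foreignObject>
  <a xlink:href="javascript:void(0)"><text x="0" y="20">Play</text></a>
</svg>"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, attachment_verdict("image/svg+xml", sample), audit_svg(sample))
```

A mail gateway would call attachment_verdict with the declared Content-Type and the raw part; a parse failure is reported as a finding rather than silently allowed.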
General News
New payment-card scam involves a phone call, some malware and a personal tap - Financial institutions should be on alert for a scam that combines social engineering, previously undocumented malware and mobile phones’ near-field communication (NFC) capabilities to compromise payment cards, researchers said Friday. The fraudsters target Android devices with “a series of well-orchestrated steps” that allow them to steal money from individual victims, according to Cleafy, the cybersecurity firm that tracked the scheme in its home country of Italy.
The malware, which Cleafy is calling SuperCard X, overlaps with malicious code first reported by researchers at Slovakia-based ESET in 2024. Dubbed NGate, that malware was used to steal money from customers of three Czech banks. The abuse of NFC technology — when a device recognises a nearby item like a payment card — is new, Cleafy says.
The Italian job works like this: The hackers reel in a potential victim with a scary text message that impersonates a bank fraud alert. If the recipient calls the associated phone number, they’re directed to take more steps to “secure” their account. The hackers ask for PINs and try to get victims to remove any spending limits on the card.
23andMe bankruptcy draws investigation from House panel over data concerns - The House Oversight Committee has launched an investigation into the privacy and security risks associated with the bankruptcy of genetic testing company 23andMe.
The company’s bankruptcy filing “raises significant concerns regarding potential transfers of customers’ and family members’ sensitive personal data to various interested entities,” including China’s government, says committee Chairman James Comer (R-KY) in a letter to Anne Wojcicki, who initiated 23andMe’s bankruptcy proceedings in March and resigned as chief executive soon afterward.
British law firm fined after ransomware group publishes confidential client data - A British law firm has been fined £60,000 ($80,000) after cybercriminals accessed the company’s case management system and published sensitive information on the dark web, something the company only learned about after being contacted by the National Crime Agency.
DPP Law, based in Bootle, was found to have breached the United Kingdom’s data protection laws by failing to “put appropriate measures in place to ensure the security of personal information held electronically.”
The Information Commissioner’s Office (ICO) stated hackers were able to access the company’s IT network by brute-forcing an infrequently used administrator account that lacked multi-factor authentication, and then using the access to move laterally across DPP’s network, pilfering over 32GB of data.
Threat Actor Weekly Graph
Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.
Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.
Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.
Both intent and opportunity are scored out of 100 and are responsible for scoring the group’s severity. These updates can be seen below.
Severity tiers: Limited | Basic | Moderate | High

Threat Actor | Severity (previous → current) | Opportunity (previous → current) | Intent (previous → current)
---|---|---|---
FIN7 | High → High | 82 → 81 | 45 → 45
bio | NEW → Basic | NEW → 30 | NEW → 25
DieNet | NEW → Basic | NEW → 25 | NEW → 25
RedNovember | Basic → Basic | 25 → 25 | 5 → 26
INC RANSOM | Basic → Basic | 30 → 40 | 49 → 49
Global Trends Powered by Recorded Future
Within each category, we have provided the current top five globally trending items. Each item is marked with a symbol indicating how actively it is trending.
The spikes in references are calculated over 60 days and are normalised so that they are not disproportionate when compared with bigger entities that naturally have more baseline mentions.
▲ Spike: a large increase in reporting volume and a high diversity in the event descriptions.
▲ Rise: a small increase in reporting volume with little diversity in the descriptions.
Attackers | Methods | Vulnerabilities | Targets
---|---|---|---
Lotus Panda ▲ | GrapeLoader ▲ | CVE-2025-32434 ▲ | SK Telecom ▲
BlueBravo ▲ | NightSpire Ransomware ▲ | CVE-2025-24054 ▲ | White House ▲
Cloud Atlas ▲ | Agenda Ransomware ▲ | CVE-2025-21204 ▲ | Daihatsu ▲
INC RANSOM ▲ | Identity Theft ▲ | CVE-2025-1976 ▲ | World Wrestling Entertainment ▲
ROOTK1T ISC ▲ | External Remote Services ▲ | CVE-2025-32433 ▲ | Google Drive ▲
Prominent Information Security Events
Ghost Ransomware Group (Cring) Targets Critical Sectors in US, UK, and Canada for Financial Gain
Source: Insikt Group | Validated Intelligence Event
IOC: SHA256 - E0821121726DBE78C6423AF0F46B2E938ACF8CE74D4674751AF4030D84BE972A
IOC: SHA256 - 4A324FC6AB18F552B8669404219BA4F16AD167C6E534B61F5BC7831534EB23A1
IOC: SHA256 - 4E9BB2DE5712E0FDB7270CCE45AF0AFB089C44D4424AA7CF8CA98219EC45A9C1
On April 15, 2025, BlackFog published a report stating that Ghost Ransomware Group (also known as Cring) is targeting critical US, UK, and Canadian sectors for financial gain. Targeted industries include hospitals, factories, banks, and governments in over 70 countries. Although Ghost Ransomware Group first emerged in 2021, its activity has significantly increased in early 2025.
Ghost Ransomware Group gains initial access through unpatched systems, such as VPN appliances or outdated applications. It spreads inside the network by installing backdoors, using tools like Cobalt Strike and web shells, and disabling security controls. Ghost escalates privileges, often creating new admin accounts and turning off defences. It then steals data (for double-extortion), encrypts files, and wipes backups. A notable trait of this group is the ability to rapidly encrypt data on a system, often completing this process within the first 24 hours of an intrusion.
Ghost Ransomware Group is believed to be operated by a financially motivated group based in China; however, it does not appear to be affiliated with the Chinese government. This differs from typical Chinese-speaking threat actors, which are more often linked to state-sponsored cyber-espionage than to financially driven campaigns. The group has used various aliases such as Cring, Crypt3r, Hello, and Phantom to evade detection. Law enforcement agencies such as the FBI and CISA have also issued joint advisories on Ghost.
FOG Ransomware Delivered via LNK Files in ZIP Email Campaigns
Source: Insikt Group | Validated Intelligence Event
IOC: Hash - 44b7eebf7a26d466f9c7ad4ddb058503f7066aded180ab6d5162197c47780293
IOC: Hash - 3d2cbef9be0c48c61a18f0e1dc78501ddabfd7a7663b21c4fcc9c39d48708e91
IOC: URL - hxxps://hilarious-trifle-d9182e.netlify.app/lootsubmit[.]ps1
IOC: URL - hxxps://hilarious-trifle-d9182e.netlify.app/qrcode[.]png
On April 21, 2025, Trend Micro reported phishing campaigns distributing FOG ransomware. The threat actors spoofed the Department of Government Efficiency (DOGE) to increase credibility and broaden reach.
The phishing emails contain a ZIP archive titled Pay Adjustment.zip, which includes a malicious shortcut (LNK) file masquerading as a PDF. Executing the LNK file launches a PowerShell script, stage1.ps1, which retrieves additional components, including cwiper.exe and ktool.exe. These components contain embedded political commentary and trigger politically themed YouTube videos.
Key payload components include:
- Lootsubmit.ps1: Collects host details such as IP address, MAC address, CPU configuration, and geolocation via the Wigle API; it also exfiltrates data to hxxps://hilarious-trifle-d9182e.netlify[.]app.
- Trackerjacker.ps1: A script obfuscated using XOR, performing similar reconnaissance with refined MAC address resolution.
- Qrcode.png: Displays a QR code linking to a Monero wallet for ransom payment.
- Ktool.exe: Exploits the Intel driver iQVW64.sys to elevate privileges.
Additional components include .flocked ransomware binaries and a readme.txt ransom note referencing DOGE. The malware performs anti-sandbox checks (for example, RAM, CPU cores, and MAC address) and executes only if conditions are met. It also decrypts its payload using a hard-coded key and writes dbgLog.sys to log encryption actions.
Since January 2025, FOG ransomware has affected approximately 100 victims. According to the group’s leak website, targeted sectors include technology, education, manufacturing, transportation, healthcare, retail, and consumer services.
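The delivery chain described above (a ZIP archive carrying a shortcut that masquerades as a PDF and launches PowerShell) can be triaged at the gateway by looking inside the archive rather than trusting file names. This is an added example, not code from the original report or from Trend Micro: the shell link header bytes are the documented LNK signature, while the inner file name "Pay Adjustment.pdf.lnk", the PowerShell command string and the document-extension list are constructed for this example and not taken from the campaign.

```python
import io
import zipfile

# Fixed header of a Windows shell link: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046, serialised as bytes.
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")
# LNK command lines are stored as UTF-16LE; this is "powershell" in that encoding.
POWERSHELL_UTF16 = "powershell".encode("utf-16-le")


def triage_zip(zip_bytes: bytes) -> list[str]:
    """Flag ZIP members that are shortcuts dressed up as documents or that invoke PowerShell."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            with archive.open(info) as member:
                head = member.read(65536)       # enough for the header and the argument strings
            is_lnk = head.startswith(LNK_MAGIC)
            stem = lower.rsplit(".", 1)[0] if "." in lower else lower
            if is_lnk and not lower.endswith(".lnk"):
                findings.append(f"{name}: shell link header under a non-.lnk name")
            if lower.endswith(".lnk") and stem.endswith(DOCUMENT_EXTENSIONS):
                findings.append(f"{name}: document extension hiding a .lnk")
            if is_lnk and POWERSHELL_UTF16 in head.lower():
                findings.append(f"{name}: shortcut launches PowerShell")
    return findings


def build_sample_zip(member_name: str = "Pay Adjustment.pdf.lnk") -> bytes:
    """Constructed sample for this example, not the archive from the reported campaign."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56 + "powershell.exe -File stage1.ps1".encode("utf-16-le")
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr(member_name, fake_lnk)
        archive.writestr("notes.txt", "plain text, nothing to flag")
    return buffer.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```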
Remediation Actions
Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:
- For CVE-2025-20178, we recommend that organisations update the Secure Network Analytics platform to version 7.5.0, 7.5.1, or 7.5.2 with the latest rollup updates.
- For CVE-2025-2492, we recommend that organisations update affected ASUS products to the fixed versions listed in the vendor's advisory.
- For CVE-2025-3619 and CVE-2025-3620, we recommend updating Chrome to version 135.0.7049.95 for Linux and 135.0.7049.95/.96 for Windows and macOS to address these vulnerabilities and prevent system compromise.
If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.