Cyber Threat Intelligence Digest: Week 17

30th April 2025 - Threat Reports
  • Vulnerabilities
  • Potential Threats
  • General News
  • Threat Actor Weekly Graph
  • Global Trends Powered by Recorded Future
  • Prominent Information Security Events
  • Remediation Actions

Executive Summary - Highlights of Cyber Threat Intelligence Digest

Vulnerabilities

FormBook Malware Spread via Phishing Campaign - On 22 April 2025, Fortinet reported a phishing campaign actively exploiting CVE-2017-11882, a memory corruption vulnerability in Microsoft Office that allows remote code execution, targeting Windows users.


The campaign is initiated through phishing emails containing a fake sales order and a malicious Word document. Once the attachment is opened, an external RTF file is loaded, exploiting CVE-2017-11882 through the Microsoft Equation Editor to execute a disguised DLL ("AdobeID.pdf"). The DLL creates a registry run key for persistence and downloads an encrypted FormBook payload masquerading as a PNG file. The payload is decrypted and injected into memory via process hollowing, targeting ImagingDevices.exe. Once active, FormBook collects keystrokes, credentials, clipboard data, and screenshots while using native Windows APIs to evade detection.

Organisations are advised to block the identified indicators of compromise.
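The infection chain above leaves three telemetry artefacts a defender can look for: an Office process spawning the Equation Editor, a module loaded from a file whose extension is not a normal DLL extension (the "AdobeID.pdf" DLL), and a Run key whose value points into a user-writable directory. The following is an added detection example, not code from the Fortinet report; the events are constructed in Sysmon's field naming (EventID 1 process create, 7 image load, 13 registry value set) and the path markers and Office process list are assumptions to tune for your environment.

```python
import os

# Assumed lists: Office hosts that may legitimately spawn helpers, extensions that
# normally appear as loaded modules, and path fragments that mark user-writable dirs.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
MODULE_EXTS = {".dll", ".exe", ".ocx", ".sys", ".drv"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"

# Constructed Sysmon-style events (not real telemetry) mirroring the reported chain.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    {"EventID": 7, "Image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\AdobeID.pdf"},
    {"EventID": 13, "Image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\AdobeID",
     "Details": r"C:\Users\alice\AppData\Local\Temp\AdobeID.pdf"},
    # Benign noise: explorer launching notepad, and a vendor updater registering itself.
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\updater.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]

def _name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return os.path.basename(path.replace("\\", "/")).lower()

def _ext(path):
    name = _name(path)
    return name[name.rfind("."):] if "." in name else ""

def _user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)

def analyse(events):
    """Apply the three rules and return (rule_name, detail) pairs in event order."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1 and _name(ev["ParentImage"]) in OFFICE_APPS and _name(ev["Image"]) == "eqnedt32.exe":
            hits.append(("office_spawned_equation_editor", ev["Image"]))
        elif eid == 7 and _ext(ev["ImageLoaded"]) not in MODULE_EXTS:
            hits.append(("module_with_non_dll_extension", ev["ImageLoaded"]))
        elif eid == 13 and RUN_KEY in ev["TargetObject"].lower() and _user_writable(ev.get("Details", "")):
            hits.append(("run_key_points_to_user_writable_path", ev["TargetObject"]))
    return hits

if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```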


SAP Patches Zero-Day RCE Flaw in NetWeaver Visual Composer - On 25 April 2025, SAP released a patch for CVE-2025-31324, a zero-day remote code execution (RCE) vulnerability affecting SAP NetWeaver Visual Composer. This flaw allows remote attackers to upload and execute malicious files via an unrestricted file upload mechanism.

The attack begins by exploiting the /developmentserver/metadatauploader endpoint, enabling attackers to upload malicious JSP web shells to the server’s directory. Once uploaded, these web shells allow attackers to execute arbitrary commands, deploy malware, and manipulate system memory using the Heaven’s Gate technique to evade detection. Attackers also used Brute Ratel to maintain control over compromised systems, injecting payloads into legitimate processes such as dllhost.exe.

Organisations are advised to apply the latest SAP security patch and monitor for any suspicious activity.
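Because the reported chain is a request to the metadatauploader endpoint followed by use of a newly dropped JSP, web server access logs are a good place to hunt. The script below is an added example, not from SAP or the cited reporting; it parses constructed combined-format log lines (not real traffic), flags every request to the endpoint named above, and correlates later JSP requests from the same source address as possible web-shell interaction.

```python
import re

# Apache/NGINX combined-log shape; the sample below is constructed, not real traffic.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoint named in the CVE-2025-31324 reporting; it should not accept unauthenticated uploads.
UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"

SAMPLE_LOG = """\
203.0.113.10 - - [25/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5123
203.0.113.77 - - [25/Apr/2025:10:02:15 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 88
203.0.113.77 - - [25/Apr/2025:10:02:40 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 412
198.51.100.5 - - [25/Apr/2025:10:03:00 +0000] "GET /irj/portal/anonymous HTTP/1.1" 200 3011
198.51.100.5 - - [25/Apr/2025:10:03:30 +0000] "GET /irj/helper.jsp HTTP/1.1" 404 0
"""

def parse(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["path"] = ev["path"].split("?", 1)[0].lower()   # drop any query string
    ev["status"] = int(ev["status"])
    return ev

def detect(log_text):
    """Flag every hit on the upload endpoint, plus any JSP later served (HTTP 200)
    to the same source address. Findings are returned in log order."""
    findings, uploaders = [], set()
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        if ev["path"].startswith(UPLOAD_ENDPOINT):
            uploaders.add(ev["ip"])
            reason = "upload endpoint " + ("write (POST)" if ev["method"] == "POST" else "probe")
            findings.append({"ip": ev["ip"], "ts": ev["ts"], "path": ev["path"], "reason": reason})
        elif ev["path"].endswith(".jsp") and ev["ip"] in uploaders and ev["status"] == 200:
            findings.append({"ip": ev["ip"], "ts": ev["ts"], "path": ev["path"],
                             "reason": "jsp served after upload endpoint access"})
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} -> {f['reason']}")
```

Any flagged JSP path should then be checked on disk against the application's deployed files, since a JSP that was not shipped with the system is the web shell itself.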


NVIDIA Patches Three High-Severity Vulnerabilities in NeMo Framework - On 22 April 2025, NVIDIA released a patch for three high-severity vulnerabilities affecting all versions of the NeMo Framework prior to 25.02 across Windows, Linux, and macOS platforms. The vulnerabilities include:

  • CVE-2025-23249: A deserialisation of untrusted data vulnerability (CWE-502) that could allow remote code execution and data tampering.
  • CVE-2025-23250: A path traversal vulnerability (CWE-22) enabling arbitrary file writes, potentially leading to code execution and data tampering.
  • CVE-2025-23251: A code injection vulnerability (CWE-94) that could allow remote code execution and data tampering.

At the time of writing, there are no known instances of these vulnerabilities being exploited in the wild.

Organisations are advised to upgrade to NeMo Framework version 25.02 to mitigate potential security risks.


Potential Threats 

ToyMaker Facilitates CACTUS Ransomware Attacks by Selling Access Acquired via LAGTOY Malware - On 26 April 2025, The Hacker News reported that ToyMaker, a financially motivated initial access broker (IAB), has been using a custom malware family named LAGTOY to compromise organisations and sell access to the CACTUS ransomware group. ToyMaker, active since 2023, typically exploits known vulnerabilities in internet-facing servers to gain initial access.

Once inside, ToyMaker deploys LAGTOY, harvests credentials using tools like Magnet RAM Capture, and conducts reconnaissance. The credentials are then sold to ransomware groups like CACTUS, who use them to establish persistence, exfiltrate data, and deploy ransomware. Persistence mechanisms include OpenSSH, AnyDesk, and RMS Remote Admin. LAGTOY allows reverse shells and remote command execution, communicating with a hard-coded C2 server over port 443. The malware includes a watchdog that monitors service continuity.

To mitigate risks, organisations are advised to enhance credential security, patch vulnerabilities, and implement strict access control measures.


North Korean Threat Actors Use Russian IP Addresses for Cybercrime Campaigns - On 23 April 2025, Trend Micro reported that North Korean threat actors, aligned with the Void Dokkaebi intrusion set (tracked as PurpleBravo), used Russian IP addresses to access virtual private servers (VPS) globally for cybercrime activities. These VPSs were used to launch social engineering campaigns and cryptocurrency-related operations.

The campaigns targeted IT professionals in the US, Ukraine, and Germany, luring them into fake job interviews via fake companies like BlockNovas. These interviews deployed malware such as Beavertail, disguised as coding tests or software updates. The FBI seized the BlockNovas[.]com domain on 23 April 2025, reinforcing attribution to North Korean threat actors.

Trend Micro also uncovered that the threat actors used these IP addresses to crack cryptocurrency wallet passwords and perform other malicious activities, including accessing job recruitment platforms. Additionally, instructional videos on setting up Beavertail infrastructure and cracking passwords were discovered.

Organisations are advised to block the identified indicators of compromise (IOCs) and raise awareness about the risks of fake job postings to defend against similar campaigns.


Fake WooCommerce Patch Campaign Installs Hidden Admin Accounts and Web Shells - On 26 April 2025, BleepingComputer reported a phishing campaign targeting WooCommerce administrators with fraudulent security patches. These patches compromise WordPress websites by creating hidden admin accounts, deploying web shells, and establishing persistent backdoor access.

The attack uses social engineering tactics, such as spoofed security alerts, IDN homograph attacks, and multi-stage infections. Phishing emails impersonate WooCommerce, prompting users to download a patch from a spoofed domain. The malicious plugin creates cronjobs that establish hidden admin accounts and retrieve second-stage payloads, including PHP-based web shells like “P.A.S.-Fork” and “p0wny.” The attackers likely intend to exploit compromised sites for ad injection, DDoS botnets, card skimming, and ransomware.

Organisations are advised to restrict plugin installations, monitor for unusual admin activity, and only permit updates from trusted sources.


General News 

Marks & Spencer Cyber Incident Linked to Ransomware Group - On 22 April 2025, M&S disclosed a cyber incident that disrupted contactless payments, click-and-collect, and gift card usage across UK stores during the Easter weekend. On 25 April, the company suspended online orders, though physical stores stayed open and browsing remained available.

On 28 April, Sky News reported the attack was likely ransomware-related, with BleepingComputer attributing it to the Scattered Spider group, known for using social engineering tactics. The attackers reportedly deployed Dragon Force ransomware after stealing hashed credentials in February. M&S involved cybersecurity experts and notified the National Cyber Security Centre and the Information Commissioner’s Office. The investigation is ongoing.


Hitachi Vantara Discloses Ransomware Incident Linked to Akira Group – On 26 April 2025, Hitachi Vantara, a U.S.-based subsidiary of Hitachi, experienced a ransomware attack that disrupted internal systems, manufacturing operations, and remote support services. Cloud services and customer-managed environments remained unaffected.

On 28 April, BleepingComputer reported that informed sources linked the attack to the Akira ransomware group, which allegedly exfiltrated data and left ransom notes across compromised systems. Hitachi Vantara proactively took servers offline to contain the incident.

Akira, active since 2023, has breached over 250 organisations and extorted at least $42 million in ransom. The group’s extortion site did not list Hitachi Vantara at the time of reporting. The company has not officially confirmed the attackers’ identity, and the investigation continues.


EU Fines Apple and Meta for Violating Digital Markets Act – On 23 April 2025, the European Commission fined Apple €500 million and Meta €200 million for breaching the Digital Markets Act (DMA).

Apple was penalised for violating the anti-steering obligation by preventing app developers from directing users to alternative subscription options outside the App Store. Meta was fined for its "pay or consent" advertising model, which the Commission found undermines consumer choice by not offering an alternative service with less data usage. Both companies have announced plans to appeal, arguing that the fines are unfair and discriminatory.


Threat Actor Weekly Graph

Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.

Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.

Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.

Both intent and opportunity are scored out of 100 and are responsible for scoring the group’s severity. These updates can be seen below.



Severity scale: Limited, Basic, Moderate, High. Each column shows the previous and current value; NEW marks a group added to the landscape this week.

Threat Actor              Severity (previous > current)   Opportunity (previous > current)   Intent (previous > current)
BlueDelta                 High > High                     86 > 86                            35 > 25
Kimsuky                   High > High                     95 > 94                            30 > 30
RansomHouse Group         NEW > Basic                     NEW > 25                           NEW > 31
Silent Ransomware Group   NEW > Basic                     NEW > 25                           NEW > 30
Devman Ransomware Group   NEW > Basic                     NEW > 25                           NEW > 30


Global Trends Powered by Recorded Future

Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol. 

The spikes in references are calculated over 60 days and are normalised to ensure they aren’t disproportionate when compared to bigger entities that will naturally have more baseline mentions.

- Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
- Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.

Attackers                 Methods               Vulnerabilities   Targets
RALord Ransomware Group   Unauthorised access   CVE-2022-32666    SK Telecom
Play Ransomware Group     Password Spraying     CVE-2025-32432    Coincheck
Storm-1977                Play Ransomware       CVE-2025-31324    WooCommerce
BlueBravo                 Targeted Attacks      CVE-2025-23016    Marks & Spencer
Hunters International     Moriya                CVE-2025-58136    Grafana


Prominent Information Security Events

ToyMaker Facilitates CACTUS Ransomware Attacks by Selling Access Acquired via LAGTOY Malware

Source: Insikt Group, The Hacker News | Validated Intelligence Event

IOC: IP - 103.199.16[.]92

IOC: IP - 206.188.196[.]20

IOC: SHA256 - c1bd624e83382668939535d47082c0a6de1981ef2194bb4272b62ecc7be1ff6b

IOC: SHA256 - 5831b09c93f305e7d0a49d4936478fac3890b97e065141f82cda9a0d75b1066d

On 26 April 2025, The Hacker News reported that ToyMaker, a financially motivated initial access broker (IAB), has been using a custom malware family called LAGTOY to compromise organisations and sell access to the CACTUS ransomware group. Active since 2023, ToyMaker exploits known vulnerabilities in internet-facing servers to gain access, often targeting exposed systems to initiate infections.

Once inside, ToyMaker deploys LAGTOY (also known as HOLERUN), harvests credentials using tools like Magnet RAM Capture, and conducts reconnaissance to gather information. These stolen credentials are then sold to threat groups like CACTUS, who use them to establish persistence, exfiltrate data, and deploy ransomware. Persistence mechanisms reported in these attacks include OpenSSH, AnyDesk, eHorus Agent, and Remote Utilities for Windows Admin (RMS Remote Admin).

LAGTOY enables reverse shells and remote command execution, communicating with a hard-coded command-and-control (C2) server over port 443. The malware also incorporates a watchdog mechanism that checks for service continuity, ensuring the C2 connection is maintained. ToyMaker’s primary goal appears to be selling access to other cybercriminals, as no victim-specific data exfiltration was observed during its access phase.

To mitigate risks, organisations are advised to enhance credential security, patch vulnerabilities, and implement strict access control measures.


North Korean Threat Actors Use Russian IP Addresses for Cybercrime Campaigns

Source: Insikt Group, Bleeping Computer | Validated Intelligence Event

IOC: IP - 45.61.151[.]174

IOC: IP - 74.119.194[.]244

IOC: Domain - lianxinxiao[.]com

IOC: Domain - easydriver[.]cloud

On 23 April 2025, Trend Micro reported that North Korean cyber actors, associated with the Void Dokkaebi intrusion set (PurpleBravo), have been using Russian IP addresses to access virtual private servers (VPS) globally. These VPSs were then used for social engineering campaigns and cryptocurrency-related operations.

The campaigns primarily targeted IT professionals in the US, Ukraine, and Germany, luring them into fake job interviews conducted by fake companies like BlockNovas. These interviews delivered malware, such as Beavertail, disguised as coding tests or software updates. The FBI seized the BlockNovas domain on 23 April 2025, confirming North Korean involvement.

Trend Micro found that North Korean IT workers, based in Russia, China, and Pakistan, used these IP addresses to interact with job platforms, access cryptocurrency services, and launch brute-force attacks on cryptocurrency wallets. Researchers also discovered instructional videos on setting up Beavertail infrastructure and cracking cryptocurrency passwords using tools like Hashtopolis and Hashcat.

The PurpleBravo group has been using fake remote job postings to infiltrate international organisations and generate revenue. It has targeted cryptocurrency firms, online casinos, and software companies. Insikt Group’s April 25 report identified 10 active Beavertail C2 servers and 462 potential victims across 70 countries.

To mitigate these attacks, organisations are advised to block the identified indicators of compromise (IOCs) and raise awareness about the risks of fake job postings to defend against similar campaigns.


Remediation Actions

Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:

  • CVE-2017-11882 - To mitigate the risk, organisations should block the IOCs associated with this vulnerability.
  • CVE-2025-31324 - Apply the latest SAP security patch and monitor for any signs of suspicious activity within systems.
  • CVE-2025-23249, CVE-2025-23250 and CVE-2025-23251 - Upgrade to NeMo Framework version 25.02 or later.


If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.