Executive Summary - Highlights of Cyber Threat Intelligence Digest
Vulnerabilities
Exploitation of CVE-2024-7399 in Samsung MagicINFO for RCE - On May 5, 2025, Arctic Wolf reported active exploitation of CVE-2024-7399 in Samsung MagicINFO 9 Server, a vulnerability disclosed in August 2024. Affecting versions prior to 21.1050, the flaw allows unauthenticated attackers to upload .jsp web shells via the SWUpdateFileUploadServlet class, enabling system-level command execution.
Exploitation began shortly after SSD-Disclosure released a proof-of-concept on April 30, 2025. Threat actors are using the vulnerability to deploy Mirai botnet variants.
Organisations are advised to upgrade to version 21.1050, monitor for suspicious POST requests, and isolate vulnerable servers.
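The two checks the advisory recommends, a version comparison against the fixed release and a review of web-server logs for POSTs to the upload servlet, can be scripted. The block below is an added example written for this digest, not code from Arctic Wolf or Samsung; the combined-log format, the request path containing the servlet class name, and the sample log lines are assumptions/constructed data. Beyond the single indicator in the text it also correlates a later .jsp request from the same source, which is the upload-then-call pattern a dropped web shell produces.

```python
import re
from dataclasses import dataclass

# "prior to 21.1050" is the vulnerable range stated in the digest
FIXED_VERSION = (21, 1050)
# servlet class named in the advisory; the request path used in the sample is an assumption
SERVLET_MARKER = "swupdatefileuploadservlet"

# Constructed access-log lines in combined log format (not real traffic)
SAMPLE_LOG = [
    '203.0.113.10 - - [05/May/2025:10:01:02 +0000] "GET /MagicInfo/login.htm HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/May/2025:10:02:15 +0000] "POST /MagicInfo/servlet/SWUpdateFileUploadServlet HTTP/1.1" 200 17 "-" "python-requests/2.31"',
    '198.51.100.7 - - [05/May/2025:10:02:16 +0000] "GET /MagicInfo/upload/sw_update.jsp HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '203.0.113.10 - - [05/May/2025:10:03:40 +0000] "GET /MagicInfo/premium/main.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)


@dataclass
class Finding:
    src: str
    ts: str
    uri: str
    reason: str


def parse_version(ver):
    """'21.1040' -> (21, 1040); tuples compare component-wise like a version number."""
    return tuple(int(part) for part in ver.strip().split("."))


def is_vulnerable_version(ver):
    return parse_version(ver) < FIXED_VERSION


def find_suspicious_requests(lines):
    """Flag POSTs to the upload servlet and any .jsp fetched afterwards by the same
    source, which is the upload-then-call pattern a dropped web shell produces."""
    findings = []
    uploaders = set()  # sources that have POSTed to the servlet so far
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line in a different format; skip it
        src, ts, method, uri = m.group("src", "ts", "method", "uri")
        path = uri.split("?", 1)[0].lower()
        if SERVLET_MARKER in path:
            if method == "POST":
                uploaders.add(src)
                findings.append(Finding(src, ts, uri, "POST to SWUpdateFileUploadServlet (file upload attempt)"))
            else:
                findings.append(Finding(src, ts, uri, f"{method} to SWUpdateFileUploadServlet"))
        elif path.endswith(".jsp") and src in uploaders:
            findings.append(Finding(src, ts, uri, "JSP requested after an upload from the same source (possible web shell)"))
    return findings


if __name__ == "__main__":
    print("21.1040 vulnerable:", is_vulnerable_version("21.1040"))
    for f in find_suspicious_requests(SAMPLE_LOG):
        print(f"{f.ts} {f.src} {f.uri} -> {f.reason}")
```

Feed it real access logs only after confirming the request path the deployed MagicINFO build uses for that servlet; the correlation rule is deliberately broad (any .jsp from an uploading source) so that a renamed web shell is still caught.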
Microsoft Warns Flaws in Kubernetes Deployments May Expose Sensitive Data - On May 5, 2025, Microsoft warned that insecure default Helm chart configurations in Kubernetes deployments expose workloads to serious risks, including unauthorised access, data leaks, and service abuse. These defaults often make services internet-accessible without proper network isolation or authentication.
Apache Pinot is notably affected, with components like pinot-broker and pinot-controller exposed via unauthenticated LoadBalancer services, leading to confirmed exploitation.
While no CVEs have been assigned, Microsoft urges organisations to avoid default settings, secure Helm charts, enforce MFA, and monitor for misconfigurations.
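The misconfiguration Microsoft describes is visible from the cluster's Service objects: anything of type LoadBalancer or NodePort is reachable from outside the cluster unless a source-range restriction is set. The block below is an added example written for this digest, not code from Microsoft or the Pinot project; it audits a structure shaped like `kubectl get svc -A -o json` output. The service names follow the Pinot components named above, but the namespaces, ports and addresses are constructed sample data.

```python
import json

# Constructed sample shaped like `kubectl get svc -A -o json` output (not real cluster data;
# names follow the Pinot components named in the digest, ports and addresses are invented)
SAMPLE_SERVICES = json.loads("""
{"items": [
  {"metadata": {"name": "pinot-broker", "namespace": "analytics"},
   "spec": {"type": "LoadBalancer", "ports": [{"port": 8099, "targetPort": 8099}]},
   "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.25"}]}}},
  {"metadata": {"name": "pinot-controller", "namespace": "analytics"},
   "spec": {"type": "NodePort", "ports": [{"port": 9000, "nodePort": 30900}]},
   "status": {"loadBalancer": {}}},
  {"metadata": {"name": "pinot-server", "namespace": "analytics"},
   "spec": {"type": "ClusterIP", "ports": [{"port": 8098}]},
   "status": {"loadBalancer": {}}},
  {"metadata": {"name": "grafana", "namespace": "monitoring"},
   "spec": {"type": "LoadBalancer", "loadBalancerSourceRanges": ["10.0.0.0/8"],
            "ports": [{"port": 3000}]},
   "status": {"loadBalancer": {"ingress": [{"hostname": "internal-lb.example.invalid"}]}}}
]}
""")

EXPOSING_TYPES = ("LoadBalancer", "NodePort")
WORLD = ("0.0.0.0/0", "::/0")


def find_exposed_services(svc_list):
    """Return services reachable from outside the cluster, unrestricted ones first."""
    findings = []
    for item in svc_list.get("items", []):
        meta, spec = item["metadata"], item.get("spec", {})
        stype = spec.get("type", "ClusterIP")  # ClusterIP is the default when type is omitted
        if stype not in EXPOSING_TYPES:
            continue
        # NodePort services answer on the node port; LoadBalancer services on the service port
        ports = [p.get("nodePort") if stype == "NodePort" else p.get("port")
                 for p in spec.get("ports", [])]
        ranges = spec.get("loadBalancerSourceRanges") or []
        # loadBalancerSourceRanges only constrains LoadBalancer services; NodePort is always open
        world_open = stype == "NodePort" or not ranges or any(r in WORLD for r in ranges)
        ingress = item.get("status", {}).get("loadBalancer", {}).get("ingress", [])
        findings.append({
            "namespace": meta["namespace"],
            "name": meta["name"],
            "type": stype,
            "ports": ports,
            "external": [i.get("ip") or i.get("hostname") for i in ingress],
            "exposure": "open" if world_open else "restricted",
        })
    findings.sort(key=lambda f: f["exposure"] != "open")  # stable sort keeps open ones first
    return findings


if __name__ == "__main__":
    for f in find_exposed_services(SAMPLE_SERVICES):
        print(f"{f['exposure']:10} {f['namespace']}/{f['name']} type={f['type']} "
              f"ports={f['ports']} external={f['external']}")
```

Every "open" line is a candidate for the fix Microsoft recommends: override the chart's service type to ClusterIP and publish it through an authenticated ingress instead. The exact Helm values key differs per chart, so check the chart's values.yaml rather than guessing it.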
BalloonFly Exploits Windows CLFS Zero-Day CVE-2025-29824 - On May 7, 2025, the ransomware-linked group BalloonFly exploited CVE-2025-29824, a zero-day vulnerability in the Windows CLFS driver, during an attack on a U.S. organisation. Although ransomware wasn’t deployed, the Grixba infostealer was used to extract sensitive data.
The attack likely began with the compromise of a vulnerable Cisco ASA firewall, followed by privilege escalation via the CLFS exploit. Microsoft patched the flaw in April 2025.
To mitigate risk, organisations should apply the patch, monitor for related artefacts, and check for suspicious scheduled tasks or unauthorised admin accounts.
Potential Threats
ClickFix Phishing Campaign Targets Portuguese Government, Finance, and Transport Using Lampion - On May 6, 2025, Unit 42 reported that threat actors used the Lampion infostealer in a phishing campaign targeting government, finance, and transport sectors in Portugal. Using a technique called ClickFix, attackers tricked users into pasting malicious PowerShell commands disguised as system fixes.
Phishing emails delivered ZIP files with HTML pages mimicking the Portuguese tax authority, initiating a multi-stage infection chain designed to evade detection. Although the final Lampion payload was not deployed, the campaign appears to be in testing.
We recommend that defenders monitor for clipboard-based PowerShell activity, obfuscated scripts, and suspicious use of rundll32.exe, as well as train users to avoid unsolicited system commands.
China-Linked Chaya_004 Exploiting CVE-2025-31324 in SAP Visual Composer - On May 8, 2025, Forescout reported that the Chinese threat actor Chaya_004 is exploiting the critical CVE-2025-31324 vulnerability in SAP NetWeaver Visual Composer 7.x, which allows remote code execution via malicious file uploads.
Exploitation attempts, targeting manufacturing environments, have been observed since April 29, 2025. Chaya_004 uses the flaw to deploy web shells and SuperShell backdoors, leveraging infrastructure hosted on Chinese cloud providers. Forescout identified over 500 IPs linked to the attack.
To mitigate risks, organisations should update SAP Visual Composer or apply the vendor’s workaround.
APT COLDRIVER Deploys LOSTKEYS Malware via Fake CAPTCHA Page - Between January and April 2025, the Russian threat group COLDRIVER (BlueCharlie) targeted Western government, military, and NGO entities using a new malware called LOSTKEYS.
Attacks began with a fake CAPTCHA page that tricked users into running a PowerShell command, leading to a multi-stage infection and deployment of LOSTKEYS. The malware exfiltrates files and system details to a C2 server. Google traced related activity back to December 2023, when LOSTKEYS was disguised as legitimate Maltego tools.
Organisations are advised to block indicators of compromise linked to COLDRIVER’s campaign.
General News
Threat Actors Abuse HMRC Agent Access in Tax Refund Fraud Targeting UK Accounting Firms - On May 7, 2025, accountingWEB reported that threat actors are targeting UK-based accountancy firms in a tax refund fraud campaign. Using vishing (voice phishing), attackers pose as legitimate business clients and follow up with emails containing malicious PDF attachments impersonating HMRC.
When opened, these deploy remote access tools (RATs) that allow attackers to disable antivirus software and access the HMRC Agent Gateway, where they file fraudulent VAT and CIS refund claims to divert funds to their accounts. The campaign mirrors similar HMRC-themed phishing activity reported earlier in 2025, indicating an ongoing focus on exploiting tax systems.
Organisations are advised to block unauthorised RATs through application controls and provide regular staff training to identify phishing threats.
Pearson Reports Data Breach Involving Corporate and Customer Info - On May 8, 2025, Pearson, a UK-based digital education company, confirmed a data breach in which unknown threat actors accessed outdated business records and client-related data. The breach, possibly linked to a January 2025 incident at its PDRI subsidiary, began after attackers found a GitLab access token exposed in a public .git/config file.
This token led to access across AWS, Google Cloud, Snowflake, and Salesforce, enabling the theft of sensitive data. Pearson said no employee data was involved and has since improved access controls and monitoring.
We recommend that defenders inspect public and internal repositories for Git configuration files containing embedded credentials, such as .git/config, and ensure that those credentials are removed and authentication tokens are rotated.
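The inspection recommended above can be automated: a git config file is a simple sectioned key/value format, and the two places a credential usually ends up are the userinfo part of an http(s) remote URL and an `http.extraheader` value carrying an Authorization header. The block below is an added example written for this digest, not code from Pearson or from Git; the sample config and its token are constructed placeholders, and the scanner only reports a redacted form of what it finds so the secret is not copied into a ticket.

```python
import os
import re
from urllib.parse import urlsplit

# Constructed sample of a leaked .git/config; the token and header are placeholders, not real secrets
SAMPLE_CONFIG = (
    "[core]\n"
    "\trepositoryformatversion = 0\n"
    "\tfilemode = true\n"
    '[remote "origin"]\n'
    "\turl = https://oauth2:glpat-PLACEHOLDER-NOT-A-REAL-TOKEN@gitlab.example.invalid/acme/app.git\n"
    "\tfetch = +refs/heads/*:refs/remotes/origin/*\n"
    '[http "https://gitlab.example.invalid/"]\n'
    "\textraheader = AUTHORIZATION: basic UExBQ0VIT0xERVI6UExBQ0VIT0xERVI=\n"
    '[remote "mirror"]\n'
    "\turl = git@github.com:acme/app.git\n"
)

KEY_RE = re.compile(r"^(?P<key>[\w.-]+)\s*=\s*(?P<value>.*)$")


def redact_url(url):
    """Keep scheme, user name and host so the finding is readable without repeating the secret."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port:
        host += f":{p.port}"
    user = f"{p.username}:***@" if p.username or p.password else ""
    return f"{p.scheme}://{user}{host}{p.path}"


def scan_git_config_text(text, source="<text>"):
    """Find credentials embedded in a git config: userinfo in http(s) remote URLs and
    http.extraheader values that carry an Authorization header."""
    findings = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("["):
            section = line  # e.g. [remote "origin"]
            continue
        m = KEY_RE.match(line)
        if not m:
            continue
        key, value = m.group("key").lower(), m.group("value").strip()
        if key == "url":
            p = urlsplit(value)
            # SSH-style remotes (git@host:path) have no scheme and carry no password
            if p.scheme in ("http", "https") and (p.username or p.password):
                findings.append({"source": source, "line": lineno, "section": section,
                                 "kind": "credential in remote URL",
                                 "evidence": redact_url(value)})
        elif key == "extraheader" and value.lower().startswith("authorization:"):
            findings.append({"source": source, "line": lineno, "section": section,
                             "kind": "Authorization header in http.extraheader",
                             "evidence": value.split(" ")[0] + " ***"})
    return findings


def scan_tree(root):
    """Walk a directory tree (checkouts, backups, web roots) and scan every .git/config found."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == ".git" and "config" in filenames:
            path = os.path.join(dirpath, "config")
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_git_config_text(fh.read(), source=path))
    return findings


if __name__ == "__main__":
    for f in scan_git_config_text(SAMPLE_CONFIG, source="sample .git/config"):
        print(f"{f['source']}:{f['line']} {f['section']} {f['kind']}: {f['evidence']}")
```

Point `scan_tree` at web document roots as well as developer machines, since a `.git` directory served by a web server is exactly how a config file becomes public. Each hit needs two actions, not one: remove the credential from the file (a credential helper or an SSH remote replaces it) and revoke and reissue the token, because removing it from the file does nothing about copies already taken.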
UK Legal Aid Agency Confirms Cyberattack Exposing Provider Payment Data - On May 6, 2025, Sky News reported that the UK’s Legal Aid Agency (LAA) suffered a cyberattack potentially compromising financial data of around 2,000 legal aid providers, including law firms, barristers, nonprofits, and service vendors.
In a letter to affected parties, the LAA indicated that payment-related data may have been accessed, but did not specify the exact type of information involved.
The method of intrusion and identity of the threat actors remain unknown. As of now, there are no dark web mentions of the incident.
Threat Actor Weekly Graph
Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.
Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.
Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.
Both intent and opportunity are scored out of 100 and are responsible for scoring the group’s severity. These updates can be seen below.
● Limited Severity | ● Basic Severity | ● Moderate Severity | ● High Severity

Threat Actor | Severity (previous → current) | Opportunity (previous → current) | Intent (previous → current)
---|---|---|---
FIN7 | ● High → ● High | ● 80 → ● 80 | ● 30 → ● 25
Kimsuky | ● High → ● High | ● 94 → ● 93 | ● 30 → ● 30
Pioneer Kitten | ● Moderate → ● Moderate | ● 57 → ● 60 | ● 25 → ● 25
Devman | NEW → ● Basic | NEW → ● 40 | NEW → ● 25
Anonymous | NEW → ● Basic | NEW → ● 35 | NEW → ● 30
Global Trends Powered by Recorded Future
Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol.
The spikes in references are calculated over 60 days and are normalised to ensure they aren’t disproportionate when compared to bigger entities that will naturally have more baseline mentions.
▲ Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
▲ Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.
Attackers | Methods | Vulnerabilities | Targets
---|---|---|---
Killnet ▲ | ClickFix ▲ | CVE-2024-26809 ▲ | Ledger ▲
Ministry Of Defence of the Russian Federation ▲ | Zero Day Exploit ▲ | CVE-2025-31324 ▲ | Drone ▲
Pakistani Hackers ▲ | Akira Ransomware ▲ | CVE-2025-27920 ▲ | Government - UK ▲
DieNet ▲ | Pegasus ▲ | CVE-2025-47203 ▲ | Linux ▲
Anonymous ▲ | Data Encrypted for Impact ▲ | CVE-2025-29824 ▲ | Legal Aid Agency ▲
Prominent Information Security Events
ClickFix Phishing Campaign Targets Portuguese Government, Finance, and Transport Using Lampion
Source: Insikt Group, Unit 42 | Validated Intelligence Event
IOC: SHA256 - 334dfbaefbf7e6301d2385f95d861eb6dae9018c48fb298a2cbf5f364fbcdb2d
IOC: IP - 5.8.9[.]77
IOC: URL - hxxp://18.116.63.61/ifeellike[.]php
On May 6, 2025, Unit 42 reported that threat actors behind the Lampion infostealer launched a targeted phishing campaign against Portugal’s government, financial, and transportation sectors between late 2024 and early 2025. The campaign featured a shift in initial access tactics, using the ClickFix technique - a method where users are tricked into manually executing a malicious PowerShell command disguised as a system fix.
The attack began with phishing emails containing ZIP files that included an HTML lure. This redirected users to a spoofed Portuguese tax authority site (autoridade-tributaria[.]com), instructing them to run the PowerShell command via the Windows Run dialog. This launched a multi-stage infection process involving obfuscated Visual Basic Scripts (VBS), system reconnaissance, anti-sandboxing checks, and scheduled tasks. Later stages dropped a 700 MB DLL loader with Portuguese-language export functions, designed to evade detection by fragmenting execution across unrelated processes.
Unit 42 did not observe deployment of the final Lampion payload, suggesting the campaign was in a testing phase or incomplete.
We recommend that defenders monitor for clipboard-based PowerShell activity, obfuscated scripts, and suspicious use of rundll32.exe, as well as train users to avoid unsolicited system commands. Defenders should also inspect scheduled tasks, block known C2 domains, and log VBS execution from startup directories.
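The detection points listed here (PowerShell launched from a pasted Run-dialog command, obfuscated scripts, rundll32.exe misuse, scheduled tasks, and VBS run from startup or user-writable locations) also cover the COLDRIVER fake-CAPTCHA chain in the Potential Threats section, which starts the same way. The block below is an added example written for this digest, not code from Unit 42 or Google; it scores Sysmon-style process-creation events against those points. The events, paths, the encoded blob and the DLL export name are constructed placeholders, and the field names follow a Sysmon-like shape that is an assumption about your telemetry.

```python
import re

# Paths an interactive user can write to; scripts or DLLs running from here deserve a look
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|programdata|public|downloads)\\", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
# Command-line fragments typical of a pasted "fix" command (hidden window, encoded, downloader)
PS_CUES = ("-w hidden", "-windowstyle hidden", "-enc", "-nop", "-ep bypass",
           "iex", "invoke-expression", "downloadstring", "invoke-webrequest", "frombase64string")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe")

# Constructed process-creation events in a Sysmon-like shape (not real telemetry;
# the encoded blob and the DLL export name are placeholders)
SAMPLE_EVENTS = [
    {"EventId": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -nop -enc AAAAPLACEHOLDERAAAA"},
    {"EventId": 2, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\user\AppData\Roaming\stage2.vbs"},
    {"EventId": 3, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\user\AppData\Local\Temp\loader.dll,Iniciar"},
    {"EventId": 4, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn Updater /sc onlogon /tr "wscript C:\Users\user\AppData\Roaming\stage2.vbs"'},
    {"EventId": 5, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -File "C:\Program Files\Vendor\health.ps1"'},
    {"EventId": 6, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the reasons an event matches the ClickFix chain (empty list = nothing seen)."""
    image, parent = _basename(ev["Image"]), _basename(ev["ParentImage"])
    cmd = ev["CommandLine"].lower()
    reasons = []
    if image in ("powershell.exe", "pwsh.exe"):
        if parent == "explorer.exe":
            reasons.append("PowerShell started from explorer.exe (Run dialog / pasted command)")
        cues = [c for c in PS_CUES if c in cmd]
        if cues:
            reasons.append("PowerShell hidden/encoded/download cues: " + ", ".join(cues))
    elif image in ("wscript.exe", "cscript.exe") and ".vbs" in cmd:
        if STARTUP_DIR.search(cmd):
            reasons.append("VBS executed from a Startup directory")
        elif USER_WRITABLE.search(cmd):
            reasons.append("VBS executed from a user-writable path")
    elif image == "rundll32.exe":
        if parent in SCRIPT_HOSTS:
            reasons.append(f"rundll32.exe spawned by script host {parent}")
        if USER_WRITABLE.search(cmd):
            reasons.append("rundll32.exe loading a DLL from a user-writable path")
    elif image == "schtasks.exe" and "/create" in cmd and USER_WRITABLE.search(cmd):
        reasons.append("scheduled task created that runs from a user-writable path")
    return reasons


def detect_clickfix(events):
    """Map EventId -> reasons for every event that scored at least one reason."""
    hits = {}
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits[ev["EventId"]] = reasons
    return hits


if __name__ == "__main__":
    for event_id, reasons in detect_clickfix(SAMPLE_EVENTS).items():
        print(event_id, "; ".join(reasons))
```

Each rule on its own will fire on some legitimate activity (administrators do paste PowerShell into the Run dialog), so treat a single reason as a lead and two or more reasons within one process tree, or a hit on the Startup-directory rule, as worth an analyst's time. Clipboard-based delivery leaves no file on disk before the first PowerShell process, which is why the parent-process relationship is the earliest signal available.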
China-Linked Chaya_004 Exploiting CVE-2025-31324 in SAP Visual Composer
Source: Insikt Group, FORESCOUT | Validated Intelligence Event
IOC: Hash - f1e505fe96b8f83c84a20995e992b3794b1882df4954406e227bd7b75f13c779
IOC: IP - 47.97.42[.]177
IOC: Domain - search-email[.]com
IOC: CVE-2025-31324 | CVSS Score 9.3 | Recorded Future Score: Very High - 99
On May 8, 2025, Forescout revealed that the Chinese threat actor Chaya_004 is actively exploiting the critical vulnerability CVE-2025-31324 in SAP NetWeaver Visual Composer 7.x. This remote code execution (RCE) flaw enables attackers to execute malicious code through file uploads. Since April 29, 2025, exploitation attempts have primarily targeted manufacturing environments.
Chaya_004 leverages CVE-2025-31324 to deploy web shells and additional payloads, including SuperShell backdoors, using infrastructure hosted on Chinese cloud providers. Forescout's analysis identified over 500 IP addresses across various autonomous system numbers (ASNs) and countries, all sharing indicators of compromise, such as uncommon certificates and open ports.
To mitigate the risk of exploitation, organisations are advised to update SAP NetWeaver Visual Composer to the latest patched version or implement the workaround outlined in the vendor’s advisory.
Remediation Actions
Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:
- CVE-2024-7399 - To mitigate, organisations should upgrade to version 21.1050, monitor for suspicious POST requests, and isolate vulnerable servers.
- Flaws in Kubernetes Deployments - Microsoft strongly advises organisations to avoid default configurations, harden Helm charts, enforce multi-factor authentication (MFA), implement strict network isolation, regularly scan for misconfigurations that expose workload interfaces, and monitor containers for suspicious activity.
- CVE-2025-29824 - We recommend installing the patch provided by Microsoft to reduce the risk of exploitation, monitoring for exploitation artefacts, and checking for abuse of scheduled tasks or unauthorised admin accounts.
If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.