CyberSecurity Newsletter 26th May, 2025
In this week’s news: Hudson Rock releases a GPT built on leaked Black Basta group messages; the DragonForce ransomware gang fights a turf war with rival operators; Operation ENDGAME dismantles key ransomware infrastructure, taking down 300 servers and 650 domains and seizing €21.2M in crypto; Chinese-speaking threat actors exploit a critical zero-day vulnerability in Trimble’s Cityworks software; the FBI warns that the Silent Ransom Group has targeted U.S. law firms; the iOS application Sleep Journey: Insomnia Helper inadvertently exposes the personal and health data of more than 25,000 individuals; Cetus Protocol announces that hackers stole $223 million in cryptocurrency and offers a deal to stop all legal action if the funds are returned; and an indirect prompt injection flaw in GitLab's artificial intelligence (AI) assistant Duo could have allowed attackers to steal source code.
Hudson Rock Drops BlackBastaGPT: Built from 1M Internal Messages Leaked from Black Basta Ransomware Group. This AI chatbot is for threat intelligence researchers, letting you dive into Black Basta’s internal chats to unpack their ops, tactics, cash flow, and humor. It’s raw, real, and pulls straight from the data.
https://www.infostealers.com/article/hudson-rock-drops-blackbastagpt-built-from-1m-internal-messages-leaked-from-black-basta-ransomware-group/
Operation ENDGAME dismantled key ransomware infrastructure, taking down 300 servers, 650 domains, and seizing €21.2M in crypto. “A Command Post was set up at Europol headquarters in The Hague during the action week, with investigators from Canada, Denmark, France, Germany, the Netherlands, the United Kingdom and the United States working with Europol’s European Cybercrime Centre and its Joint Cybercrime Action Taskforce.”
Akamai researchers reveal a critical flaw in Windows Server 2025 dMSA feature that allows attackers to compromise any Active Directory user. Discovered by Akamai researcher Yuval Gordon, this privilege escalation vulnerability could allow malicious actors to gain full control over any user account within an organization’s AD, even with minimal initial access.
https://hackread.com/badsuccessor-exploits-windows-server-2025-takeover/
Chinese-speaking threat actors have exploited a critical zero-day vulnerability in Trimble’s Cityworks software, compromising multiple local government networks across the United States. The cyberattacks, active since January 2025, have been attributed to a threat group tracked as UAT-6382. The attackers used a deserialization flaw, now tracked as CVE-2025-0994, to perform remote code execution on Microsoft Internet Information Services (IIS) servers. Once inside, they deployed multiple tools to maintain persistent access and move laterally.
https://dailysecurityreview.com/security-spotlight/chinese-hackers-exploit-cityworks-zero-day-to-breach-u-s-local-government-systems/
Cybersecurity researchers have disclosed a malware campaign that uses fake NSIS software installers masquerading as popular tools such as LetsVPN and QQ Browser to deliver the Winos 4.0 framework. The campaign, first detected by Rapid7 in February 2025, uses a multi-stage, memory-resident loader called Catena together with antivirus evasion tactics.
The FBI warns that the Silent Ransom Group, active since 2022 and also known as Luna Moth, has targeted U.S. law firms for the past two years using callback phishing and social engineering. Linked to BazarCall campaigns, the group previously enabled Ryuk and Conti ransomware attacks. “The cyber threat actor Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, is targeting law firms using information technology (IT) themed social engineering calls, and callback phishing emails, to gain remote access to systems or devices and steal sensitive data to extort the victims.”
The Bumblebee malware SEO poisoning campaign uncovered earlier this week impersonating RVTools is using more typosquatting domains mimicking other popular open-source projects to infect devices used by IT staff. BleepingComputer was able to find two cases leveraging the notoriety of Zenmap, the GUI for the Nmap network scanning tool, and the WinMTR traceroute utility.
https://www.bleepingcomputer.com/news/security/bumblebee-malware-distributed-via-zenmap-winmrt-seo-poisoning/
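A defender-side check prompted by the item above, added here and not taken from the BleepingComputer report: classify domains seen in proxy or DNS logs as known-good, lookalike (project name embedded in the label, or one typo or swapped letter pair away from it), or unrelated. The project list, the allowlist and every domain below are constructed for illustration.

```python
# Added example (not from the report): flag domains that look like open-source
# project names, the lure used in the Zenmap/WinMTR SEO-poisoning campaign.
# The project names, the allowlist and every domain here are constructed.
from typing import Optional, Tuple

PROJECTS = {"nmap", "zenmap", "winmtr", "rvtools"}
KNOWN_GOOD = {"nmap.example", "winmtr.example"}  # constructed allowlist of real download sites


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def registrable_label(domain: str) -> str:
    """Second-level label without a public-suffix list: 'dl.zenmap-pro.example' -> 'zenmap-pro'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str) -> Tuple[str, Optional[str]]:
    """Return ('known-good' | 'lookalike' | 'unrelated', matched project or None)."""
    domain = domain.lower().strip(".")
    if domain in KNOWN_GOOD:
        return "known-good", None
    label = registrable_label(domain)
    # Longest names first so 'zenmap-download' is attributed to zenmap, not nmap.
    for project in sorted(PROJECTS, key=lambda p: (-len(p), p)):
        if project in label:  # brand embedded in the label, e.g. 'zenmap-download'
            return "lookalike", project
    # Otherwise allow one typo or one swapped pair per hyphen-separated token.
    best = None
    for token in label.split("-"):
        for project in sorted(PROJECTS):
            dist = osa_distance(token, project)
            if dist <= 1 and (best is None or dist < best[1]):
                best = (project, dist)
    return ("lookalike", best[0]) if best else ("unrelated", None)
```

Short project names make substring matching prone to false positives, so treat a "lookalike" verdict as a triage signal to enrich with registration date and hosting data, not as a block decision on its own.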
Coca-Cola is reportedly investigating a possible data breach after its name appeared on a dark web leak site operated by the Everest ransomware group. According to the attackers, the breach involved the exposure of personal details belonging to nearly 1,000 Coca-Cola employees, alongside internal corporate documents. The leak allegedly includes personally identifiable information (PII) such as employee ID data and HR-related files, including salary information. Several screenshots of the supposed stolen material were posted to the dark web as evidence by the threat actors.
https://dailysecurityreview.com/security-spotlight/coca-cola-investigates-alleged-data-breach-tied-to-everest-ransomware-group/
The iOS application Sleep Journey: Insomnia Helper, designed to assist users with sleep issues, has inadvertently exposed the personal and health data of more than 25,000 individuals due to a misconfigured Firebase database. The exposed data includes names, email addresses, dates of birth, gender, sleep patterns, habits such as alcohol and nicotine consumption, pre-sleep activities, and medication usage.
https://dailysecurityreview.com/security-spotlight/ios-sleep-app-exposes-personal-and-health-data-of-over-25000-users/
The Cybersecurity and Infrastructure Security Agency (CISA) on May 22 issued an advisory that Commvault has been monitoring cyber threat activity that was targeting applications hosted in its Microsoft Azure cloud environment. CISA said it believes the threat activity may be part of a larger campaign targeting various software-as-a-service (SaaS) companies’ cloud apps with default configurations and elevated permissions that lead to attackers stealing secrets.
https://www.scworld.com/news/cisa-warns-of-attacks-on-commvaults-microsoft-azure-environment
A new report from Cofense Intelligence reveals a troubling trend in cyberattacks: criminals are increasingly hijacking legitimate Remote Access Tools (RATs) to infiltrate computer systems. Unlike malicious software specifically designed for hacking, these tools are built for lawful purposes, often used by IT professionals in companies. Their genuine nature makes them particularly dangerous, as they can bypass traditional security measures and user suspicion.
https://hackread.com/connectwise-screenconnect-tops-abused-rats-2025/
Hackers Use TikTok Videos to Distribute Vidar and StealC Malware via ClickFix Technique. The malware known as Latrodectus has become the latest to embrace the widely-used social engineering technique called ClickFix as a distribution vector. "The ClickFix technique is particularly risky because it allows the malware to execute in memory rather than being written to disk," Expel said in a report shared with The Hacker News. "This removes many opportunities for browsers or security tools to detect or block the malware."
https://thehackernews.com/2025/05/hackers-use-tiktok-videos-to-distribute.html
The decentralized exchange Cetus Protocol announced that hackers stole $223 million in cryptocurrency and offered a deal to stop all legal action if the funds are returned. The project also announced a $5 million bounty for anyone providing relevant information leading to the identification and arrest of the attacker. Cetus Protocol is a decentralized exchange (DEX) and liquidity protocol operating on the Sui and Aptos blockchains.
https://www.bleepingcomputer.com/news/security/hacker-steals-223-million-in-cetus-protocol-cryptocurrency-heist/
DragonForce is fighting a “turf war” with rival ransomware operators as it seeks to assert its dominance in the cybercrime marketplace, according to new Sophos research. The group appears to be responsible for RansomHub’s infrastructure outage in late March 2025, which contributed to a significant fall in ransomware attacks in April.
https://www.infosecurity-magazine.com/news/dragonforce-turf-war-ransomware/
Cybersecurity researchers have discovered an indirect prompt injection flaw in GitLab's artificial intelligence (AI) assistant Duo that could have allowed attackers to steal source code and inject untrusted HTML into its responses, which could then be used to direct victims to malicious websites. GitLab Duo is an artificial intelligence (AI)-powered coding assistant that enables users to write, review, and edit code. Built using Anthropic's Claude models, the service was first launched in June 2023.
https://thehackernews.com/2025/05/gitlab-duo-vulnerability-enabled.html