Major Incidents and Breaches

  • SonicWall SMA100 Exploitation

    • SonicWall has confirmed active exploitation of two now-patched vulnerabilities in its SMA100 Secure Mobile Access appliances. Attackers are targeting unpatched systems in the wild.

  • UK Retailer Co-op Cyberattack

    • Co-op Food, a major UK supermarket chain, experienced limited operational disruption after a cyberattack, prompting the shutdown of some IT systems.

  • Ascension Healthcare Data Breach

    • Ascension, a large US healthcare provider, is notifying patients of a data breach stemming from a December 2024 third-party hacking incident, with personal and health information stolen.

  • Commvault Azure Breach

    • Data protection firm Commvault reported a breach of its Azure environment by a nation-state actor but stated customer backup data was not impacted.

  • Phishing Platform LabHost Takedown

    • The FBI released a list of 42,000 phishing domains tied to the dismantled LabHost phishing-as-a-service (PhaaS) operation, one of the largest of its kind.

  • RansomHub Ransomware Group Offline

    • The RansomHub ransomware-as-a-service operation’s infrastructure has gone dark since 1 April 2025, causing affiliates to migrate to other groups such as Qilin and DragonForce.

Newly Discovered Vulnerabilities and Exploitation

  • SonicWall SMA100 Flaws

    • Multiple vulnerabilities in SonicWall’s SMA100 appliances are being actively exploited. Patches are available, but unpatched systems remain at risk.

  • WordPress Plugin Backdoor

    • A malware campaign is distributing a malicious WordPress plugin disguised as a security tool, which injects a backdoor onto compromised sites.

  • AI Prompt Injection in Model Context Protocol (MCP)

    • Researchers have demonstrated that MCP is susceptible to prompt injection attacks, which can be leveraged for both offensive and defensive purposes in AI systems.

  • Windows 11 Update Issues

    • Microsoft confirmed that Windows 11 24H2 updates via WSUS are failing after recent security updates, though this appears to be an operational rather than security vulnerability.

Notable Threat Actor Activity

  • TheWizards APT (China-Aligned)

    • TheWizards APT group is abusing IPv6 SLAAC features to launch adversary-in-the-middle (AitM) attacks, hijacking software updates to distribute Windows malware, particularly targeting Asian gambling sectors. Their Spellbinder tool facilitates lateral movement and AitM operations.

  • Nebulous Mantis (Russian-speaking)

    • The Nebulous Mantis group has targeted NATO-linked entities with multi-stage malware attacks using the RomCom RAT since mid-2022.

  • Billbug (Lotus Panda) – China-Linked

    • Billbug has expanded cyber-espionage operations in Southeast Asia, deploying custom malware against government and private sector targets.

  • DarkWatchman Malware Resurgence

    • Hive0117, a financially motivated group, is conducting attacks against Russian industries using a retooled version of the DarkWatchman malware.

  • Scattered Spider Arrest

    • A suspected member of the Scattered Spider group was extradited from Spain to the US to face cybercrime charges.

  • North Korean IT Worker Infiltration

    • North Korea continues to covertly place IT workers in Western organisations, leveraging AI tools to enhance the effectiveness and stealth of their operations.

Trends, Tools, and Tactics

  • Infostealer Surge via Phishing

    • IBM X-Force reports an 84% year-on-year increase in infostealer malware delivered through phishing emails, underlining the growing threat from credential theft.

  • Phishing Campaigns Leveraging Current Events

    • Threat actors are exploiting crises such as the Iberian blackout by impersonating national airlines and offering compensation to lure victims.

  • DHS Impersonation for Phishing

    • Cybercriminals are impersonating the US Department of Homeland Security in phishing campaigns, exploiting fear around deportation efforts.

  • Customer Account Takeovers

    • Account takeover attacks remain a significant and costly issue, with attackers leveraging phishing and credential theft to compromise consumer and enterprise accounts.

  • AI Risks: Code Hallucinations & Deepfake Impersonation

    • AI-generated code is increasingly prone to ‘package confusion’ attacks due to hallucinated dependencies, raising supply chain risks.
    • AI-powered threats such as deepfakes and impersonation scams are becoming more prevalent, targeting identity systems.

  • Malicious Plugins and Supply Chain Risks

    • The use of malicious plugins, especially in widely used platforms like WordPress, highlights ongoing supply chain threats to web infrastructure.

Regulatory and Policy Developments

  • CISA Restructuring Delays

    • The release of the US Cybersecurity and Infrastructure Security Agency (CISA) restructuring plan is delayed due to internal hurdles and leadership changes.

  • WhatsApp vs NSO Group Legal Proceedings

    • Meta’s lawsuit against NSO Group over Pegasus spyware use is progressing, with experts predicting significant financial damages but ongoing concern about spyware proliferation.

  • Critical Infrastructure Security Challenges

    • DARPA and other US federal research agencies highlighted persistent challenges in securing critical infrastructure at RSAC 2025.

  • DHS and CISA Leadership Statements

    • US Department of Homeland Security and CISA leadership are calling for a renewed focus on efficiency and mission alignment within the agency.

Other Noteworthy Developments

  • WhatsApp ‘Private Processing’

    • WhatsApp introduced ‘Private Processing,’ a privacy-preserving technology enabling secure cloud-based AI features.

  • AI Content Detection

    • AI content detectors are reportedly becoming more reliable, supporting efforts to distinguish synthetic from human-generated content.

  • Secure Browser Recommendations

    • New expert reviews of secure browsers highlight evolving privacy and security features for end-user protection.