Major Incidents or Breaches

  • Pearson Data Breach: Education giant Pearson suffered a cyberattack resulting in the theft of corporate and customer data.
  • Insight Partners Breach: Venture capital firm Insight Partners confirmed sensitive employee and investor data was stolen in a January 2025 cyberattack.
  • Toronto School District Ransomware: Toronto’s school district paid a ransom on the understanding that the stolen data would be deleted; the data was not deleted as promised.
  • Supply Chain Attacks on Open Source Packages:
    • The npm package ‘rand-user-agent’ (45,000 weekly downloads) was compromised to deliver a remote access trojan (RAT).
    • A malicious PyPI package targeting Discord developers was found to be distributing RAT malware since 2022.
  • Kickidler Software Abused: Ransomware operators are leveraging legitimate Kickidler employee monitoring software for post-compromise reconnaissance and credential harvesting.

Newly Discovered Vulnerabilities

  • SonicWall SMA 100 Flaws: Three vulnerabilities (including one actively exploited) in SonicWall SMA 100 appliances allow remote code execution as root. Patches have been released, and urgent remediation is advised.
  • Cisco IOS XE Critical Flaw: Cisco patched a maximum-severity vulnerability in IOS XE Software for Wireless LAN Controllers that allowed unauthenticated remote takeover via a hard-coded JWT (JSON Web Token). Because the token is baked into the software rather than issued per device, any attacker who can reach the affected service can present it.
  • SAP NetWeaver RCE (CVE-2025-31324): Chinese threat actors (Chaya_004) are actively exploiting this recent SAP NetWeaver remote code execution flaw.
  • End-of-Life Routers Compromised: The FBI warned that threat actors are compromising end-of-life routers to build proxy networks for cybercrime.

Notable Threat Actor Activity

  • Qilin Ransomware Surge: Qilin ransomware was the most prolific in April 2025, responsible for 72 data leak disclosures. Operators are using SmokeLoader and a new .NET loader (NETXLOADER).
  • Chinese APT (Chaya_004): Actively exploiting SAP NetWeaver RCE to deploy Golang-based SuperShell malware.
  • Russian State-Linked ColdRiver Group: Deploying new LostKeys data theft malware in espionage campaigns targeting Western governments, journalists, and think tanks.
  • MirrorFace Espionage: The MirrorFace group is targeting Japanese and Taiwanese government/public sector organisations with upgraded ANEL and new ROAMINGMOUSE malware.
  • Phishing Operations:
    • Industrial-scale crypto phishing operation using over 38,000 FreeDrain subdomains to steal wallet seed phrases.
    • CoGUI phishing kit targeting Japanese organisations with sophisticated detection-evasion capabilities.

Trends, Tools, or Tactics of Interest

  • Phishing Kits Bypassing MFA: Ongoing evolution of phishing kits with features designed to bypass multi-factor authentication, typically by proxying the real login page and relaying the one-time code or push approval in real time. This increases risk to organisations relying on OTP- or push-based MFA alone; phishing-resistant, origin-bound factors such as FIDO2/WebAuthn are not defeated by this relay technique.
  • Abuse of Legitimate Tools: Ransomware actors are increasingly using legitimate employee monitoring software (e.g., Kickidler) for internal reconnaissance and credential theft post-breach.
  • Open Source Supply Chain Risk: Continued targeting of popular npm and PyPI packages to deliver malware, highlighting persistent risks in software supply chains.
  • Email-Based Attacks Dominate Claims: Business email compromise and funds transfer fraud accounted for 60% of 2024 cyber-insurance claims, underscoring the prevalence and impact of email-based attacks.
  • Proxy Networks via EoL Routers: Threat actors are exploiting outdated routers to create large-scale proxy networks used in cybercrime infrastructure.
  • DDoS-for-Hire Disruption: International law enforcement (Operation PowerOFF) took down nine DDoS-for-hire domains, reflecting ongoing efforts to disrupt cybercrime services.
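
The following script illustrates the MFA-bypass point above by simulating an adversary-in-the-middle phishing proxy against two second factors. It is an added example, not code from the original digest or from any named vendor. The TOTP half implements RFC 6238 exactly; the WebAuthn half is a simplified model in which an HMAC over a per-credential secret stands in for the authenticator's ECDSA private key (an assumption made so the script runs offline), but the origin check is the same one a real relying party performs on clientDataJSON. The origins, secrets and challenge values are constructed for the example.

```python
"""AiTM phishing relay vs. TOTP and origin-bound WebAuthn (added example, simplified model)."""
import base64
import hashlib
import hmac
import json
import os
import struct

RP_ORIGIN = "https://login.example.com"      # legitimate relying party (constructed)
PHISH_ORIGIN = "https://login-example.com"   # attacker's look-alike proxy (constructed)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the code a user reads off an authenticator app."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpServer:
    """Server side of TOTP: it can only check that the code is correct for the current window."""
    def __init__(self, secret: bytes):
        self.secret = secret

    def verify(self, code: str, unix_time: int) -> bool:
        return hmac.compare_digest(code, totp(self.secret, unix_time))


class Authenticator:
    """Simplified FIDO2 authenticator. HMAC stands in for the credential's private key (assumption)."""
    def __init__(self, cred_secret: bytes):
        self.cred_secret = cred_secret

    def get_assertion(self, challenge: str, origin: str):
        # The browser, not the user, fills in the origin of the page that requested the assertion,
        # and the signature covers it, so a proxy cannot swap it out afterwards.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True
        ).encode()
        sig = hmac.new(self.cred_secret, client_data, hashlib.sha256).hexdigest()
        return client_data, sig


class WebAuthnServer:
    """Relying party: checks challenge, origin and signature before accepting the assertion."""
    def __init__(self, cred_secret: bytes, origin: str):
        self.cred_secret = cred_secret
        self.origin = origin

    def new_challenge(self) -> str:
        return base64.urlsafe_b64encode(os.urandom(16)).decode().rstrip("=")

    def verify(self, challenge: str, client_data: bytes, sig: str) -> bool:
        data = json.loads(client_data)
        if data.get("type") != "webauthn.get" or data.get("challenge") != challenge:
            return False
        if data.get("origin") != self.origin:      # the check that defeats the relay
            return False
        expected = hmac.new(self.cred_secret, client_data, hashlib.sha256).hexdigest()
        return hmac.compare_digest(sig, expected)


def aitm_against_totp(unix_time: int = 1_700_000_000) -> bool:
    """Victim types the app's code into the phishing page; the proxy replays it within the 30 s window."""
    secret = b"12345678901234567890"            # constructed shared secret
    server = TotpServer(secret)
    code_typed_into_phish_page = totp(secret, unix_time)
    return server.verify(code_typed_into_phish_page, unix_time)   # True: TOTP is relayable


def aitm_against_webauthn() -> bool:
    """Proxy starts a real login, forwards the challenge, but the victim's browser is on the phishing origin."""
    cred = os.urandom(32)
    server = WebAuthnServer(cred, RP_ORIGIN)
    authenticator = Authenticator(cred)
    challenge = server.new_challenge()
    client_data, sig = authenticator.get_assertion(challenge, PHISH_ORIGIN)
    return server.verify(challenge, client_data, sig)             # False: origin mismatch


def legitimate_webauthn() -> bool:
    """Same flow with the user on the real site, to show the check is not simply rejecting everything."""
    cred = os.urandom(32)
    server = WebAuthnServer(cred, RP_ORIGIN)
    authenticator = Authenticator(cred)
    challenge = server.new_challenge()
    client_data, sig = authenticator.get_assertion(challenge, RP_ORIGIN)
    return server.verify(challenge, client_data, sig)             # True


if __name__ == "__main__":
    print("TOTP relayed through AiTM proxy accepted:", aitm_against_totp())
    print("WebAuthn relayed through AiTM proxy accepted:", aitm_against_webauthn())
    print("WebAuthn from the real origin accepted:", legitimate_webauthn())
```

The TOTP outcome is the same for push-to-approve and SMS codes: anything the user can be induced to hand over or approve can be forwarded by the proxy. The WebAuthn outcome depends entirely on the relying party actually comparing the origin against its expected value; a server that skips that comparison is relayable again.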

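As a practical check for the npm and PyPI supply-chain items above (the compromised rand-user-agent release and the malicious Discord-targeting PyPI package), here is an added example of a dependency audit run over lockfiles: it flags pinned versions that appear on a blocklist, npm packages that declare an install script (the usual delivery mechanism for a dropped RAT), and unpinned PyPI requirements. This is not code from the digest or from npm/PyPI; the blocklist entries, version numbers and the second package name are constructed placeholders, and the `hasInstallScript` flag is the real field written by npm in lockfile version 2 and 3.

```python
"""Audit package-lock.json and requirements.txt against a blocklist (added example)."""
import json
import re
from dataclasses import dataclass

# Constructed blocklist: ecosystem -> package name -> versions known to be compromised.
# The versions here are placeholders; in practice this comes from an advisory feed.
BLOCKLIST = {
    "npm": {"rand-user-agent": {"9.9.9"}},
    "pypi": {"discord-helper-evil": {"0.0.3"}},   # constructed name, not the real package
}


@dataclass(frozen=True)
class Finding:
    ecosystem: str
    name: str
    version: str
    reason: str


def normalize_pypi(name: str) -> str:
    """PEP 503 normalisation so Discord_Helper.Evil and discord-helper-evil compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_package_lock(lock_text: str) -> list:
    """Walk the 'packages' map of a lockfileVersion 2/3 package-lock.json."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:                      # "" is the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]   # handles nested and @scoped paths
        version = meta.get("version", "")
        if version in BLOCKLIST["npm"].get(name, ()):
            findings.append(Finding("npm", name, version, "version on blocklist"))
        if meta.get("hasInstallScript"):
            findings.append(Finding("npm", name, version, "runs an install script"))
    return findings


def audit_requirements(text: str) -> list:
    """Check a requirements.txt: pinned blocklisted versions and anything not pinned with ==."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.-]+)\s*==\s*([^\s;]+)", line)
        if not m:
            findings.append(Finding("pypi", line, "", "not pinned with =="))
            continue
        name, version = normalize_pypi(m.group(1)), m.group(2)
        if version in BLOCKLIST["pypi"].get(name, ()):
            findings.append(Finding("pypi", name, version, "version on blocklist"))
    return findings


# Constructed sample inputs standing in for real project files.
SAMPLE_LOCK = json.dumps({
    "name": "demo",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "dependencies": {"rand-user-agent": "9.9.9", "left-pad": "1.3.0"}},
        "node_modules/rand-user-agent": {"version": "9.9.9", "hasInstallScript": True},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})
SAMPLE_REQS = "requests==2.32.3\nDiscord_Helper.Evil==0.0.3  # constructed\nflask\n"


if __name__ == "__main__":
    for f in audit_package_lock(SAMPLE_LOCK) + audit_requirements(SAMPLE_REQS):
        print(f"[{f.ecosystem}] {f.name} {f.version}: {f.reason}")
```

Run it as a pre-merge check on the committed lockfile rather than on `node_modules` or the virtualenv, so the audit sees the exact versions the build will resolve. The install-script finding is noisy for native packages that legitimately compile on install, so treat it as a review prompt rather than a block.
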
Regulatory or Policy Developments

  • CVE Database Concerns: Industry discussion is intensifying around the future and timeliness of the CVE vulnerability database, with calls for reform to address delays and improve vulnerability coordination.
  • Leadership Change at FBI Cyber Division: The head of the FBI’s Cyber Division, Bryan Vorndran, is expected to retire, potentially impacting US cyber policy and enforcement priorities.