Major Incidents and Breaches

  • Marks & Spencer Cyberattack

    • Marks & Spencer, a major UK retailer, suffered a cyberattack resulting in widespread operational disruption and a projected profit loss of up to £300 million ($402 million). The company anticipates continued online disruptions until at least July.
  • Kettering Health Ransomware Attack

    • Kettering Health, a US healthcare network, experienced a ransomware attack leading to a system-wide outage and the cancellation of both inpatient and outpatient procedures.
  • Coinbase Data Breach

    • Cryptocurrency exchange Coinbase reported a data breach impacting 69,461 customers. Both customer and corporate data were stolen. Coinbase is offering a $20 million reward for information leading to the perpetrators.
  • Lumma Infostealer Disruption

    • Law enforcement agencies, with support from tech companies, disrupted the Lumma infostealer malware operation, seizing over 2,300 domains and dismantling a major malware-as-a-service infrastructure used globally.

Newly Discovered Vulnerabilities

  • Samlify SSO Critical Flaw

    • A critical authentication bypass vulnerability in Samlify allows attackers to impersonate admin users by injecting unsigned malicious assertions into otherwise signed SAML responses.
  • Unpatched Windows Server Flaw

    • A vulnerability in the delegated Managed Service Account (dMSA) feature of Windows Server, enabled by default, can be exploited to compromise Active Directory environments.
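One defensive gate against the assertion-injection pattern described under the Samlify item, written here as an added example rather than Samlify's own code: before any cryptographic XML-DSig verification, refuse every SAML assertion that does not carry its own enveloped signature referencing its own ID, so an unsigned assertion placed beside a signed one inside a signed Response is never consumed. The function names and the sample responses are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"


def check_assertions_signed(response_xml: str) -> list:
    """Structural gate, run before (not instead of) XML-DSig verification:
    every saml:Assertion must carry its own enveloped ds:Signature whose
    Reference URI is "#<that Assertion's ID>". An unsigned assertion is
    rejected even inside a signed Response. Returns the accepted IDs so the
    caller can limit NameID/attribute extraction to exactly those elements."""
    root = ET.fromstring(response_xml)
    accepted = []
    for assertion in root.iter(f"{{{SAML}}}Assertion"):
        aid = assertion.get("ID")
        sig = assertion.find(f"{{{DS}}}Signature")
        ref = None if sig is None else sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
        if not aid or ref is None or ref.get("URI") != f"#{aid}":
            raise ValueError(f"assertion {aid!r} is not covered by its own signature")
        accepted.append(aid)
    if not accepted:
        raise ValueError("response carries no assertion")
    return accepted


def response_is_acceptable(response_xml: str) -> bool:
    """True only when every assertion in the response is self-signed."""
    try:
        check_assertions_signed(response_xml)
        return True
    except (ValueError, ET.ParseError):
        return False


# Constructed samples: signature bodies are omitted because only the
# structure matters to this gate; a real response carries full signatures.
SIGNED = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    f'xmlns:saml="{SAML}" xmlns:ds="{DS}">'
    '<saml:Assertion ID="_a1"><ds:Signature><ds:SignedInfo>'
    '<ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>'
    '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
    '</saml:Assertion></samlp:Response>'
)
# The same response with a second, unsigned assertion injected beside it.
INJECTED = SIGNED.replace(
    '</samlp:Response>',
    '<saml:Assertion ID="_x9"><saml:Subject><saml:NameID>attacker-chosen'
    '</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>',
)
```

After the cryptographic check passes, extract the NameID only from the elements whose IDs this gate returned, never from the first Assertion the parser happens to find.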

Notable Threat Actor Activity

  • Russian State-Sponsored Campaigns

    • Russian APT28 (Fancy Bear/Forest Blizzard) has been actively targeting Western logistics and technology firms since 2022 to disrupt and surveil aid routes to Ukraine, exploiting email and VPN vulnerabilities.
  • PureRAT Malware Campaign Targeting Russian Firms

    • PureRAT malware activity has increased fourfold (4x) in 2025, driven by phishing campaigns targeting Russian businesses. These attacks deploy both PureRAT and PureLogs malware.
  • Chinese APTs Intensify Activity in Latin America

    • Beijing-sponsored groups such as Vixen Panda and Aquatic Panda, alongside financially motivated Chinese cybercriminals, have increased attacks on organisations in Central and South America.
  • Industrial Ransomware Surge

    • Multiple industrial firms, including Unimicron and Presto, have recently been hit by ransomware attacks, indicating a rising trend in targeting the manufacturing and industrial sector.
  • 3AM Ransomware Tactics

    • The 3AM ransomware group is employing sophisticated social engineering, including spoofed IT support calls and email bombing, to obtain remote access credentials from employees.

Trends, Tools, and Tactics

  • Dero Miner Cryptojacking via Docker API

    • Ongoing cryptojacking campaigns are exploiting exposed Docker APIs to deploy Dero cryptocurrency miners in containerised environments.
  • Malicious Chrome Extensions

    • Over 100 malicious Chrome browser extensions have been discovered impersonating legitimate brands (e.g., Fortinet, YouTube, VPNs) to steal cookies and enable remote code execution.
  • Malware Delivery via Social Media Ads

    • Fake Facebook ads and pages promoting counterfeit Kling AI are being used to distribute RAT malware, potentially reaching over 22 million users.
  • Malicious PWA JavaScript Redirects

    • New campaigns are injecting malicious JavaScript into websites to redirect mobile users to fraudulent Chinese adult-content Progressive Web Apps.
  • CI/CD Pipeline Security

    • Securing CI/CD workflows is receiving increased attention, with tools such as Wazuh being highlighted for monitoring and protecting automated development pipelines.
  • Phishing Detection Tactics

    • Rapid phishing detection remains a priority, with case studies such as Tycoon2FA illustrating the effectiveness of proactive monitoring and response.

Regulatory and Policy Developments

  • EU Sanctions on Stark Industries

    • The European Union has imposed sanctions on the web-hosting provider Stark Industries and its leadership for facilitating destabilising cyberattacks.
  • Russia Mandates Tracking App for Foreigners

    • Russia has introduced a law requiring all foreign nationals in the Moscow region to install a government tracking application.
  • NIST ‘LEV’ Equation

    • The US National Institute of Standards and Technology (NIST) has introduced the ‘LEV’ equation, providing a mathematical model to assess the likelihood of a vulnerability being exploited, potentially enhancing vulnerability management and prioritisation.