Major Incidents or Breaches

  • ConnectWise experienced a breach attributed to a “sophisticated nation state actor,” with subsequent targeting of ScreenConnect customers. Details remain limited.
  • Law enforcement took down AVCheck, an online service used by cybercriminals to test malware against commercial antivirus solutions prior to deployment.

Newly Discovered Vulnerabilities

  • Two critical vulnerabilities were identified in vBulletin forum software, with one confirmed as being actively exploited in the wild.
  • The Q1 2025 vulnerability and exploit report highlights ongoing high rates of published exploits, with notable vulnerabilities in SAP NetWeaver and Microsoft SQL Server among those actively targeted.
  • A PNG image was discovered containing concatenated payloads, demonstrating the continued use of file format manipulation for payload delivery.
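The "concatenated payload" trick in the last item works because PNG decoders stop reading at the IEND chunk and ignore whatever follows, and most also skip chunk types they do not recognise. The script below is an added example (not code from the original report or from the analysis it summarises) that walks a PNG's chunk list and reports the three things a renderer would silently ignore: bytes appended after IEND, non-standard chunk types, and chunks whose CRC does not match. The 1x1 image and the appended blob are constructed inline as sample input; the "MZ" bytes stand in for an executable header and are not a real binary.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG spec and its common extensions (APNG, eXIf).
KNOWN_CHUNKS = {
    "IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP", "sBIT",
    "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs", "sPLT", "tIME",
    "eXIf", "acTL", "fcTL", "fdAT",
}

# Magic bytes worth flagging when found after IEND.
MAGICS = [
    (b"MZ", "PE/DOS executable"),
    (b"\x7fELF", "ELF executable"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"#!", "script with shebang"),
    (PNG_SIGNATURE, "second PNG"),
]


def build_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Encode one chunk: 4-byte length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """A valid 1x1 RGB PNG, constructed here purely as sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # w, h, depth, RGB, ...
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter byte + one red pixel
    return (PNG_SIGNATURE + build_chunk(b"IHDR", ihdr)
            + build_chunk(b"IDAT", idat) + build_chunk(b"IEND", b""))


def identify_blob(blob: bytes) -> str:
    """Best-effort type guess for data appended after IEND."""
    for magic, name in MAGICS:
        if blob.startswith(magic):
            return name
    return "unknown"


def scan_png(data: bytes) -> dict:
    """Walk the chunk list and report what a decoder would ignore."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    report = {"chunks": [], "unknown_chunks": [], "crc_errors": [],
              "truncated": False, "trailing": b"", "trailing_type": None}
    while True:
        if pos + 12 > len(data):          # no room for length + type + CRC
            report["truncated"] = True    # file ended without a complete IEND
            report["trailing"] = data[pos:]
            break
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):               # declared length runs past EOF
            report["truncated"] = True
            report["trailing"] = data[pos:]
            break
        body = data[pos + 8:pos + 8 + length]
        (stored_crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        name = ctype.decode("latin-1")
        report["chunks"].append((name, length))
        if stored_crc != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            report["crc_errors"].append(name)
        if name not in KNOWN_CHUNKS:
            report["unknown_chunks"].append(name)
        pos = end
        if ctype == b"IEND":
            report["trailing"] = data[pos:]   # everything a decoder never reads
            break
    if report["trailing"]:
        report["trailing_type"] = identify_blob(report["trailing"])
    return report


if __name__ == "__main__":
    # Constructed sample: a clean image with a fake executable header appended.
    stuffed = build_minimal_png() + b"MZ\x90\x00" + b"A" * 32
    r = scan_png(stuffed)
    print("chunks:", r["chunks"])
    print("trailing bytes:", len(r["trailing"]), "type:", r["trailing_type"])
```

In triage the useful signal is usually the size of the trailing region relative to the image data; a 1 KB icon with 300 KB after IEND warrants a closer look even when the appended bytes carry no recognisable magic, since droppers often XOR or otherwise obscure the blob before appending it.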

Notable Threat Actor Activity

  • A China-linked threat actor tracked as “Earth Lamia” has been exploiting critical flaws in SAP NetWeaver and Microsoft SQL Server in attacks across Asia and Brazil, targeting exposed servers in sensitive sectors to steal data.
  • The German Federal Criminal Police Office (BKA) publicly identified “Stern,” the alleged leader of the Trickbot and Conti ransomware groups, as Vitaly Nikolaevich Kovalev, a 36-year-old Russian national.
  • A new malware campaign is distributing EDDIESTEALER, a Rust-based information stealer that bypasses Chrome’s app-bound encryption to exfiltrate browser data. The campaign leverages fake CAPTCHA verification pages (ClickFix) for social engineering.
  • The U.S. Treasury’s OFAC sanctioned Funnull Technology Inc., a Philippines-based company, for supplying the hosting infrastructure behind romance and cryptocurrency investment scam websites linked to more than $200 million in reported U.S. victim losses; the FBI issued an accompanying advisory. Such scams reportedly cost Americans billions of dollars annually.

Trends, Tools, or Tactics of Interest

  • Threat actors continue to exploit known vulnerabilities in widely used enterprise software (e.g., SAP, SQL Server, vBulletin) soon after disclosure.
  • Social engineering tactics, such as fake CAPTCHA pages, remain prominent in malware delivery campaigns.
  • Cybercriminals leverage online AV scanning services like AVCheck to refine malware evasion techniques.
  • There is increasing use of Rust for new malware families, as seen with EDDIESTEALER.
  • Pentera’s 2025 State of Pentesting report indicates attackers are focusing on specific high-value assets, with security teams facing challenges in prioritising remediation.
  • AI coding agents and tools are being rapidly adopted despite 96% of IT professionals acknowledging associated security risks, raising concerns about their potential to introduce vulnerabilities into software development and open source projects.

Regulatory or Policy Developments Affecting the Security Industry

  • The U.S. Treasury’s OFAC sanctions against Funnull Technology Inc. represent a continued policy focus on disrupting large-scale cyber-enabled financial fraud operations.
  • Law enforcement’s takedown of AVCheck demonstrates increased international collaboration targeting cybercrime-enabling infrastructure.