Major Incidents or Breaches

  • Hackers stole over $120 million from the Balancer DeFi crypto protocol by targeting its v2 pools.
  • A major breach at the Kansas City, Kansas, Police Department exposed a list of alleged officer misconduct, including dishonesty, sexual harassment, excessive force, and false arrests.
  • Everest ransomware group claimed responsibility for recent attacks, according to Check Point’s latest threat intelligence report.

Newly Discovered Vulnerabilities

  • XWiki (CVE-2025-24893): Exploit attempts have been observed against XWiki’s SolrSearch component, which allows arbitrary remote code execution. A patch was released in February.
  • Google Chrome: Two high-severity vulnerabilities in the V8 JavaScript engine (type confusion and inappropriate implementation) were disclosed, with Google awarding $100,000 in bug bounties.
  • Microsoft WSUS: An out-of-band update to patch an actively exploited Windows Server Update Service vulnerability has disabled hotpatching on some Windows Server 2025 systems.

Notable Threat Actor Activity

  • Lazarus Group targeted Web3 entities, using advanced tools and rapid exploitation of new vulnerabilities.
  • North Korea-linked Kimsuky group deployed a new backdoor, HttpTroy, disguised as a VPN invoice in a likely spear-phishing attack in South Korea.
  • Chinese APTs used new ‘Airstalk’ malware (PowerShell and .NET variants) in supply chain attacks, abusing AirWatch’s MDM API for C2 communication.
  • Cybercriminals are increasingly targeting logistics and freight networks by deploying remote monitoring and management (RMM) tools to hijack cargo and steal physical shipments.
  • Three former US cybersecurity professionals were indicted for conducting BlackCat (ALPHV) ransomware attacks against five US companies.
  • Ukrainian national Yuriy Igorevich Rybtsov (aka MrICQ) was extradited to the US to face charges related to the Jabber Zeus cybercrime operation.

Trends, Tools, or Tactics of Interest

  • AI Poisoning: New research indicates attackers can more easily poison AI models by introducing malicious data, increasing the risk of models producing harmful outputs.
  • Abuse of AI APIs: Microsoft identified the ‘SesameOp’ backdoor, which uses the OpenAI Assistants API as a covert C2 channel. Additionally, Claude AI APIs can be abused for data exfiltration via prompt injection.
  • Malicious VSCode Extensions: The ‘SleepyDuck’ remote access trojan was found in a fake Solidity extension on the Open VSX registry, using an Ethereum smart contract for C2.
  • Android Malware: BankBot-YNRK and DeliveryRAT trojans are actively stealing financial data from Android users, with BankBot-YNRK reportedly muting device alerts and draining cryptocurrency wallets, primarily targeting Indonesia.
  • TruffleNet Attack: Attackers use frameworks based on TruffleHog to leverage stolen credentials for AWS account compromise, leading to reconnaissance and business email compromise (BEC).
  • Device Code Phishing: Attackers are exploiting OAuth device flows, with significant differences in attack surfaces between Azure and Google.
  • Fake AI Apps: There is an increase in fake ChatGPT and AI-related apps in app stores, some containing adware or spyware.
  • SOC Operations: Security Operations Centers are increasingly overwhelmed by alert volumes, leading to a shift toward continuous exposure management and automation.
  • Generative AI in Malware Analysis: Generative AI is being used to accelerate reverse engineering of malware such as XLoader.

Regulatory or Policy Developments

  • OpenAI Safety Panel: A panel led by Zico Kolter at OpenAI now has the authority to halt the release of new AI systems if deemed unsafe.
  • Electrical Grid Security: Regulators and industry experts are advocating for the convergence of cyber and physical security strategies for the power grid, reflecting increased attack activity on critical infrastructure.