VerSprite Weekly Threat Intelligence
Date Range: 03 March 2025 – 07 March 2025
Issue: 4th Edition
Security Triumphs of the Week
In a bold step against cyber threats, Google deployed AI-powered scam detection for Android, strengthening defenses against conversational fraud and phishing. The U.S. indicted multiple alleged Chinese hackers, sanctioning a company involved in cyber espionage, signaling a firm stance against state-backed cyber operations. Microsoft unmasked developers behind illicit AI tools used in deepfake scams, intensifying efforts to combat AI-driven fraud. Meanwhile, LibreOffice patched a critical vulnerability, preventing arbitrary script execution and securing document workflows. These developments underscore a multi-front cybersecurity push, combining legal action, AI-driven protection, and software security enhancements to counter evolving digital threats.
- International Authorities Shut Down Russian Crypto Exchange Linked to Ransomware Gangs
International law enforcement agencies, including the US Secret Service, FBI, Europol, and others, have shut down the Russian cryptocurrency exchange Garantex, known for laundering ransomware profits. Previously linked to criminal transactions involving groups like Conti and Hydra, Garantex was targeted by US sanctions in 2022 and EU sanctions recently. American prosecutors have charged two individuals alleged to be the exchange’s administrators. The seizure is part of broader international efforts to disrupt ransomware and cybercrime networks.
Read full article: The Register
- Google Rolls Out AI Scam Detection for Android
Google has introduced AI-powered scam detection on Android devices to protect users from conversational fraud. The feature leverages machine learning to identify suspicious calls and messages, warning users before they fall victim to scams. It aims to reduce financial fraud and social engineering attacks, providing real-time alerts based on detected risks. This initiative is part of Google’s broader security efforts to enhance user protection. With the rising threat of AI-driven scams, this proactive approach can help mitigate risks and safeguard Android users worldwide.
Read full article: The Hacker News
- U.S. Indicts Alleged Chinese Hackers for Cyber Espionage
The U.S. Justice Department has indicted 10 Chinese nationals accused of conducting cyber espionage operations for over a decade. The suspects allegedly targeted government agencies, tech firms, and journalists, stealing sensitive data to support state-sponsored intelligence operations. Alongside the indictment, the U.S. sanctioned a Chinese firm linked to the hacking campaigns. This legal action highlights growing efforts to hold cybercriminals accountable and disrupt malicious cyber activities targeting Western nations.
Read full article: Reuters
- LibreOffice Fixes Security Flaw Allowing Arbitrary Script Execution (CVE-2025-1080)
LibreOffice has released an update to patch CVE-2025-1080, a security flaw that allowed attackers to execute arbitrary scripts on a victim’s system. The vulnerability, which affected multiple versions of the office suite, could have been exploited to run malicious code via specially crafted documents. By releasing a timely patch, LibreOffice has eliminated a potential attack vector, reinforcing its commitment to user security and software integrity. Users are urged to update their software immediately.
Read full article: Security Online
- Microsoft Identifies Developers Behind AI-Powered Deepfake Tools
Microsoft has named the developers behind illicit AI tools used to generate deepfake celebrity content. The company’s cybersecurity teams collaborated with law enforcement to track and expose these malicious actors, aiming to disrupt the growing threat of AI-generated misinformation. This effort reflects Microsoft’s commitment to ethical AI development and the prevention of fraudulent AI misuse. By identifying and holding developers accountable, Microsoft helps mitigate the risks associated with AI-driven cybercrime.
Read full article: The Record
- Elastic Kibana Patches Critical Code Execution Vulnerability (CVE-2025-25015)
A critical security flaw (CVE-2025-25015) in Elastic Kibana has been patched, preventing remote code execution attacks. The vulnerability, rated CVSS 9.9, posed a major risk to organizations using Kibana for data visualization. Attackers could have exploited the flaw to gain unauthorized access and execute malicious commands. By addressing the issue swiftly, Elastic has ensured the continued security and reliability of its platform for enterprises relying on Kibana.
Read full article: Security Online
Security Setbacks of the Week
Recent cybersecurity trends highlight ransomware groups like Black Basta and Cactus adopting advanced malware such as BackConnect for persistent access. Intel 471 identifies threats including the sophisticated Anubis ransomware and state-sponsored actors like Seashell Blizzard (BadPilot campaign) exploiting widespread vulnerabilities. Over 37,000 VMware ESXi servers remain vulnerable to active exploitation, posing significant risks to global infrastructure. Additionally, North Korea’s Moonstone Sleet group is now leveraging Qilin ransomware, signaling evolving tactics among state-sponsored cyber attackers.
- Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal
Trend Micro reports that the Black Basta and Cactus ransomware groups have incorporated BackConnect malware into their operations. This tool enables attackers to establish persistent remote access to compromised systems, facilitating data exfiltration and further malicious activities. Since October 2024, these groups have predominantly targeted organizations in North America and Europe, with the United States being the most affected, experiencing 17 breaches.
Read full article: Trend Micro
- Intel 471’s March 2025 Cyber Threat Update
Intel 471’s March 2025 Cyber Threat Update highlights several significant cyber threats:
BadPilot Campaign: A subgroup within the Russian state-sponsored actor Seashell Blizzard has been exploiting vulnerabilities in widely used software since 2021, targeting sectors like energy and telecommunications.
Black Basta Leaks: Leaked internal chat logs from the Black Basta ransomware group reveal their tactics, including exploiting known vulnerabilities and using tools like Cobalt Strike. Key figures within the group have been identified.
Anubis Ransomware: Emerging in late 2024, Anubis operates under a Ransomware-as-a-Service model, targeting multiple systems and employing double extortion tactics.
Ghost Ransomware: Active since early 2021, Ghost ransomware exploits outdated software and firmware, affecting organizations across over 70 countries.
Auto-Color Linux Backdoor: A new Linux backdoor, Auto-Color, has been targeting universities and government organizations across North America and Asia.
Lotus Blossom: Active since at least 2012, the Lotus Blossom espionage group targets sectors like government and telecommunications in Southeast Asia, using new Sagerunex variants that leverage legitimate third-party cloud services.
Read full article: Intel 471
- Over 37,000 VMware ESXi Servers Vulnerable to Ongoing Attacks
BleepingComputer reports that over 37,000 internet-exposed VMware ESXi servers are vulnerable to CVE-2025-22224, a critical flaw in the VMCI component (a time-of-check/time-of-use race that leads to an out-of-bounds write) that is being actively exploited in the wild. An attacker with administrative privileges inside a guest VM can use it to execute code in the host’s VMX process, breaking the guest/host boundary; on a shared hypervisor that means one compromised tenant can reach every other VM on the host. Despite warnings and available patches, many servers remain unpatched, leaving them susceptible to attacks.
Read full article: Bleeping Computer
- North Korean Hackers Deploying Qilin Ransomware
According to BleepingComputer, Microsoft has observed Moonstone Sleet, a North Korean state-sponsored actor, deploying Qilin ransomware in recent attacks. This marks the first instance of this group using ransomware developed by a Ransomware-as-a-Service operator, indicating a shift in their tactics.
Read full article: Bleeping Computer
The New Emerging Threats
In a rapidly evolving threat landscape, cybercriminals are deploying more sophisticated and stealthy tactics to compromise critical systems. Desert Dexter enhances AsyncRAT for stealthier persistence, while a new PyPI malware silently drains Ethereum wallets by stealing private keys. The Eleven11bot botnet weaponizes 86,000 IoT devices, orchestrating large-scale DDoS attacks. Operation Sea Elephant intensifies its espionage efforts against research and government institutions in South Asia. Meanwhile, UNK_CraftyCamel leverages polyglot malware in precision phishing attacks, and Njrat exploits Microsoft Dev Tunnels for covert command-and-control operations. These developments underscore the growing sophistication of cyber threats, highlighting an urgent need for enhanced security measures and proactive threat intelligence.
- New Desert Dexter Drops Modified AsyncRAT
The Desert Dexter campaign has been observed using a modified version of AsyncRAT to infiltrate targeted systems. It employs obfuscation techniques and leverages legitimate remote access tools to gain persistence and exfiltrate sensitive data. The campaign disguises its payload as benign software to avoid detection. Researchers warn that its stealth tactics make it particularly dangerous for organizations with weak endpoint defenses. Threat actors are distributing it via phishing and social-media lures, exploiting user trust to execute the malicious payload.
Read full article: CyberPress
- New PyPI Malware Steals Ethereum Private Keys
A malicious Python package named set-utils has been identified on PyPI, targeting Ethereum wallets. Its name imitates legitimate utility libraries so that developers install it by mistake or pull it in as a mistyped dependency. Rather than scanning disk for wallet files, it hooks the wallet-creation functions of the eth-account library at import time, so that every private key generated or imported through the patched functions is captured, encrypted with an attacker-held public key, and exfiltrated; the exfiltration is hidden inside transactions sent to a public Polygon RPC endpoint, which looks like ordinary blockchain traffic to network monitoring. The campaign highlights the ongoing risks of supply chain attacks via open-source repositories. Developers should pin dependencies with hashes and treat any package that monkey-patches a cryptographic or wallet library as hostile until proven otherwise.
Read full article: Developer Tech
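The import-time hooking pattern described above, as an added example that is not the set-utils package's code: a constructed stand-in for a wallet library (not eth-account itself) is wrapped so that every key it creates is copied to the attacker, and a defender-side check shows why comparing a function's `__module__` is not enough once the attacker uses `functools.wraps`, while the code object's filename still gives the hook away. The `wallet` module, `install_hook` and `find_foreign_functions` are all assumptions made for illustration.

```python
"""Import-time hooking of a wallet library, and a check that catches it.

Added example: the 'wallet' module and the hook are constructed here to
mirror the behaviour reported for set-utils (wrapping key-creation
functions so every new key is captured); none of this is the package's
own code or eth-account's API.
"""
import functools
import types

# --- Constructed stand-in for a wallet library (not eth-account). ---
WALLET_SRC = '''
import secrets
def create_account():
    """Return (address, private_key_hex) for a fresh account."""
    priv = secrets.token_hex(32)
    return ("0x" + priv[:40], priv)
'''
wallet = types.ModuleType("wallet")
wallet.__file__ = "wallet.py"
# Compile with the module's own filename so co_filename matches __file__,
# exactly as it would for a library loaded from disk.
exec(compile(WALLET_SRC, "wallet.py", "exec"), wallet.__dict__)

# --- What a malicious dependency does when it is imported. ---
EXFILTRATED = []  # stands in for the attacker's collection channel


def install_hook(module):
    """Replace create_account with a wrapper that leaks every private key."""
    original = module.create_account

    @functools.wraps(original)  # copies __name__, __qualname__, __module__, __doc__
    def hooked():
        result = original()
        EXFILTRATED.append(result[1])  # capture the private key
        return result                  # caller sees normal behaviour

    del hooked.__wrapped__  # remove the obvious wraps() marker
    module.create_account = hooked


# --- Integrity check a defender can run after all imports are done. ---
def find_foreign_functions(module, names):
    """Return names whose code does not live in the module's own file.

    functools.wraps copies the name and __module__ attribute, so those are
    not trustworthy; it does not copy the code object, whose co_filename
    still points at the file where the wrapper was really defined.
    """
    foreign = []
    for name in names:
        fn = getattr(module, name)
        code = getattr(fn, "__code__", None)
        if code is None or code.co_filename != module.__file__:
            foreign.append(name)
        elif hasattr(fn, "__wrapped__"):
            foreign.append(name)
    return foreign


def demo():
    """Run the check before and after the hook is installed."""
    before = find_foreign_functions(wallet, ["create_account"])
    install_hook(wallet)
    _, key = wallet.create_account()
    after = find_foreign_functions(wallet, ["create_account"])
    # __module__ still reads "wallet": a naive check would pass.
    return before, after, key in EXFILTRATED, wallet.create_account.__module__


if __name__ == "__main__":
    print(demo())
```

The check is only as good as the moment it runs: a hook installed by a later import will not be seen, so run it after the application's imports are complete, and pair it with hash-pinned dependencies so the package that does the patching never gets installed in the first place.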
- Eleven11bot: New Botnet Compromises 86,000 Devices
The Eleven11bot botnet has infected over 86,000 IoT devices, primarily security cameras and network video recorders. It has been observed conducting large-scale DDoS attacks against telecommunications and gaming servers. Researchers believe the botnet operators exploit default credentials and weak passwords to gain control over vulnerable devices. Most infections have been detected in the United States, Canada, and the UK. Security teams are advised to enforce strong credentials and disable unnecessary remote access to mitigate risk.
Read full article: Cybersecurity Dive
- Operation Sea Elephant Cyberespionage Campaign
A sophisticated cyber-espionage campaign, dubbed Operation Sea Elephant, has been targeting research institutions, universities, and government agencies in South Asia. The attack begins with phishing emails containing malicious attachments, exploiting trust within academic and scientific communities. Once inside a network, attackers use custom plug-ins and trojans to exfiltrate sensitive data. The campaign is believed to be linked to state-sponsored actors focusing on long-term surveillance and intelligence gathering.
Read full article: CyberPress
- UNK_CraftyCamel Drops Polyglot Malware
A newly identified threat actor, UNK_CraftyCamel, is deploying polyglot malware: files that are valid in more than one format at once, so the component that inspects an attachment (for example, as a PDF or spreadsheet) sees one thing while the component that ultimately opens it (for example, as an archive or HTA) executes the embedded payload. The attack involves targeted phishing that delivers multi-stage payloads, making it difficult for signature-based tools keyed to a single file type to detect. This technique enables attackers to bypass email security and endpoint protection that trust a file’s declared extension. Researchers warn that this method could increase the success rate of phishing-based malware infections.
Read full article: Proofpoint
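A polyglot built and detected in code, as an added example that is not Proofpoint’s or the campaign’s own code: the sample builds a PDF/ZIP polyglot in memory (ZIP readers locate the central directory from the end of a file and tolerate leading data, PDF readers look for the header near the start), then runs a per-format check of the kind a mail gateway or sandbox can apply before trusting the declared extension. The file layout and the `assess` helper are assumptions made for illustration; the signature checks use the real PDF, ZIP, PE and OLE2 magic values.

```python
"""Build and detect a PDF/ZIP polyglot.

Added example (not Proofpoint's or UNK_CraftyCamel's code). The polyglot
below is constructed in memory; the payload bytes are a placeholder.
"""
import io
import zipfile


def build_pdf_zip_polyglot(payload_name="payload.hta",
                           payload=b"constructed stage-two placeholder"):
    """Constructed sample: a minimal PDF followed by a ZIP archive.

    ZIP parsers locate the end-of-central-directory record from the END of
    the file and accept leading bytes, so this opens as a ZIP. PDF parsers
    look for '%PDF-' in the first 1024 bytes, so it also opens as a PDF.
    """
    pdf = (b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
           b"2 0 obj<</Type/Pages/Kids[]/Count 0>>endobj\n"
           b"trailer<</Root 1 0 R>>\n%%EOF\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(payload_name, payload)
    return pdf + buf.getvalue()


def detect_formats(data):
    """Return the set of formats the bytes would parse as."""
    found = set()
    if b"%PDF-" in data[:1024]:           # PDF header may be preceded by junk
        found.add("pdf")
    if zipfile.is_zipfile(io.BytesIO(data)):  # scans for EOCD from the end
        found.add("zip")
    if data.startswith(b"MZ"):            # Windows PE executable
        found.add("pe")
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):  # OLE2 (legacy Office)
        found.add("ole")
    return found


def zip_entries(data):
    """List archive members hidden inside a file that also parses as a ZIP."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def assess(data, filename):
    """Gateway-style verdict: flag multi-format files and extension mismatches."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    formats = detect_formats(data)
    return {
        "formats": sorted(formats),
        "polyglot": len(formats) > 1,
        "extension_mismatch": bool(formats) and ext not in formats,
        "hidden_entries": zip_entries(data),
    }


if __name__ == "__main__":
    sample = build_pdf_zip_polyglot()
    print(assess(sample, "invoice.pdf"))
```

The point of the check is that each format is tested independently; a tool that stops at the first matching magic value, or trusts the MIME type the sender supplied, will see only the benign half of the file.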
- Njrat Exploits Microsoft Dev Tunnels
A new campaign leveraging Njrat malware has been identified, exploiting Microsoft’s Dev Tunnels for Command and Control (C2) communication. This variant can spread via USB devices and establish a persistent backdoor on infected systems. By abusing legitimate Microsoft services, attackers can bypass traditional network defenses. Security researchers recommend restricting USB access, monitoring for suspicious Dev Tunnel connections, and deploying behavior-based detection to mitigate this threat.
Read full article: GBHackers
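The “monitor for suspicious Dev Tunnel connections” advice above, turned into detection logic as an added example that is not from the GBHackers report: it parses constructed proxy log lines (the `src=… dst=… proc=…` layout is an assumed format, not any vendor’s schema), matches the `<tunnel-id>.<region>.devtunnels.ms` hostname shape that Dev Tunnels use, and flags non-developer hosts, unexpected client processes, and repeated connections to the same tunnel that look like beaconing. The allowlist and expected-process set are placeholders to tune per environment.

```python
"""Flag hosts that talk to Microsoft Dev Tunnels endpoints.

Added example, not from the GBHackers report. The log lines are constructed
in an assumed key=value format; DEV_ALLOWLIST and EXPECTED_PROCS are
placeholders for the real values in a given environment.
"""
import re
from collections import Counter

# Dev Tunnels hostnames have the shape <tunnel-id>[-<port>].<region>.devtunnels.ms
TUNNEL_RE = re.compile(r"(?:^|\.)([a-z0-9-]+)\.([a-z0-9]+)\.devtunnels\.ms$", re.I)

# Hosts where developers legitimately use Dev Tunnels (assumed placeholder).
DEV_ALLOWLIST = {"dev-ws-07"}

# Client processes expected to open tunnels (assumed; tune to your estate).
EXPECTED_PROCS = {"code.exe", "devtunnel.exe", "devenv.exe"}

# Constructed sample log, not real traffic.
LOG_LINES = """\
2025-03-05T09:12:01Z src=dev-ws-07 dst=abc123-8080.use.devtunnels.ms proc=code.exe
2025-03-05T09:12:44Z src=fin-pc-12 dst=k9x2q1w-443.euw.devtunnels.ms proc=server.exe
2025-03-05T09:13:02Z src=fin-pc-12 dst=k9x2q1w-443.euw.devtunnels.ms proc=server.exe
2025-03-05T09:13:21Z src=fin-pc-12 dst=k9x2q1w-443.euw.devtunnels.ms proc=server.exe
2025-03-05T09:14:00Z src=hr-pc-03 dst=update.microsoft.com proc=svchost.exe
2025-03-05T09:15:10Z src=dev-ws-07 dst=abc123-8080.use.devtunnels.ms proc=powershell.exe
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proc=(\S+)")


def parse(lines):
    """Yield (src, dst, proc) for each well-formed line; skip the rest."""
    for line in lines.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower(), m.group(3).lower()


def find_suspicious(lines, beacon_threshold=3):
    """Return sorted, deduplicated (src, reason) findings."""
    findings = set()
    hits = Counter()
    for src, dst, proc in parse(lines):
        if not TUNNEL_RE.search(dst):
            continue                      # not a Dev Tunnels endpoint
        hits[(src, dst)] += 1
        if src not in DEV_ALLOWLIST:
            findings.add((src, f"non-developer host contacted dev tunnel {dst}"))
        if proc not in EXPECTED_PROCS:
            findings.add((src, f"unexpected process {proc} used dev tunnel {dst}"))
    # Repeated contact with one tunnel from one host is the beaconing signal;
    # even an allowlisted developer box is worth a look when it exceeds it.
    for (src, dst), n in hits.items():
        if n >= beacon_threshold:
            findings.add((src, f"{n} connections to {dst} (possible C2 beaconing)"))
    return sorted(findings)


if __name__ == "__main__":
    for src, reason in find_suspicious(LOG_LINES):
        print(f"{src}: {reason}")
```

Because the traffic terminates at a legitimate Microsoft domain over TLS, destination reputation alone will not fire; the useful signals are who is connecting, from which process, and how regularly, which is why the rule keys on those three rather than on the domain by itself.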
In-Depth Expert CTI Analysis
The past week’s developments reveal a clear pattern of escalation in both state-sponsored cyber operations and organized cybercrime, highlighting the growing overlap between geopolitical objectives and financial motivations. This convergence points to a shift in the threat landscape where state actors are increasingly leveraging criminal infrastructure and tactics to achieve strategic goals while organized crime groups benefit from the resources and protection offered by state sponsorship.
Strategic Convergence of State-Sponsored and Criminal Cyber Activity
The indictment of Chinese hackers for long-term espionage, combined with North Korea’s Moonstone Sleet deploying Qilin ransomware, underscores how state-sponsored groups are now adopting tactics typically associated with criminal enterprises. Moonstone Sleet’s move from custom ransomware to a ransomware-as-a-service (RaaS) payload reflects a strategic shift toward scalable, profit-driven operations that simultaneously advance intelligence-gathering and financial disruption objectives.
The takedown of Garantex illustrates that financial infrastructure remains a key enabler of both state and non-state cyber operations. The successful international collaboration behind this action signals that law enforcement agencies are moving beyond reactive measures and into strategic disruption of cybercriminal supply chains. However, as with previous takedowns (e.g., Hydra), threat actors are likely to shift to alternative, more resilient platforms, potentially increasing reliance on decentralized finance (DeFi) and privacy coins to evade future sanctions.
Tactical and Operational Implications
- Persistence and Lateral Movement – The adoption of BackConnect malware by Black Basta and Cactus demonstrates a clear move toward maintaining long-term access to compromised networks. This suggests that threat actors are no longer focusing solely on quick payouts but are instead embedding themselves within networks to enable secondary extortion, espionage, and long-term disruption.
- Blending of Criminal and State Tactics – The Moonstone Sleet-Qilin connection indicates that state actors are adopting criminal techniques to generate operational funding and strategic leverage. This hybrid approach complicates attribution and response, as defenders must now treat criminal and state activity as part of a single, interconnected threat model.
- AI and Deepfake Threats – Microsoft’s exposure of deepfake developers points to a rising threat where AI-generated misinformation and impersonation will be weaponized for both financial fraud and strategic influence operations. Future operations may combine AI-generated media with traditional phishing and social engineering to enhance credibility and psychological manipulation.
- Supply Chain and IoT Exposure – The Eleven11bot botnet’s compromise of over 86,000 devices and the PyPI Ethereum wallet theft highlight the growing focus on supply chain and IoT weaknesses. Neither relied on a zero-day: one abused default and weak credentials, the other the trust developers place in a package name. The increasing reliance on open-source repositories and interconnected infrastructure creates a larger attack surface, with adversaries exploiting the weakest link in the supply chain.
Why It’s Happening
From an intelligence perspective, the increasing overlap between state-sponsored and criminal activity reflects the strategic benefits of this model:
- Plausible Deniability: State actors can mask operations as criminal activity to avoid direct attribution and political fallout.
- Resource Efficiency: Criminal groups provide ready-made infrastructure and expertise, reducing operational costs for state-backed campaigns.
- Diversification of Revenue Streams: Ransomware and financial fraud provide funding for sustained state-sponsored campaigns, making them more self-sufficient.
The blending of espionage and financial crime also reflects geopolitical tensions and economic pressures. With China and North Korea facing increased sanctions and trade restrictions, cyber operations offer both a strategic and economic lifeline. The expansion of AI-driven scams and deepfake technology suggests that psychological manipulation and influence operations will become more central to future campaigns.
Future Predictions and Strategic Outlook
- Increased Use of AI for Targeted Social Engineering: AI-driven scams and deepfakes will likely evolve to target high-value individuals and institutions. Expect to see AI-generated voices and faces used to bypass biometric and identity-based security measures.
- Expansion of Ransomware-as-a-Service by State Actors: North Korea’s adoption of Qilin ransomware signals that more nation-states will outsource ransomware campaigns to criminal groups to fund intelligence operations. RaaS platforms may begin offering more specialized, tailored attack models for state clients.
- Geopolitical Cyber Conflict Targeting Critical Infrastructure: State-backed campaigns are likely to target energy grids, telecommunications, and public sector networks. The success of Operation Sea Elephant in targeting research institutions suggests that intellectual property theft and sabotage will remain key strategic objectives.
- Financial Disruption and New Laundering Techniques: The takedown of Garantex will drive threat actors to more anonymous and decentralized financial platforms. Expect a rise in privacy coin adoption and the use of decentralized exchanges to bypass sanctions and laundering controls.
Recommendations and Defensive Strategy
- Harden Supply Chain Security: Implement stricter code signing policies, monitor open-source dependencies, and enforce software composition analysis (SCA) to mitigate supply chain attacks.
- Enhance AI-Based Threat Detection: Deploy AI-powered monitoring to detect social engineering attempts and deepfake-based manipulation.
- Improve Network Segmentation and Lateral Movement Defenses: BackConnect’s adoption highlights the need for strict access controls and behavioral-based monitoring to detect persistence.
- Monitor Cryptocurrency and Financial Flows: Expand collaboration with financial institutions and blockchain analytics firms to trace and disrupt illicit financial networks.
- Develop State-Level Cyber Defense Frameworks: The blending of state and criminal tactics requires national-level defensive strategies that combine military, intelligence, and financial sector expertise.
Conclusion
The cyber threat landscape is evolving into a complex ecosystem where state and criminal actors are increasingly collaborating and adopting each other’s tactics. Future defense strategies will require a holistic, adaptive approach that combines technical resilience, geopolitical awareness, and operational agility. The next phase of cyber conflict will not be fought solely on technical grounds; it will be shaped by economic and political pressures, with AI and ransomware serving as key operational weapons.