VerSprite Weekly Threat Intelligence

Date Range: 14 April 2025 – 18 April 2025

Issue: 10th Edition

Security Triumphs of the Week

This week showcased several proactive wins in cybersecurity. Google blocked over 5.1 billion harmful ads in 2024, tackling AI-powered scams head-on. Microsoft strengthened user security by disabling risky ActiveX controls in Office 365 and Office 2024. MITRE’s CVE contract was extended just in time, ensuring continued vulnerability coordination. ASEAN nations made strides in digital safety by aligning legal and enforcement frameworks. CISA also released critical guidance to protect against legacy Oracle Cloud credential risks, helping organizations fortify cloud defenses.

  • Google Blocked 5.1 billion Harmful Ads in 2024
    Google’s 2024 ad safety report revealed that the company blocked over 5.1 billion malicious ads and suspended 12.7 million advertiser accounts. A major contributor to this surge was the increasing use of AI-driven scams, including deepfakes and crypto fraud. Google enhanced its detection algorithms and implemented 30 new policies to counter evolving threat tactics. The Transparency Center initiative continues to provide visibility into ad enforcement practices, ensuring a safer browsing experience.
    Read full article: TechRadar
  • Cybersecurity in the AI Era: Evolve Faster Than the Threats or Get Left Behind
    As cybercriminals rapidly adopt AI and LLMs for automated attacks, defenders must also evolve. This article highlights the urgent need for AI-driven cybersecurity tools capable of real-time threat detection, contextual awareness, and autonomous response. Organizations are urged to invest in data-centric security strategies and develop skilled teams capable of navigating the complex AI threat landscape. Staying ahead of adversaries requires both technological agility and operational readiness.
    Read full article: The Hacker News
  • MITRE CVE Contract Extended Just Before Expiration
    MITRE’s contract to manage the Common Vulnerabilities and Exposures (CVE) system was officially extended just days before its scheduled expiration. The decision averts potential disruptions in the vulnerability disclosure ecosystem, which relies heavily on CVEs for tracking and coordination. MITRE’s continued stewardship ensures consistency and supports the growing need for standardized vulnerability identifiers across the cybersecurity industry.
    Read full article: The Cyber Express
  • Toward a Safer Digital ASEAN: Building Legal and Law Enforcement Synergy
    ASEAN nations are working to bolster cybersecurity by enhancing legal harmonization and fostering cross-border law enforcement collaboration. The initiative focuses on improving cybercrime investigation capabilities, aligning regulations, and establishing shared frameworks for threat intelligence. As regional cyber threats rise, ASEAN aims to create a unified digital defense strategy supported by international partnerships and institutional capacity building.
    Read full article: The Cyber Express
  • Microsoft to Disable ActiveX Controls in Office 365 and 2024
    Microsoft is making a critical security change by disabling ActiveX controls by default in Microsoft 365 and Office 2024. ActiveX has long been a favoured target for attackers deploying malware through malicious Office documents. This change reflects Microsoft’s commitment to reducing attack surfaces and protecting users from legacy threats. The shift is part of a broader modernization effort in Office security.
    Read full article: BleepingComputer
  • CISA Releases Guidance on Oracle Cloud Credential Risks
    CISA has issued an alert addressing credential exposure risks in legacy Oracle Cloud environments. The advisory warns of misconfigurations that may allow unauthorized access to sensitive cloud resources. Organizations using older Oracle setups are advised to rotate credentials, remove inactive accounts, and implement least-privilege principles. Enhanced monitoring and logging are also recommended to mitigate exploitation risks.
    Read full article: CISA

Security Setbacks of the Week

This week marked a surge in high-impact cyberattacks and strategic intrusions across multiple sectors. The Ghost ransomware group intensified its operations against manufacturing, education, and critical infrastructure, employing sophisticated post-exploitation techniques. Chinese state-backed actors, including APT41, were linked to ongoing cyber-espionage campaigns leveraging KeyPlug malware and compromised infrastructure. Widespread exploitation of vulnerable VPNs and firewalls exposed small-to-midsize businesses to deep network infiltration risks. The FBI’s IC3 report underscored a sharp rise in cybercrime losses—hitting $12.5B in 2024—driven largely by BEC, investment scams, and ransomware affecting core public services. Meanwhile, CYFIRMA flagged a coordinated rise in state-sponsored campaigns, highlighting the global scale and persistence of threat actor operations. Together, these incidents reflect the evolving threat landscape and underscore the urgent need for proactive patching, credential hygiene, and layered defense.

  • Ghost Ransomware Targets Critical Infrastructure and Education Sectors
    The Ghost ransomware gang has launched targeted attacks on organizations in the manufacturing, education, and critical infrastructure sectors. Utilizing Cobalt Strike, AnyDesk, and living-off-the-land binaries, attackers gain persistence and lateral movement before deploying payloads. Victims face data encryption and extortion tactics involving stolen file leaks.
    Read full article: GBHackers
  • KeyPlug Malware Found on Compromised Command Server
    A sophisticated KeyPlug malware variant linked to Chinese threat actor APT41 was discovered on a compromised command server. This strain is used for espionage and lateral movement within enterprise networks, often bypassing traditional detection tools. Researchers emphasize the use of stealthy encrypted communications and modular payloads to evade defense.
    Read full article: GBHackers
  • Exploitation of Network Edge Devices to Breach SMB Networks
    New findings show attackers are increasingly exploiting vulnerabilities in network edge devices—especially VPNs and firewalls—as a gateway into SMB networks. These devices are often under-patched and exposed, making them a soft target for initial access and staging malware like remote access trojans (RATs).
    Read full article: Infosecurity Magazine
  • FBI Reports $12.5B in Cybercrime Losses in 2024
    The FBI’s Internet Crime Complaint Center (IC3) report reveals a staggering $12.5 billion in losses last year, with Business Email Compromise (BEC) and investment scams leading the pack. Ransomware continues to plague critical services, with over 2,800 complaints from educational and infrastructure organizations.
    Read full article: IC3.gov
  • CYFIRMA Flags Escalating Cyber Campaigns by State-Backed Threat Actors
    CYFIRMA’s latest intelligence outlines heightened activity from nation-state actors, especially from China, targeting critical infrastructure across APAC and the US. Threat actors are weaponizing leaked credentials and exploiting unpatched systems to plant malware and conduct surveillance.
    Read full article: CYFIRMA

The New Emerging Threats

Multiple nation-state APTs escalated activity this week. Mustang Panda debuted stealthy backdoors and AV-killing tools, while UNC5174 hit Linux with fileless malware using WebSockets for C2. Fake PDF converters are spreading SectopRAT malware via cloned sites and fake CAPTCHAs. Slow Pisces is targeting crypto developers with LinkedIn lures and credential-stealing malware aimed at macOS. APT29 returned with a wine-themed phishing trap targeting diplomats, and Ghost ransomware surged globally, hitting 70+ countries with double extortion tactics.

  • Mustang Panda Expands Arsenal
    Chinese APT group Mustang Panda has unveiled a revamped version of its ToneShell backdoor, emphasizing stealth and evasion. The campaign introduces new tools like StarProxy for lateral movement and keyloggers Paklog and Corklog for data harvesting. Delivered through the SplatDropper, the campaign also uses a driver named SplatCloak to disable popular antivirus products. The use of a FakeTLS protocol further helps evade detection during C2 communication.
    Read full article: SecurityWeek
  • UNC5174 Targets Linux with Fileless Malware
    Chinese APT group UNC5174 has been conducting a stealthy campaign since late 2024, targeting Linux systems using fileless malware. The attack leverages SNOWLIGHT and a new VShell RAT, delivered via bash scripts and operating without leaving a footprint on disk. WebSockets are used for command-and-control, signaling high operational sophistication. The activity indicates a mix of cyber espionage and access brokering.
    Read full article: The Hacker News
  • Beware! Online PDF Converters Delivering Malware
    A new phishing campaign is mimicking the legitimate site pdfcandy[.]com to lure users into installing SectopRAT malware. Victims are deceived via fake CAPTCHAs and cloned interfaces into running PowerShell commands that download a ZIP file containing a password-stealing variant of ArechClient2. The malware uses MSBuild for stealth execution and steals credentials and sensitive information from infected machines.
    Read full article: CyberPress
  • Slow Pisces Targets Cryptocurrency Developers
    North Korean APT group “Slow Pisces” is targeting cryptocurrency developers through LinkedIn recruitment lures. The group sends fake coding challenges embedded with malware, including RN Loader and RN Stealer. These payloads are delivered only to validated victims, using checks such as IP address and geolocation to filter out researchers and sandboxes. Once infected, the malware harvests credentials and sensitive data, especially from macOS systems.
    Read full article: Unit 42 – Palo Alto Networks
  • Renewed APT29 Phishing Campaign Targets Diplomats
    APT29, linked to Russian intelligence, has launched a new spear-phishing campaign targeting European diplomatic entities. Disguised as a wine-tasting event, the emails contain GRAPELOADER, a loader that delivers an updated version of the WINELOADER backdoor. This modular malware supports stealthy operations, including data collection and persistence, showcasing the group’s continued focus on cyberespionage.
    Read full article: Check Point Research

In-Depth Expert CTI Analysis

The Summary

This week showed a sharp rise in complex cyberattacks, including targeted ransomware, stealthy malware campaigns, and state-backed intrusions. At the same time, security teams and governments made progress in reducing risks through cloud security updates, ad fraud prevention, and legal coordination. The overall picture highlights the need for organizations to act quickly, stay updated, and use layered defenses to stay ahead of evolving threats.

Proactive Defense and Strategic Foresight

There were several important defensive actions taken this week:

  • Google blocked over 5.1 billion harmful ads in 2024, reducing risks from AI-based scams and fake content.
  • Microsoft is disabling ActiveX controls in Office 365 and Office 2024, removing a long-time method used by attackers.
  • CISA released guidance on risks in older Oracle Cloud setups, helping organizations secure sensitive data.
  • ASEAN nations are working together on cybersecurity laws and enforcement, which will help fight cross-border cybercrime.
  • MITRE’s contract to manage CVE (Common Vulnerabilities and Exposures) was extended, which keeps vulnerability reporting stable.

These efforts show that defenders are making progress, but more work is needed as attackers also become smarter and faster.

Evolving Ransomware and Malware Tactics

Attackers are using new methods to avoid detection and maximize impact:

  • Ghost ransomware is spreading to more countries and using common tools like Cobalt Strike and AnyDesk to move through networks quietly.
  • Mustang Panda, a Chinese group, is using new backdoors and antivirus-disabling tools to stay hidden longer inside systems.
  • UNC5174 is targeting Linux servers with fileless malware that doesn’t leave traces on disk, making it harder to find.
  • North Korea’s group “Slow Pisces” is tricking cryptocurrency developers through fake job offers and malware disguised as coding tests.
  • Cybercriminals are creating fake PDF converter websites that trick users into downloading malware like SectopRAT, which steals login information.

These attacks use a mix of social engineering, trusted tools, and quiet methods to bypass traditional defenses.

State-Sponsored and Organized Cybercrime Convergence

Several government-linked threat groups were active this week:

  • APT41, linked to China, used KeyPlug malware and command servers to carry out spying operations.
  • APT29, connected to Russian intelligence, sent fake wine-tasting event emails to diplomats that contained malware.
  • North Korean actors targeted developers and cryptocurrency platforms to collect sensitive data and money.

These campaigns show how governments are using cyber operations not just for spying, but also for financial and political purposes, often using criminal techniques.

Operational and Tactical Implications

Organizations need to strengthen their day-to-day defenses in response to these threats:

  • Expect attackers to enter through exposed devices like VPNs and firewalls, especially in small or medium businesses.
  • Traditional antivirus tools may not detect fileless or memory-based malware; behavior-based detection is more effective.
  • Systems like Linux and macOS also need stronger protection, not just Windows.
  • Email security and phishing awareness should be a top priority, as many attacks still start with fake emails.

Being prepared means having tools in place to catch threats early, even before alerts go off.

Forward-Looking Recommendations

To stay protected, organizations should:

  • Move toward zero-trust security, where every device and user is treated as a possible risk until verified.
  • Use modern threat detection tools that focus on behavior, not just signatures.
  • Rotate cloud credentials often, remove old accounts, and use least privilege access.
  • Review cloud setups, especially in older systems like Oracle Cloud, to close any gaps.
  • Train security teams to actively hunt for signs of hidden malware and suspicious activity.

Additional Resources & Contact

VerSprite on LinkedIn

VerSprite on Twitter

Email VerSprite
