VerSprite Weekly Threat Intelligence
Date Range: 05 May 2025 – 09 May 2025
Issue: 13th Edition
Security Triumphs of the Week
This week marked a powerful stand against cyber threats, with global law enforcement and government agencies delivering heavy blows to cybercriminal infrastructure. Europol dismantled six major DDoS-for-hire services, while U.S. and Dutch forces took down a massive 7,000-device IoT botnet. The LockBit ransomware gang suffered a major breach of its admin panel, exposing internal secrets. The Pentagon launched offensive cyber ops targeting transnational crime, and the Black Kingdom ransomware admin was finally indicted.
- Europol Shuts Down Six DDoS-for-Hire Services Used in Global Attacks
Europol, in collaboration with international law enforcement, successfully dismantled six major DDoS-for-hire platforms that enabled cyberattacks across the globe. The services were used by thousands of customers to launch attacks against businesses, public infrastructure, and private networks. The takedown is part of Operation PowerOFF, which has been targeting such services since 2018. Authorities also seized related domains and infrastructure, and investigations continue to identify platform users. This marks a significant win against the cybercrime-as-a-service ecosystem.
Read full article: Thehackernews
- LockBit Ransomware Admin Panel Hacked, Leaks Reveal Inside Details
In a major breach of the cybercriminal world, an unknown actor has compromised the admin panel of the LockBit ransomware group, leaking sensitive internal data. The leak reveals details about LockBit’s affiliate management, ransomware builds, negotiations, and revenue. This rare insider-level access offers law enforcement and security researchers critical intelligence into the group’s operations. It further destabilizes LockBit, which has already suffered reputational and operational setbacks in 2024–2025.
Read full article: Securityweek
- Pentagon Deploys Offensive Cyber Ops to Target Criminal Orgs, Bolster Border Security
The U.S. Department of Defense has authorized offensive cyber operations aimed at disrupting criminal cartels and trafficking networks impacting southern border security. These operations, carried out by U.S. Cyber Command, signal a shift toward proactive disruption of digitally enabled organized crime. Officials confirmed that these cyber strikes have already degraded cartel communications and logistics. This approach reflects growing recognition of cyber capabilities as part of national defense and law enforcement strategy.
Read full article: Breakingdefense
- US Authorities Indict Black Kingdom Ransomware Admin
The U.S. Department of Justice has officially indicted the alleged administrator of the Black Kingdom ransomware group, which targeted organizations globally with encryption-based extortion. The suspect is accused of deploying ransomware, stealing data, and demanding cryptocurrency payments from victims between 2020 and 2023. The indictment is a key legal milestone, reinforcing the U.S. commitment to holding cybercriminals accountable, even when operating abroad. This builds on recent momentum against ransomware actors.
Read full article: Securityaffairs
- BREAKING: 7,000-Device Proxy Botnet Using IoT, EoL Systems Dismantled in U.S.-Dutch Operation
A joint operation between U.S. and Dutch authorities has dismantled a massive 7,000-device proxy botnet made up of IoT devices and end-of-life (EoL) systems. The infrastructure was being used for anonymizing cybercriminal activity and relaying malicious traffic. Many infected devices were in residential and small business environments, highlighting ongoing risks from unpatched and unsupported systems. The operation disrupted criminal anonymity services and is a wake-up call for improved IoT security hygiene.
Read full article: Thehackernews
Security Setbacks of the Week
This week showcased a range of high-impact cyberattacks and vulnerabilities. The reappearance of Inferno Drainer and the Luna Moth phishing campaign highlights the persistent threat of sophisticated social engineering targeting individuals and enterprises alike. Meanwhile, the Rhysida ransomware gang’s breach of a national government underscores the ongoing risk posed to state institutions in developing regions. Finally, a zero-click UDP flaw in Windows Deployment Services marks a serious concern for IT teams relying on automated systems. Together, these setbacks reveal a cyber landscape where both social and technical attack vectors are rapidly evolving and converging.
- Inferno Drainer Returns, Stealing Millions via Crypto Phishing
Inferno Drainer, a notorious crypto wallet-draining malware-as-a-service, is active again. It’s being used in large-scale phishing campaigns tricking victims into fake airdrops and NFT giveaways. With support for over 100 wallet brands and enhanced obfuscation techniques, this campaign has already netted millions in stolen funds.
Read full article: Infosecurity
- Luna Moth Phishing Campaign Masquerades as IT Helpdesk
The Luna Moth group is impersonating internal IT support teams in U.S.-based firms to trick users into installing remote access tools. These social engineering attacks leverage urgency, such as fake software issues, to breach corporate networks and steal data. The attackers are using fake domains resembling internal support addresses.
Read full article: Technijian
- Rhysida Ransomware Gang Breaches Peruvian Government
Rhysida ransomware operators have claimed responsibility for a cyberattack on Peru’s government. They have exfiltrated sensitive documents and are demanding ransom to prevent a leak. This event reflects a growing pattern of politically disruptive ransomware targeting public infrastructure in Latin America.
Read full article: Security Affairs
- Play Ransomware Uses Zero-Day for Domain-Wide Access
The Play ransomware gang is exploiting a zero-day vulnerability to gain full domain admin privileges across targeted networks. The attackers bypass authentication and security monitoring, often moving laterally with stealth. This makes the campaign especially dangerous for organizations with unpatched environments.
Read full article: Security.com
- CISA Flags Langflow Vulnerability for Active Exploitation
CISA issued an urgent alert for a Langflow vulnerability being actively exploited in the wild. This Python-based platform is used to build LLM-powered apps, and the flaw allows unauthenticated remote code execution. A patch has been released, and users are urged to upgrade immediately.
Read full article: GBHackers
- Windows Deployment Services Vulnerable to 0-Click UDP Exploit
Microsoft’s Windows Deployment Services (WDS) suffers from a zero-click remote code execution flaw via UDP packets. No user interaction or credentials are required, making it highly exploitable across enterprise environments. Microsoft is investigating, but no official patch has been released.
Read full article: GBHackers
The New Emerging Threats
From state-sponsored espionage to advanced phishing kits, this week’s cyber landscape is boiling with activity. COLDRIVER unleashes its stealthy LOSTKEYS malware targeting Western institutions, while Agenda ransomware upgrades its toolkit with NETXLOADER and SmokeLoader. Meanwhile, Inferno Drainer resurfaces to loot crypto wallets, and phishing attacks like CoGUI and Luna Moth are bombarding inboxes with slick deception. OtterCookie v4 also emerges, aiming for Chrome and MetaMask users with upgraded stealth.
- COLDRIVER Deploys New Malware “LOSTKEYS” in Espionage Campaigns
Russia-linked APT COLDRIVER is back, deploying a newly discovered malware dubbed LOSTKEYS. This threat actor is actively targeting Western government entities and NGOs to exfiltrate sensitive documents. The malware disguises itself within malicious PDF lures and uses clever phishing tactics to bypass user defenses. Google’s Threat Analysis Group warns of continued campaigns in 2025, urging heightened vigilance.
Read full article: Cloud Google
- Agenda Ransomware Gang Enhances Arsenal with NETXLOADER and SmokeLoader
The Agenda ransomware group has ramped up its attack toolkit by integrating NETXLOADER, a stealthy new loader designed for persistent malware delivery. Coupled with the seasoned SmokeLoader, these tools make Agenda’s operations harder to detect and mitigate. Security experts emphasize the loaders’ modularity and sandbox evasion capabilities as a rising concern.
Read full article: Broadcom
- CoGUI Phishing Kit Targets Japan with Millions of Emails
A new phishing kit called CoGUI is bombarding users in Japan with millions of messages. The kit’s sophistication lies in its ability to evade detection and mimic legitimate login pages. Proofpoint reports that this wave is aimed at harvesting credentials from users of popular Japanese web services.
Read full article: Proofpoint
- OtterCookie v4 Malware Evolves to Target Chrome, MetaMask Users
OtterCookie v4, a malware variant focused on stealing credentials from Chrome and MetaMask, has gained advanced detection evasion features. It now includes virtual machine detection and dynamic anti-analysis techniques, making it difficult to analyze and stop. Its main targets are users managing digital assets or crypto wallets.
Read full article: Thehackernews
In-Depth Expert CTI Analysis
This week’s threat landscape illustrates the convergence of nation-state cyber operations, financially motivated ransomware, and advanced social engineering. From Russia-linked espionage to crypto-draining malware campaigns and the takedown of global criminal infrastructure, the scope and scale of threat activity reinforce the need for continuous vigilance and adaptive defense strategies. Notably, multiple actors are upgrading toolkits with stealthier payloads and exploiting zero-day vulnerabilities to evade traditional defenses.
Proactive Defense and Strategic Foresight
Organizations must shift from reactive postures to intelligence-driven proactive defense by:
- Hunting for threat actor infrastructure leveraging indicators from LockBit, COLDRIVER, and Agenda ransomware activity.
- Implementing threat-informed patching cycles, especially in light of Langflow and WDS 0-click vulnerabilities.
- Enhancing deception capabilities (e.g., honeypots) to slow lateral movement during intrusion attempts.
- Preparing playbooks for zero-day exploitation scenarios and prioritizing remote code execution vulnerabilities in cloud-facing assets.
Evolving Ransomware and Malware Tactics
Ransomware groups are evolving rapidly in delivery, persistence, and stealth:
- Play ransomware demonstrates the use of zero-day exploits for domain-wide compromise—organizations with domain controller exposure must act quickly.
- Agenda ransomware’s adoption of NETXLOADER and SmokeLoader reveals a preference for modularity and sandbox evasion, increasing dwell time.
- OtterCookie v4 and Inferno Drainer signal an alarming trend: malware targeting individual asset holders (e.g., crypto wallet users) is becoming as sophisticated as APT-grade malware.
State-Sponsored and Organized Cybercrime Convergence
The week marked significant activity from both nation-states and criminal cartels:
- Russia’s COLDRIVER APT is continuing high-value espionage, weaponizing tailored phishing PDFs embedded with LOSTKEYS malware.
- The Pentagon’s offensive cyber ops reveal a new U.S. doctrine: using cyber to disrupt transnational crime and enhance physical border security.
- The overlap of criminal and state tactics is evident—cybercrime-as-a-service platforms like LockBit now exhibit operational security and affiliate models similar to traditional APTs.
Operational and Tactical Implications
The following implications are critical for SOC and CTI teams:
- Phishing simulation training must now cover IT impersonation scenarios (Luna Moth) and region-specific lures (e.g., CoGUI in Japan).
- Zero-click vulnerabilities need preemptive detection strategies, such as network segmentation and behavior-based anomaly detection.
- IoT and EoL device risks are not theoretical: botnets built on these systems (as in the 7,000-device proxy botnet case) are operational and undermining anonymity boundaries.
Forward-Looking Recommendations
Security leaders should prioritize the following:
- Patch Management: Immediately apply updates related to Langflow and isolate Windows Deployment Services where unpatched.
- CTI Integration: Feed recent IoCs from LockBit leaks and Rhysida ops into threat detection platforms.
- User Awareness: Launch campaigns to educate users about airdrop/NFT phishing scams and internal IT spoofing.
- IoT Audits: Conduct inventories of IoT/EoL assets and remove or isolate unpatchable systems.
- Cross-sector Collaboration: Follow CISA, Europol, and US-CERT updates to align with international disruption efforts.