VerSprite Weekly Threat Intelligence

Date Range: 19 May 2025 – 23 May 2025

Issue: 15th Edition

Security Triumphs of the Week

This week saw a cybercrime crackdown like never before. Europol and Microsoft led a global takedown of the notorious Lumma Stealer, exposing its sprawling criminal network. Law enforcement also seized 300 servers and €3.5M in a massive ransomware sting, Operation Endgame. NIST introduced a new metric to estimate which vulnerabilities are most likely to be exploited, giving defenders a smarter edge. And the hacker behind the SEC X account breach was finally sentenced, reinforcing that digital misdeeds have real-world consequences.

  • Global Takedown of Lumma Stealer Led by Europol and Microsoft
    In a major international operation, Europol, Microsoft, and law enforcement agencies disrupted the operations of Lumma Stealer, one of the world’s most pervasive infostealers. Lumma was responsible for compromising millions of devices globally, stealing credentials, financial data, and sensitive documents. The takedown included infrastructure seizures and arrests across multiple countries. Microsoft’s Digital Crimes Unit played a critical role in tracking and helping dismantle the botnet command-and-control structure.
    Read full article: Europol
  • Lumma Stealer Operation Exposed as Highly Organized Cybercrime Network
    Further investigations into Lumma Stealer revealed it operated as a commercial-grade cybercrime enterprise. According to DarkReading, the malware was sold as a service on underground forums and used modular architectures, allowing cybercriminals to tailor attacks. Researchers uncovered how operators profited through illicit sales of access to stolen data, primarily targeting organizations in Europe and North America. The scale and structure of the operation underline the growing sophistication of cybercrime-as-a-service models.
    Read full article: Darkreading
  • NIST Proposes New Metric to Predict Likelihood of Vulnerability Exploitation
    NIST has proposed a new metric for estimating how likely a given vulnerability is to be exploited, referred to later in this edition as LEV-style predictive scoring. The aim is to give defenders a data-driven basis for patch prioritization that goes beyond CVSS severity alone, so that the vulnerabilities most likely to be attacked rise to the top of the queue.
    Read full article: Darkreading
  • Hacker Sentenced in SEC X Account Breach Case
    The hacker behind the high-profile breach of the SEC’s official X (Twitter) account has been sentenced to prison, marking a victory for accountability in cybercrime. The attacker used SIM-swapping techniques to gain access, sending out a false post that momentarily caused financial market volatility. Federal prosecutors highlighted the serious consequences of digital impersonation and market manipulation. This case reinforces the importance of multi-factor authentication that does not depend on the phone number, and the legal consequences of social engineering attacks.
    Read full article: Vitallaw
  • Telegram Blocks Two Black-Market Services
    Telegram has taken decisive action by blocking two major black-market services operating on its platform. These services, which facilitated illegal sales of data and tools, were warned and forced to shut down. This rare enforcement move shows Telegram responding to growing pressure to curb cybercrime on its app.
  • Europol Seizes 300 Servers and €3.5M from Ransomware Networks
    In another massive international success, Europol has dismantled several ransomware networks under Operation Endgame, seizing over 300 servers and €3.5 million in illicit assets. The operation targeted affiliates and infrastructure used by multiple ransomware families. It involved coordinated raids across multiple jurisdictions, freezing crypto wallets and shutting down backend systems. This demonstrates growing global cooperation against cybercriminal syndicates.
    Read full article: Thehackernews
  • Key Ransomware Actors Charged as Infrastructure Falls in Operation Endgame
    Complementing the Europol takedown, several ransomware actors have been formally charged, and key infrastructure components dismantled. Authorities from multiple countries worked together to arrest operators and disrupt services supporting ransomware-as-a-service (RaaS) groups. This sends a strong message that cybercrime infrastructure will be hunted down and dismantled, even across borders. The operation marks one of the most significant efforts to strike at the heart of the ransomware ecosystem to date.
    Read full article: Therecord

Security Setbacks of the Week

Healthcare and finance bore the brunt of this week’s incidents. A new ransomware strain, Nitrogen, is hitting financial institutions in the U.S., U.K., and Canada; NHS England confirmed that two attacks on its providers caused clinical harm to patients; and Kettering Health in Ohio is recovering from a cyberattack that took core IT systems offline. Attackers are also abusing trusted Google services to host payloads and pushing malware through fake CAPTCHA prompts, while a third-party breach at Serviceaide exposed protected health information from multiple U.S. medical entities.

  • Financial Sector Targeted by Nitrogen Ransomware
    A new ransomware strain dubbed Nitrogen is targeting financial institutions across the U.S., U.K., and Canada. Attackers leverage phishing emails with fake software lures to deploy the payload, compromising internal systems and demanding cryptocurrency ransoms.
    Read full article: HackRead
  • NHS England Confirms Patient Harm from Attacks
    The UK’s NHS has officially acknowledged that two cyberattacks targeting its providers caused “clinical harm” to patients. These attacks disrupted lab and diagnostic services, and delayed cancer and emergency treatments – underlining the real-world health consequences of cyber threats.
    Read full article: The Record
  • Cybercriminals Abuse Trusted Google Domains
    Threat actors are increasingly leveraging Google’s legitimate services – such as Google Docs, Sites, and Firebase – to host and distribute malicious payloads. These attacks evade traditional filters and trick users with convincing URLs tied to trusted domains.
    Read full article: GBHackers
  • Kettering Health Cyberattack Cripples Systems
    Kettering Health, a major healthcare network in Ohio, disclosed that a cyberattack led to widespread operational disruptions, including IT systems downtime and loss of access to data. The provider is still investigating the scope of the incident but has confirmed that patient care workflows were affected.
    Read full article: The Record
  • CAPTCHA Abuse Campaigns Push Malware
    Trend Micro researchers uncovered a campaign in which attackers use fake CAPTCHA challenges to deliver malicious scripts. Victims who interact with these seemingly innocuous prompts unwittingly download malware capable of data theft and remote access.
    Read full article: Trend Micro
  • Nationwide Medical Data Exposure at Serviceaide
    A third-party breach affecting Serviceaide, a digital service provider, led to exposure of protected health information (PHI) from multiple U.S. medical entities. Stolen files reportedly include patient IDs, diagnoses, and medical histories – putting thousands at risk.
    Read full article: The Record

The New Emerging Threats

From phishing to fake apps, cyber attackers are getting bolder and sneakier. A new DBatLoader campaign is hammering Turkish systems, while SSH key reuse exposed a major phishing wave in Kuwait. Ransomware gangs are now arming themselves with Skitnet, a stealthy malware for remote control and data theft. Meanwhile, a fake KeePass app is delivering ESXi ransomware, and Tycoon2FA phishing is bypassing Microsoft 365’s MFA with alarming ease.

  • New DBatLoader Malware Campaign Targets Turkey
    A newly identified campaign deploying DBatLoader malware is actively targeting organizations in Turkey. The attackers use malicious email attachments, often Excel files with embedded macros, to deliver the payload. Once executed, the malware downloads additional backdoors to enable long-term access and data exfiltration. This campaign demonstrates a continued focus on exploiting email-based vectors and is believed to be linked to financially motivated threat actors.
    Read full article: Scworld
  • SSH Key Reuse Leads to Major Phishing Campaign Exposure in Kuwait
    Security researchers uncovered a widespread phishing operation in Kuwait after spotting reused SSH keys across multiple compromised servers. The adversaries behind the campaign leveraged phishing sites to mimic government and financial portals, capturing credentials and delivering malware. The reused SSH keys provided a rare fingerprint, allowing investigators to map the campaign infrastructure. This discovery underlines that poor operational security cuts both ways: it exposed the attackers here, and it exposes defenders who reuse keys just as readily.
    Read full article: Certera
  • Ransomware Gangs Deploy ‘Skitnet’ Malware for Stealthy Access and Theft
    A new piece of malware called Skitnet is being used by ransomware groups to enable stealthy data theft and persistent remote access. Skitnet supports command execution, file downloads, and lateral movement, making it an ideal staging tool for ransomware deployment. Its evasive capabilities, including anti-analysis and anti-VM techniques, help it remain undetected in victim environments. The malware is often embedded in phishing documents or delivered through malicious installers.
    Read full article: Thehackernews
  • KeeLoader: Fake KeePass App Delivers ESXi Ransomware
    A fake version of the KeePass password manager, dubbed KeeLoader, is being used to install ransomware on VMware ESXi servers. Victims are tricked into downloading a malicious KeePass clone that, once run, drops a loader to deploy the ransomware payload. This campaign targets IT admins and system operators, exploiting their trust in open-source tools. The attack chain emphasizes the need to verify software authenticity and avoid unofficial repositories.
    Read full article: Bleepingcomputer
  • Tycoon2FA Phishing Attack Targets Microsoft 365 Users
    A new wave of phishing built on the Tycoon2FA phishing-as-a-service kit is targeting Microsoft 365 users with advanced two-factor authentication bypass tactics. Victims are lured into entering their credentials on a fake Microsoft login page that mimics the MFA prompts. The page is a real-time adversary-in-the-middle (AitM) reverse proxy: it relays the password and the one-time code or push approval to Microsoft, then captures the resulting session cookie, so the MFA step is consumed on the attacker’s behalf. This technique is especially dangerous for corporate users relying on Microsoft’s cloud suite for daily operations.
    Read full article: Technijian
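To make the detection side of this concrete, here is an added example (not code from the original article or from any vendor) that flags the pattern an AitM kit such as Tycoon2FA leaves in sign-in telemetry: one session cookie used from a second IP, country or client shortly after MFA was satisfied. The record fields and the sample JSON lines are constructed assumptions loosely modelled on Entra ID sign-in logs, not real data:

```python
"""Detect sign-in sessions that look like adversary-in-the-middle (AitM) session-cookie replay.

Added example for this newsletter item, not code from the original article or from any vendor.
The record fields (time, user, ip, country, session_id, mfa, ua) are an assumption loosely
modelled on Entra ID sign-in logs; map them to your own SIEM schema.
"""
import json
from datetime import datetime, timedelta

# Constructed sample sign-in records (JSON lines), not real telemetry.
# Session s-1: MFA completes via the victim's browser, 29 seconds later the same session
# cookie is presented from another country by a scripted client. Session s-2 is benign.
SAMPLE_LOG = """
{"time": "2025-05-21T08:02:11Z", "user": "a.user@example.com", "ip": "203.0.113.10", "country": "GB", "session_id": "s-1", "mfa": "satisfied", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/136"}
{"time": "2025-05-21T08:02:40Z", "user": "a.user@example.com", "ip": "198.51.100.77", "country": "US", "session_id": "s-1", "mfa": "token", "ua": "python-requests/2.32"}
{"time": "2025-05-21T09:15:00Z", "user": "b.user@example.com", "ip": "203.0.113.22", "country": "GB", "session_id": "s-2", "mfa": "satisfied", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/136"}
{"time": "2025-05-21T10:40:00Z", "user": "b.user@example.com", "ip": "203.0.113.22", "country": "GB", "session_id": "s-2", "mfa": "token", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/136"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines sign-in records, converting the timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def detect_replay(events: list[dict], window: timedelta = timedelta(hours=1)) -> list[dict]:
    """Flag sessions whose cookie is reused from a different IP/country/client shortly after MFA.

    In an AitM flow the proxy relays the victim's password and MFA response to the real
    identity provider, then the attacker replays the resulting session cookie from their own
    infrastructure. Two client fingerprints inside one session within a short window is the tell.
    The MFA-satisfied event may itself originate from the proxy IP, so a baseline of the user's
    usual locations is a useful second signal (not implemented here).
    """
    by_session: dict[str, list[dict]] = {}
    for ev in events:
        by_session.setdefault(ev["session_id"], []).append(ev)

    findings = []
    for sid, evs in by_session.items():
        anchors = [e for e in evs if e["mfa"] == "satisfied"]
        if not anchors:
            continue
        anchor = anchors[0]
        for ev in evs:
            if ev is anchor or ev["time"] <= anchor["time"]:
                continue
            if ev["time"] - anchor["time"] > window:
                continue
            reasons = []
            if ev["ip"] != anchor["ip"]:
                reasons.append("ip_changed")
            if ev["country"] != anchor["country"]:
                reasons.append("country_changed")
            if ev["ua"] != anchor["ua"]:
                reasons.append("user_agent_changed")
            # A country change alone, or an IP change paired with a new client, is suspicious.
            if "country_changed" in reasons or {"ip_changed", "user_agent_changed"} <= set(reasons):
                findings.append({
                    "session_id": sid,
                    "user": ev["user"],
                    "mfa_from": anchor["ip"],
                    "replayed_from": ev["ip"],
                    "seconds_after_mfa": int((ev["time"] - anchor["time"]).total_seconds()),
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for finding in detect_replay(parse_events(SAMPLE_LOG)):
        print(json.dumps(finding))
```

Run against the constructed log, it reports session s-1 (cookie replayed from a US IP with a scripted user agent 29 seconds after MFA from the UK) and stays quiet on s-2. In production the same logic runs over your identity provider’s sign-in export; the threshold choices (country change, or IP plus client change) are a starting point to tune against your baseline.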

In-Depth Expert CTI Analysis

This week showcased an unprecedented global clampdown on cybercrime infrastructure. Europol-led operations dismantled major ransomware and infostealer networks, including Lumma Stealer and several RaaS affiliates. On the defense front, NIST proposed a predictive metric for vulnerability exploitation, empowering SOCs with smarter prioritization. At the same time, attackers continued to innovate, bypassing MFA protections, leveraging malware loaders like Skitnet, and embedding ransomware in fake open-source apps. The cybersecurity battlefield is rapidly shifting toward stealth, speed, and scale.

Proactive Defense and Strategic Foresight

The joint takedown of Lumma Stealer and Operation Endgame represents a turning point in international law enforcement collaboration against cybercrime. However, takedowns are temporary disruptions, not deterrents, given the pace at which adversaries rebuild.

  • Align incident response planning with cross-border attack attribution scenarios.
  • Incorporate LEV-like predictive scoring to prioritize vulnerabilities beyond CVSS alone.
  • Continuously map third-party services and their API behavior in critical systems.

Evolving Ransomware and Malware Tactics

Ransomware operators are adopting more evasive loaders and pre-ransom malware like Skitnet to establish persistence before payload detonation. KeeLoader, disguised as KeePass, illustrates a broader trend of trojanized tools targeting infrastructure administrators.

  • Hunt for uncommon persistence techniques and unauthorized lateral movement tools.
  • Strengthen controls around software supply chains, especially open-source utilities, by verifying installer hashes and signatures against the project’s official release channel.
  • Isolate and monitor privileged endpoints managing hypervisors, ESXi, and cloud infra.

Infostealer and Ransomware Ecosystem Convergence

Lumma Stealer operated as a full-fledged service platform, enabling a wide range of cybercrime operations. The overlap between infostealer infrastructure and ransomware deployment points to tighter coordination between initial access brokers and RaaS groups.

  • Track behavioral indicators from known stealer families (e.g., browser credential theft, clipboard hijacking).
  • Monitor underground marketplaces for token sales tied to stolen session cookies.
  • Review and rotate session-based access for critical services, especially those using federated SSO.

Operational and Tactical Implications

Tycoon2FA’s real-time MFA bypass attacks highlight the fragility of MFA factors (one-time codes, push approvals) that are not bound to the legitimate origin: an adversary-in-the-middle proxy simply relays them and keeps the session cookie. Phishing infrastructure exposed via reused SSH keys in Kuwait proves how small OPSEC errors by attackers can create opportunities for defenders.

  • Enforce phishing-resistant authentication (FIDO2, passkeys) where feasible.
  • Use SSH key telemetry and certificate logging for anomaly correlation.
  • Increase scrutiny of domains using dynamic DNS and cloud-resolver hijacking (e.g., “Hazy Hawk” campaign patterns).

Forward-Looking Recommendations

The week’s developments make clear that both cybercriminals and defenders are evolving rapidly. While large-scale takedowns offer momentum, lasting security demands layered controls and aggressive threat modeling.

  • Simulate stealer-to-ransomware kill chains in purple team exercises.
  • Prioritize patching based on predicted exploitability, not vendor severity alone.
  • Monitor for rogue software installers posing as tools like KeePass, PuTTY, or remote admin agents.

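To show what prioritising by predicted exploitability rather than vendor severity looks like in practice (the LEV-like scoring recommended above), here is an added example that is not NIST’s code or its published formula: it composes a short series of 30-day, EPSS-style exploitation probabilities into a cumulative likelihood and ranks a constructed inventory on that, so a medium-severity bug that is actually being exploited outranks a critical one that is not. The composition and partial-window weighting are my assumptions for illustration; take the exact definition from the NIST publication:

```python
"""Rank vulnerabilities by cumulative likelihood of exploitation, not CVSS alone.

Added example for this newsletter, not NIST's code. It mirrors the idea behind an
LEV-style metric as described here: compose a time series of 30-day exploitation
probabilities (EPSS-style scores) into the probability that exploitation has happened
at least once over the whole period. The composition and partial-window weighting are
assumptions for illustration; consult the NIST publication for the exact definition.
The vulnerability entries and scores below are constructed, not real CVEs.
"""


def cumulative_exploitation_probability(window_probs: list[float], last_window_days: int = 30) -> float:
    """1 - product of (1 - p_i * w_i/30): probability of at least one exploitation across the windows.

    Each p_i is the predicted probability of exploitation within the 30-day window starting at
    sample i. All windows are a full 30 days except the last, which may be partial (w_n < 30) and
    is scaled linearly (assumption). Windows are treated as independent.
    """
    survive = 1.0
    n = len(window_probs)
    for i, p in enumerate(window_probs):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")
        days = 30 if i < n - 1 else min(max(last_window_days, 0), 30)
        survive *= 1.0 - p * days / 30.0
    return 1.0 - survive


def tier(likelihood: float, cvss: float) -> str:
    """Simple triage policy (assumption): likelihood drives the tier, CVSS can only raise it."""
    if likelihood >= 0.5:
        return "P1"
    if likelihood >= 0.1 or cvss >= 9.0:
        return "P2"
    return "P3"


def prioritize(vulns: dict[str, dict]) -> list[dict]:
    """Return vulns sorted by cumulative likelihood (desc), then CVSS (desc), with a tier attached."""
    ranked = []
    for vid, v in vulns.items():
        lev = cumulative_exploitation_probability(v["epss_windows"], v.get("last_window_days", 30))
        ranked.append({
            "id": vid,
            "likelihood": round(lev, 4),
            "cvss": v["cvss"],
            "tier": tier(lev, v["cvss"]),
        })
    return sorted(ranked, key=lambda r: (-r["likelihood"], -r["cvss"]))


# Constructed inventory: three consecutive 30-day EPSS-style samples per vulnerability (not real CVE data).
SAMPLE_VULNS = {
    "vuln-A": {"cvss": 9.8, "epss_windows": [0.01, 0.02, 0.03]},  # critical CVSS, rarely exploited
    "vuln-B": {"cvss": 6.5, "epss_windows": [0.40, 0.55, 0.70]},  # medium CVSS, actively exploited
    "vuln-C": {"cvss": 7.5, "epss_windows": [0.05, 0.20, 0.30]},
}

if __name__ == "__main__":
    for row in prioritize(SAMPLE_VULNS):
        print(f"{row['tier']} {row['id']:8} likelihood={row['likelihood']:.3f} cvss={row['cvss']}")
```

On the constructed inventory, vuln-B (CVSS 6.5) comes out first with a cumulative likelihood of about 0.92 and vuln-A (CVSS 9.8) last at about 0.06, which is the reversal of a CVSS-only queue that the recommendation is after. In practice the per-window probabilities come from your EPSS feed history and the tier thresholds are a policy decision, not a formula.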
Additional Resources & Contact

VerSprite on LinkedIn

VerSprite on Twitter

Email VerSprite

Subscribe for Our Updates