VerSprite Weekly Threat Intelligence
Date Range: 07 April 2025 – 11 April 2025
Issue: 9th Edition
Security Triumphs of the Week
This week showcased major victories for cyber defenders worldwide. ASEAN nations are stepping up, weaving AI and Zero Trust into national strategies to future-proof cyber defense. Meanwhile, Malaysia and Thailand’s central banks are teaming up to harden cross-border financial systems—proof that cybersecurity knows no borders. In an ironic twist, the Everest ransomware gang got hacked, with their own leak site defaced in a symbolic slapdown. On the global front, law enforcement crushed the long-standing Smokeloader botnet, striking a major blow to malware operations. Microsoft supercharged Outlook with AI-powered email security, and the EU unveiled its “AI Continent” vision, blending innovation with ethics and trust. Even Ukraine bounced back strong—restoring half of its railway IT systems after a major cyberattack.
- ASEAN Nations Embrace AI and Zero Trust for Cyber Defense
Southeast Asian countries, including Singapore, Malaysia, and Indonesia, are proactively integrating AI and Zero Trust security architectures into their national cybersecurity strategies. These efforts aim to improve threat response, enhance visibility across networks, and automate defense mechanisms. The shift underscores the region’s growing prioritization of cyber resilience amid digital transformation across public and private sectors.
Read full article: The Cyber Express
- Malaysia and Thailand Strengthen Cybersecurity Collaboration
The central banks of Malaysia and Thailand have formalized a bilateral agreement to reinforce cybersecurity in the financial sector. This partnership aims to share threat intelligence, improve resilience of cross-border digital payments, and jointly address emerging risks. The initiative reflects a growing trend of regional cooperation to defend against increasingly sophisticated financial cyber threats.
Read full article: The Edge Malaysia
- Everest Ransomware Gang’s Leak Site Compromised
Hackers have successfully defaced the dark web leak site operated by the Everest ransomware gang in a rare and symbolic counterattack. This action disrupted the group’s operations and exposed weaknesses in its infrastructure. Such retaliation, likely from vigilante actors or rivals, highlights the growing pushback against ransomware operators from both official and unofficial channels.
Read full article: SecureBlink
- Global Operation Takes Down Smokeloader Botnet Servers
Law enforcement agencies executed a coordinated takedown of the Smokeloader botnet’s infrastructure, disrupting one of the longest-running malware distribution platforms. This botnet was widely used to deliver banking Trojans and info-stealers. The successful operation marks a significant blow to cybercriminal operations and highlights the effectiveness of global cooperation in combating botnets.
Read full article: Bitdefender
- Microsoft Reinforces Outlook Security with New AI Protections
Microsoft has enhanced Outlook’s email protection ecosystem with advanced AI-powered defenses against phishing, spam, and spoofing. These new features offer better sender verification and improve the user experience with smarter filtering. The update is part of Microsoft’s broader commitment to securing communication platforms across its consumer and enterprise environments.
Read full article: Cybersecurity News
- EU Launches “AI Continent” Plan to Lead Ethical Innovation
The European Commission announced a strategic initiative to strengthen Europe’s leadership in artificial intelligence while ensuring cybersecurity, trust, and ethics remain at its core. The plan includes cross-border AI infrastructure, workforce development, and security-enhanced innovation. It positions the EU as a global frontrunner in responsible AI deployment.
Read full article: European Commission
- Ukraine Restores 50% of Rail IT Systems Post-Cyberattack
Following a significant cyberattack in late March, Ukraine’s national railway has successfully restored about half of its impacted IT services. Despite service disruptions, the quick recovery illustrates strong incident response capabilities and technical resilience in critical infrastructure under wartime conditions.
Read full article: Reuters
Security Setbacks of the Week
This Week in Cyber Chaos: A Storm of Breaches and Ransom Demands
From healthcare to higher education, cybercriminals wreaked havoc across sectors this week. The Medusa gang hit NASCAR with a ransomware attack and a reported $4M demand, while 1.6 million health records were exposed in a major breach at LSC. Morocco’s social security system and the Port of Seattle also fell victim, affecting tens of thousands of people. Together, these incidents highlight the urgent need for stronger defenses as threat actors expand their reach.
- Laboratory Services Cooperative Breach Exposes Health Data of 1.6 million
Laboratory Services Cooperative (LSC) confirmed a significant data breach caused by stolen login credentials. The attackers accessed highly sensitive personal and health-related data of 1.6 million individuals. The incident highlights the continued targeting of healthcare sectors and the critical need for multi-factor authentication and monitoring.
Read full article: Securityaffairs
- Medusa Ransomware Targets NASCAR in High-Stakes Attack
The Medusa ransomware gang has claimed an attack on NASCAR, reportedly accompanied by a ransom demand of about $4 million.
- Ransomware Disrupts Port of Seattle, Compromising 90,000 Records
The Port of Seattle disclosed that its 2024 ransomware attack, attributed to the Rhysida group, exposed data belonging to approximately 90,000 individuals. The breach involved personally identifiable information, prompting an investigation and notification of impacted individuals.
Read full article: Cyberdaily
- CERT-UA Reports New Cyberattacks on Ukraine’s Armed Forces
Ukraine’s CERT-UA has revealed a new wave of cyberattacks targeting its armed forces. The campaign uses phishing lures to deploy remote access malware and aims to exfiltrate battlefield-relevant data, likely as part of larger state-sponsored espionage operations.
Read full article: Securityweek
- Morocco’s Social Security System Breached by Hackers
Hackers successfully infiltrated Morocco’s national social security system, compromising a large volume of sensitive citizen data. The breach has sparked concerns about the robustness of government cybersecurity defenses, particularly in critical infrastructure and identity systems.
Read full article: Securityweek
- Check Point March Report Highlights Global Spike in Malware
Check Point’s latest threat intelligence bulletin reveals a notable uptick in ransomware incidents and supply chain breaches, impacting sectors such as legal, transportation, healthcare, and logistics.
- The Port of Seattle disclosed a 2024 ransomware attack attributed to the Rhysida group, compromising personal data of approximately 90,000 individuals, including names, dates of birth, Social Security numbers, and medical information.
- Britain’s Royal Mail was affected by a data breach through its supplier Spectos, exposing 144GB of data, including personal information such as names, addresses, and package details.
- Europcar Mobility Group confirmed a cyber-attack compromising its GitLab repositories, resulting in the theft of source code and SQL backups, affecting between 50,000 to 200,000 clients.
- Two high-severity vulnerabilities in Cisco Smart Licensing Utility are being exploited in the wild: CVE-2024-20439, a static administrative credential that grants full administrative access to the API, and CVE-2024-20440, an information-disclosure flaw that exposes API credentials in a debug log.
- A stack-based buffer overflow (CVE-2025-22457) in Ivanti Connect Secure VPN appliances, allowing unauthenticated remote code execution, is under active exploitation, posing significant risk to unpatched systems.
These incidents underscore the evolving threat landscape and the importance of robust cybersecurity measures across all sectors.
Read full article: Seqrite
The New Emerging Threats
This week saw a surge in stealthy and sophisticated cyber threats aimed at users and developers alike. LegionLoader is making waves by sneaking through fake CAPTCHAs, while the infamous E-ZPass phishing scam returns in full force, tricking users with fake toll payment alerts. South Korean users are being targeted by ViperSoftX malware, hiding in cracked software and dropping potent RATs. Developers aren’t safe either—malicious VSCode extensions with over a million installs are silently mining crypto in the background. And finally, Neptune RAT is prowling through YouTube and GitHub, giving attackers full control of infected systems.
- LegionLoader Malware via Fake CAPTCHAs
A sophisticated campaign is delivering LegionLoader malware through deceptive PDF documents that mimic CAPTCHA checks using Cloudflare Turnstile. Once the user interacts, a malicious script is executed, leading to data theft via fake browser extensions and sideloaded malware. Target sectors include tech and financial services across multiple continents.
Read full article: CyberPress
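A first triage step for PDF lures like the one above is to check whether the document carries auto-run actions or outbound links at all; a fake-CAPTCHA page embedded in a PDF needs one or the other to move the reader toward the loader. The Python script below is an added example, not code from the original article or from the researchers it cites: it scans a PDF for the action keys such a lure depends on, extracts any /URI targets, and returns a verdict. The two embedded PDFs are constructed samples and the hostname verify.example.invalid is a placeholder; real lures often hide these dictionaries inside compressed object streams, which this stdlib-only check does not inflate.

```python
"""Static triage of PDF lures: flag documents that carry auto-run
actions or external links, the mechanics a fake-CAPTCHA PDF needs to
push a reader toward a LegionLoader download page.
Added example, not from the original article. Assumes the action
dictionaries are in plain object syntax; a production tool would also
inflate /ObjStm and FlateDecode streams before scanning."""
import re

# PDF name keys that make a document act on its own or reach outward.
# /OpenAction and /AA fire without a click; the rest carry the payload.
SUSPICIOUS_KEYS = {
    b"/OpenAction": "runs an action when the file is opened",
    b"/AA": "additional actions bound to page or form events",
    b"/JavaScript": "embedded JavaScript action",
    b"/JS": "JavaScript code string or stream",
    b"/Launch": "launches an external program",
    b"/URI": "opens an external link",
    b"/SubmitForm": "posts form data to a remote host",
    b"/EmbeddedFile": "carries an embedded file",
}
AUTO_RUN = (b"/OpenAction", b"/AA")
PAYLOAD = (b"/JavaScript", b"/JS", b"/Launch", b"/SubmitForm", b"/EmbeddedFile")
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def triage_pdf(data: bytes) -> dict:
    """Count suspicious keys, pull out link targets, and rate the file."""
    hits = {}
    for key in SUSPICIOUS_KEYS:
        # Lookahead stops /JS from matching inside longer names such as /JSfoo.
        count = len(re.findall(re.escape(key) + rb"(?![A-Za-z])", data))
        if count:
            hits[key.decode()] = count
    uris = [u.decode("latin-1") for u in URI_RE.findall(data)]
    auto = any(k.decode() in hits for k in AUTO_RUN)
    payload = any(k.decode() in hits for k in PAYLOAD)
    if auto and (payload or uris):
        verdict = "high"      # acts on open and has somewhere to go
    elif payload or uris:
        verdict = "medium"    # needs a click, still worth detonating
    else:
        verdict = "low"
    return {"verdict": verdict, "keys": hits, "uris": uris}


# Constructed sample: a one-page "verify you are human" lure with an
# on-open JavaScript action and a link annotation to a placeholder host.
LURE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [5 0 R] >> endobj
4 0 obj << /S /JavaScript /JS (app.launchURL\\("https://verify.example.invalid/turnstile", true\\);) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [100 600 500 650] /A << /S /URI /URI (https://verify.example.invalid/turnstile) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: a plain one-page document with no actions at all.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for name, blob in (("lure.pdf", LURE_PDF), ("benign.pdf", BENIGN_PDF)):
        print(name, triage_pdf(blob))
```

A "high" verdict is a cue to detonate the file in a sandbox and to block or sinkhole the extracted URIs at the proxy; a "medium" still deserves a look, since the Turnstile-style lure relies on the user clicking the fake checkbox rather than on an auto-run action.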
- E-ZPass Phishing Scam Resurfaces
A large-scale SMS phishing campaign is impersonating toll agencies like E-ZPass, tricking users into clicking fake payment links. Victims are directed to phishing sites that steal credit card and personal information. The FBI has issued warnings, urging the public to verify toll-related messages through official platforms.
Read full article: BleepingComputer
- ViperSoftX Malware Campaign in Korea
A new wave of the ViperSoftX malware is spreading via cracked software and torrents in South Korea. The attack drops obfuscated PowerShell and VBS scripts, installs PureCrypter, and connects to C2 servers for Quasar RAT deployment. It bypasses Windows Defender and enables data theft.
Read full article: CyberPress
- Malicious VS Code Extensions Dropping Cryptominers
Cybercriminals have published Visual Studio Code extensions that secretly drop XMRig cryptominers. These malicious tools, disguised as development utilities, show over 1 million installs, a figure researchers suspect was artificially inflated to build trust. Once installed, they disable security tools and execute hidden mining operations, affecting system performance and integrity.
Read full article: CyberPress
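Marketplace install counts are not a trust signal, so the practical control is to audit what is actually installed. The Python script below is an added example (not code from the original article or from the researchers it cites) that walks a VS Code extensions directory, reads each package.json, and scans the extension's JavaScript for the behaviour described above: auto-activation, process spawning, Defender tampering, and miner indicators. The indicator regexes are an assumption drawn from that description, and the two extensions it audits are constructed on disk in a temp directory; on a real machine point it at ~/.vscode/extensions (Windows: %USERPROFILE%\.vscode\extensions).

```python
"""Audit locally installed VS Code extensions for behaviour a
development utility has no reason to show: auto-activation combined
with process spawning, Defender tampering, or miner indicators.
Added example, not code from the original article or the researchers
it cites; the indicator regexes are an assumption drawn from the
behaviour the article describes (drop XMRig, disable security tools)."""
import json
import re
import tempfile
from pathlib import Path

INDICATORS = {
    "spawns_process": re.compile(r"child_process|\.spawn\(|\.exec\(|execSync\("),
    "miner_reference": re.compile(r"xmrig|stratum\+(tcp|ssl)://", re.I),
    "defender_tamper": re.compile(r"(Set|Add)-MpPreference|DisableRealtimeMonitoring", re.I),
    "encoded_powershell": re.compile(r"powershell[^\n]*?(-enc\b|-EncodedCommand)", re.I),
    "remote_binary_fetch": re.compile(r"https?://[^\s\"']+\.(exe|dll|ps1|bat|zip)\b", re.I),
}
# Any one of these is enough to call the extension malicious outright.
STRONG = {"miner_reference", "defender_tamper", "encoded_powershell"}


def audit_extension(ext_dir) -> dict:
    """Inspect one extension directory (package.json plus its JavaScript)."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    signals = []
    # "*" and onStartupFinished mean the code runs on every editor start,
    # whether or not the user ever touches the extension.
    events = manifest.get("activationEvents", [])
    if "*" in events or "onStartupFinished" in events:
        signals.append("auto_activation")
    if "postinstall" in manifest.get("scripts", {}):
        signals.append("postinstall_script")
    for js in sorted(ext_dir.rglob("*.js")):
        text = js.read_text(encoding="utf-8", errors="replace")
        for label, pattern in INDICATORS.items():
            if label not in signals and pattern.search(text):
                signals.append(label)
    if STRONG & set(signals):
        verdict = "malicious"
    elif "spawns_process" in signals and (
            "auto_activation" in signals or "remote_binary_fetch" in signals):
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"name": manifest.get("name", ext_dir.name), "verdict": verdict, "signals": signals}


def audit_all(extensions_root) -> dict:
    """Audit every extension under an extensions directory, keyed by name."""
    reports = [audit_extension(d) for d in sorted(Path(extensions_root).iterdir())
               if (d / "package.json").is_file()]
    return {r["name"]: r for r in reports}


def build_sample_extensions() -> Path:
    """Write two constructed extensions to a temp dir: a benign snippet
    pack and a 'helper' that behaves like the miner droppers described."""
    root = Path(tempfile.mkdtemp(prefix="vscode-audit-"))
    benign = root / "publisher.snippets-1.0.0"
    benign.mkdir()
    (benign / "package.json").write_text(json.dumps(
        {"name": "snippets", "activationEvents": ["onLanguage:python"]}))
    (benign / "extension.js").write_text(
        "exports.activate = (ctx) => { /* registers snippets */ };\n")
    bad = root / "publisher.prettify-helper-2.3.1"
    bad.mkdir()
    (bad / "package.json").write_text(json.dumps(
        {"name": "prettify-helper", "activationEvents": ["*"],
         "scripts": {"postinstall": "node setup.js"}}))
    (bad / "extension.js").write_text(
        "const cp = require('child_process');\n"
        "exports.activate = () => {\n"
        "  cp.exec('powershell -w hidden Add-MpPreference -ExclusionPath $env:APPDATA');\n"
        "  cp.spawn('xmrig.exe', ['-o', 'stratum+tcp://pool.example.invalid:3333']);\n"
        "};\n")
    return root


if __name__ == "__main__":
    for name, report in audit_all(build_sample_extensions()).items():
        print(name, report["verdict"], report["signals"])
```

A "suspicious" verdict (spawning processes from an always-on extension, or fetching binaries) is common enough in legitimate tooling that it belongs on a review list rather than a block list; the "malicious" tier is reserved for indicators with no benign explanation in an editor plugin.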
- Neptune RAT Spreading via YouTube and GitHub
Neptune RAT is actively spreading through malicious downloads shared on YouTube, GitHub, and Telegram. The malware disguises itself as legitimate software and provides attackers with full remote access to infected systems. It is capable of data exfiltration, surveillance, and system manipulation.
Read full article: Deccan Herald
In-Depth Expert CTI Analysis
The Summary
The cybersecurity threat landscape this week highlights a sharp contrast between positive strides in defensive strategy and a surge in advanced threat actor activities. Organizations made significant progress in AI-driven defenses and multilateral collaborations, while ransomware groups, phishing operators, and nation-state attackers expanded their footprint across healthcare, infrastructure, and open-source ecosystems. The evolution of malware delivery and credential-theft techniques continues to test even well-fortified environments.
Proactive Defense and Strategic Foresight
A number of developments stood out this week as proactive defenses gained traction:
- The cybersecurity alliance between Malaysian and Thai central banks showcases a growing focus on regional collaboration, especially in the financial sector.
- The EU’s launch of the “AI Continent” initiative reflects global ambition to embed security into AI innovation.
- Microsoft’s AI-enhanced Outlook security represents a milestone in private-sector defense integration, offering better detection of phishing and spoofing.
- Ukraine’s recovery of 50% of rail IT systems post-cyberattack also exemplifies strong incident response under duress.
Evolving Ransomware and Malware Tactics
This week’s threat activity reveals how ransomware and malware campaigns are evolving both technically and tactically.
- Medusa’s ransomware attack on NASCAR signifies a shift toward targeting high-profile, non-traditional sectors.
- LegionLoader utilized fake CAPTCHAs and sideloading to deliver payloads via deceptive PDFs
- ViperSoftX in South Korea employed cracked software and advanced obfuscation to evade detection.
- Malicious VSCode extensions, with over a million installs, are being used to drop XMRig cryptominers—highlighting how open-source tools are becoming a key delivery vector.
- Neptune RAT spreads via YouTube, GitHub, and Telegram, showcasing cross-platform malware propagation.
Recommendations:
- Enhance sandboxing and behavior analysis for PDF and installer files.
- Deploy EDR solutions capable of flagging abuse of developer tools and IDE plugins.
- Monitor outbound connections to detect C2 communications tied to stealthy implants and loaders.
State-Sponsored and Organized Cybercrime Convergence
State and cybercriminal tactics are becoming increasingly intertwined.
- Storm-2372, linked to Russian state interests, bypassed MFA through device-code phishing: victims are lured into completing a legitimate Microsoft sign-in, MFA included, for a device code the attacker generated, so the resulting tokens are issued to the attacker’s device. This demonstrates nation-state caliber methods repurposed for mass exploitation.
- Morocco’s social security breach and attacks on Royal Mail and the Port of Seattle further illustrate how cybercriminals are capable of targeting infrastructure at scale.
- RansomHub’s ransomware attack on a tribal community in the U.S. reinforces the trend of multi-domain disruption, combining criminal motive with infrastructure targeting.
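Device-code phishing leaves a distinctive trace: the victim's own interactive session and the attacker's device-code redemption happen minutes apart from different places. The Python script below is an added example for the Storm-2372 item above, not code from the original article. It runs that logic over constructed sign-in records shaped like the Microsoft Graph signIn resource (the corporate IP range and the example.invalid accounts are placeholders) and also builds the Conditional Access body that blocks the device code flow outright; that body follows the Graph conditionalAccessPolicy schema as this editor understands it, so verify it against current Microsoft documentation before applying it.

```python
"""Hunt for device-code phishing in Entra ID sign-in logs. A device-code
sign-in is the attacker redeeming a code the victim was tricked into
entering, so the token is issued to the attacker's IP while the victim's
own interactive session sits elsewhere; the detection keys on that split.
Added example, not code from the original article. Records, the corporate
IP range and the example.invalid domain are constructed placeholders."""
import ipaddress
from datetime import datetime, timedelta

CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # assumption

# Constructed sample: alice's real Teams session from the office, then a
# device-code redemption from another country three minutes later; bob's
# Azure CLI login is a legitimate device-code flow from inside the office.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-04-08T09:02:11Z", "userPrincipalName": "alice@example.invalid",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Teams", "location": {"countryOrRegion": "US"}},
    {"createdDateTime": "2025-04-08T09:05:40Z", "userPrincipalName": "alice@example.invalid",
     "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Authentication Broker", "location": {"countryOrRegion": "NL"}},
    {"createdDateTime": "2025-04-08T11:30:05Z", "userPrincipalName": "bob@example.invalid",
     "ipAddress": "203.0.113.22", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Azure CLI", "location": {"countryOrRegion": "US"}},
]


def _ts(record):
    return datetime.strptime(record["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def _corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def detect_device_code_abuse(signins, window=timedelta(minutes=15)):
    """Report every device-code sign-in; mark it high severity when the
    token was issued outside corporate space or the same user had an
    interactive session from a different country within the window."""
    alerts = []
    for rec in signins:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        reasons = []
        if not _corporate(rec["ipAddress"]):
            reasons.append("ip_outside_corporate_ranges")
        for other in signins:
            if other is rec or other["userPrincipalName"] != rec["userPrincipalName"]:
                continue
            if other.get("authenticationProtocol") == "deviceCode":
                continue
            close_in_time = abs(_ts(other) - _ts(rec)) <= window
            if close_in_time and other["location"]["countryOrRegion"] != rec["location"]["countryOrRegion"]:
                reasons.append("country_differs_from_recent_interactive_signin")
                break
        alerts.append({"user": rec["userPrincipalName"], "ip": rec["ipAddress"],
                       "app": rec["appDisplayName"], "when": rec["createdDateTime"],
                       "severity": "high" if reasons else "low", "reasons": reasons})
    return alerts


def build_block_policy():
    """Conditional Access policy body that blocks the device code flow
    tenant-wide; narrow the users condition to exclude the headless
    automation accounts that genuinely need the flow."""
    return {
        "displayName": "Block device code flow",
        "state": "enabledForReportingButNotEnforced",  # start in report-only
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for alert in detect_device_code_abuse(SAMPLE_SIGNINS):
        print(alert["severity"], alert["user"], alert["ip"], alert["reasons"])
```

Even the "low" alerts are worth a baseline: device code is meant for input-constrained devices and headless automation, so a tenant should know which apps and accounts legitimately produce it before the block policy is switched from report-only to enforced.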
Key implications:
- Government agencies and critical infrastructure operators should anticipate TTP overlap between espionage and criminal syndicates.
- Traditional vertical-specific security postures may be insufficient—cross-domain defense readiness is required.
Operational and Tactical Implications
Security operations centers (SOCs) are facing increased pressure to respond to active exploitation of critical vulnerabilities.
- Cisco Smart Licensing Utility (CVE-2024-20439/20440) and Ivanti Connect Secure (CVE-2025-22457) flaws are being actively exploited in the wild, giving attackers administrative access or code execution on network-exposed systems from which to pivot laterally.
- Phishing tactics also became more dynamic, with E-ZPass-themed SMS campaigns and precision-targeted phishing kits that validate in real time that a visitor is an intended target before serving the credential-harvesting page.
Operational guidance:
- Prioritize patch deployment for network-exposed software, especially VPNs and licensing systems.
- Implement MFA with phishing-resistant mechanisms (e.g., FIDO2 keys).
- Conduct periodic audits of developer environments and cloud repositories for sensitive data exposure.
Forward-Looking Recommendations
- Adopt AI and Zero Trust frameworks to scale detection, containment, and segmentation in hybrid infrastructures.
- Strengthen supply chain defense, particularly around open-source ecosystems and vendor integrations.
- Invest in user awareness training focused on emerging social engineering vectors like fake CAPTCHAs and device-code phishing.
- Facilitate regional and sector-wide intelligence sharing to improve threat context and early warning capabilities.
- Embed secure-by-design principles in DevOps pipelines to prevent misconfigurations and data leakage.