VerSprite Weekly Threat Intelligence #12

Date Range: 28 April 2025 – 02 2025
Issue: 12th Edition
Security Triumphs of the Week
From takedowns to guilty pleas, this week delivered major wins for the good guys. The infamous BreachForums was forced offline after a MyBB 0-day exploit shook its foundations. Authorities smashed the JokerOTP phishing ring, ending 28,000+ scams and arresting two key players. Meanwhile, Disney’s Slack hacker ‘NullBulge’ pleaded guilty, facing justice at last. And to top it off, the RansomHub ransomware gang vanished from the dark web.
BreachForums Shuts Down After MyBB 0-Day Exploited
In a significant win for cybersecurity, the infamous hacking forum BreachForums has been taken offline after threat actors exploited a critical zero-day vulnerability in MyBB, the forum software it relied on. This takedown not only disrupted the platform but also exposed internal data, leading to mass leaks and a loss of trust within the cybercriminal community. The shutdown marks a major blow to data brokers and threat actors who frequented the forum to trade stolen credentials and tools.
Read full article: cybersecuritynews.com
JokerOTP Dismantled After 28,000 Phishing Attacks, 2 Arrested
Authorities successfully dismantled the JokerOTP phishing operation responsible for over 28,000 attacks targeting banking and online service users. The operation was taken down through coordinated international efforts, resulting in two key arrests and the seizure of critical infrastructure.
Read full article: bitdefender.com
Hacker ‘NullBulge’ Pleads Guilty to Stealing Disney’s Slack Data
The individual behind the 2022 breach of Disney’s internal Slack channels, known online as “NullBulge,” has pleaded guilty in U.S. federal court. This guilty plea represents a step forward in prosecuting high-profile corporate cyber intrusions and may act as a deterrent for future would-be attackers.
Read full article: variety.com
Prolific RansomHub Operation Goes Dark
The RansomHub group, known for a surge of extortion-driven ransomware attacks, has suddenly ceased operations. While the reason for their disappearance remains unclear, security experts believe it could be due to internal conflict or fear of impending law enforcement action. Either way, their sudden exit means fewer ransomware incidents — at least temporarily — and relief for potential targets.
Read full article: darkreading.com
Security Setbacks of the Week
Global spyware abuse, critical service disruptions, and persistent cloud and credential-based threats dominated this week’s setbacks. Apple’s mass notification revealed widespread mercenary spyware targeting across 92 countries. UK retailers faced disruptive attacks, while the Dutch government struggled against DDoS waves. Meanwhile, developer secrets remain exposed, and Storm-1977 ramped up cloud intrusions using OAuth abuse, underscoring the evolving threat landscape.
Apple Notifies Spyware Victims in 92 Countries
Apple alerted users in 92 countries that they were targeted in mercenary spyware campaigns, likely via zero-click vulnerabilities. The unprecedented scale of this operation indicates the growing threat of commercial surveillance tools used by state-affiliated actors.
Read full article: The Record
Cyberattacks Disrupt Harrods, Co-op, and Marks & Spencer
UK retail giants Harrods, Co-op, and Marks & Spencer suffered separate cyber incidents affecting customer-facing systems and backend operations. These disruptions underscore the fragility of digital supply chains and the retail sector’s exposure to threat actors.
Read full article: SecurityWeek
Storm-1977 Exploits OAuth in Education Sector Attacks
Storm-1977 abused Microsoft OAuth mechanisms by deploying rogue Azure applications to gain persistent access to academic cloud environments. The attackers exfiltrated data via these apps, leveraging trusted cloud permissions to bypass detection.
Read full article: The Hacker News
Developer Secrets Abused in New Credential Harvesting Campaigns
Attackers continue to exploit exposed API keys, tokens, and other secrets in public code repositories and CI/CD pipelines. This trend highlights poor developer hygiene and opens enterprise environments to lateral movement and infrastructure compromise.
Read full article: Dark Reading
The New Emerging Threats
Cyber adversaries are upping their game this week. Hive0117 resurfaces with a stealthy DarkWatchman variant, while malicious PyPI packages exploit Gmail and WebSockets to hijack systems. The Earth Kasha APT launched a new wave of ANEL backdoor attacks targeting Asian sectors. Meanwhile, ToyMaker emerges as a dangerous initial access broker, and new WordPress malware hides in plain sight as a plugin.
Hive0117 Deploying New DarkWatchman Variant
A newly observed phishing campaign by threat group Hive0117 is leveraging an evolved version of the DarkWatchman malware to target Russian organizations. This variant uses advanced anti-analysis techniques and fileless persistence to evade detection, indicating the group’s rising sophistication. The campaign mimics routine communication formats, increasing the likelihood of successful compromise.
Read full article: infosecurity-magazine.com
Malicious PyPI Packages Abuse Gmail, Websockets to Hijack Systems
Researchers have uncovered multiple malicious Python packages on PyPI that exploit Gmail and WebSocket connections to exfiltrate data and remotely control infected systems. These packages masquerade as legitimate tools, targeting developers and software environments. This technique bypasses traditional detection methods and showcases the growing abuse of public development platforms.
Read full article: bleepingcomputer.com
Earth Kasha’s New ANEL Backdoor Campaign
The Earth Kasha APT group is back with a revamped version of its ANEL backdoor, now deployed using stealthier TTPs and targeting defense and tech sectors in Asia. The campaign involves spear-phishing and custom malware loaders, designed to establish long-term access. Researchers warn the toolset suggests high operational maturity and intent to persist.
Read full article: trendmicro.com
ToyMaker – Initial Access Broker Using LAGTOY Malware
A new player on the cybercrime scene, dubbed ToyMaker, is using LAGTOY malware to gain initial access to enterprise environments and sell it to ransomware affiliates. ToyMaker employs social engineering and weaponized documents, making them a serious enabler in the ransomware ecosystem. Their emergence signals increasing fragmentation and specialization in the underground economy.
Read full article: thehackernews.com
New WordPress Malware Hides in Plain Sight as a Plugin
A stealthy malware campaign targeting WordPress sites has emerged, disguising itself as a legitimate plugin. Once installed, it provides backdoor access to attackers and can inject malicious scripts, redirect traffic, or harvest data. The malware’s modular structure and ease of deployment pose a significant risk to poorly secured websites.
Read full article: infosecurity-magazine.com
In-Depth Expert CTI Analysis
This week demonstrated a dynamic threat environment, balancing significant law enforcement wins with sophisticated new attack vectors. While authorities disrupted major criminal infrastructures, adversaries adapted with stealthy malware, OAuth abuse, and supply chain targeting.
Proactive Defense and Strategic Foresight
The takedown of BreachForums and the JokerOTP phishing ring highlights the increasing reach and effectiveness of coordinated cybercrime disruption efforts. These events send a clear message but may also trigger retaliation or regrouping by displaced threat actors.
Track threat actor migration across forums and communication platforms.
Monitor for rebranding of closed operations and follow-on attacks targeting law enforcement or researchers.
Evolving Ransomware and Malware Tactics
Groups like Hive0117 are refining malware like DarkWatchman for stealth and persistence, while ToyMaker acts as a broker, selling enterprise access. PyPI abuse further exposes the fragility of open-source ecosystems.
Enhance detection for fileless and LOLBin-based persistence techniques.
Audit developer environments for malicious packages and unauthorized dependencies.
State-Sponsored and Organized Cybercrime Convergence
Nation-aligned threats remain active and advanced. Apple’s notification campaign revealed global spyware targeting. Meanwhile, Storm-1977 and Earth Kasha continue to innovate in cloud and phishing-based APT operations.
Restrict OAuth permissions and implement tighter controls on cloud app integrations.
Train users in sectors like education, defense, and government to recognize sophisticated spear-phishing attempts.
Operational and Tactical Implications
Credential exposure and plugin-based malware remain common but highly effective. DDoS attacks disrupted Dutch government services, while insecure WordPress plugins and secrets in code repositories continue to provide easy access points.
Regularly scan CI/CD and public code for API key or token leaks.
Lock down CMS platforms with plugin allowlists and file integrity monitoring.
SOC teams must defend hybrid, multi-cloud, and endpoint environments simultaneously, demanding integrated, threat-informed defensive models.
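As an added example, not taken from the newsletter or any of the cited articles, of the CI/CD secret scanning recommended above and of the exposed-key problem described in the developer-secrets item: a small Python scanner that pairs known key formats with an entropy test so that placeholder values are not flagged. The AWS and GitHub prefixes are their publicly documented formats; the `.env` content, the path name and the 3.5-bit entropy threshold are constructed assumptions.

```python
import math
import re
from typing import Dict, List

# Known credential formats plus a catch-all for secret-like variable assignments.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
    ),
}

# Constructed sample of a leaked .env file; the AWS value is Amazon's documented
# example key and the other values are invented for this demonstration.
SAMPLE = """\
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
password = "changeme_changeme"
GITHUB_TOKEN: ghp_abcdefghijklmnopqrstuvwxyz0123456789ABCD
api_key = 'k7Gx9Qp2Lm4Zv8Rt1Wn3Yb6Hd0Jf5Sc'
"""


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking secrets score high, dictionary words low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(path: str, text: str, min_entropy: float = 3.5) -> List[Dict]:
    """Return one finding per (line, pattern) match, with the value masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(m.lastindex or 0)
            # Known formats are flagged outright; generic assignments must also
            # look random, so "changeme_changeme" is skipped while real keys are not.
            if name == "generic_assignment" and shannon_entropy(value) < min_entropy:
                continue
            findings.append({"path": path, "line": lineno, "type": name,
                             "preview": value[:4] + "..." + value[-2:]})
    return findings


if __name__ == "__main__":
    for f in scan_text("constructed.env", SAMPLE):
        print(f"{f['path']}:{f['line']} {f['type']} {f['preview']}")
```

A CI job that fails when `scan_text` returns a non-empty list blocks the commit before the secret reaches a public repository.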
Forward-Looking Recommendations
Defenders should prepare for quieter, more modular attacks delivered through trusted channels. The convergence of state-aligned espionage, ransomware infrastructure, and access brokers requires layered defense and proactive hunting.
Audit cloud and identity configurations, especially OAuth and API tokens.
Harden DevSecOps workflows and verify integrity of public packages.
Monitor dark web activity for signs of regrouping or rebranding by disrupted threat groups.
Educate developers on secure coding and credential handling.
Prepare SMBs and public service orgs for common attack patterns like plugin abuse and DDoS.