NCSA Webboard

    Cyber Threat Intelligence 19 May 2025

    Cyber Security News
    • NCSA_THAICERT

      Healthcare Sector

      • Healthcare Cyber-Attacks Intensify, Sector Now Prime Target
        "Cyber-attacks targeting healthcare have “noticeably increased” in intensity, with the sector suffering more incidents than other key industries in 2024, according to new data from Darktrace. The cybersecurity vendor revealed it responded to 45 cybersecurity incidents impacting healthcare organizations last year. This was higher than finance (37), energy (22), insurance (14) and telecoms (12)."
        https://www.infosecurity-magazine.com/news/healthcare-cyber-attacks-intensify/
        https://www.darktrace.com/resources/state-of-cyber-uk-us-brazil-healthcare-2025

      Malware

      • Printer Company Provided Infected Software Downloads For Half a Year
        "When Cameron Coward, the Youtuber behind the channel Serial Hobbyism, wanted to review a $6k UV printer and plugged in the USB flash drive with the printer software, the Antivirus software alerted him of a USB-spreading worm and a Floxif infection. Floxif is a file infector that attaches itself to Portable Executable files, so it can spread to network shares, removable drives like USB flash drives or backup storage systems. The printer company Procolored assured him at first that these were false positives. Nevertheless, Cameron turned to Reddit in the hopes of finding a professional malware analyst who can figure out the truth."
        https://www.gdatasoftware.com/blog/2025/05/38200-printer-infected-software-downloads
        https://www.bleepingcomputer.com/news/security/printer-maker-procolored-offered-malware-laced-drivers-for-months/
      • Ransomware Gangs Increasingly Use Skitnet Post-Exploitation Malware
        "Ransomware gang members increasingly use a new malware called Skitnet ("Bossnet") to perform stealthy post-exploitation activities on breached networks. The malware has been offered for sale on underground forums like RAMP since April 2024, but according to Prodaft researchers, it started gaining significant traction among ransomware gangs since early 2025. Prodaft told BleepingComputer they have observed multiple ransomware operations deploying Skitnet in real-world attacks, including BlackBasta in Microsoft Teams phishing attacks against the enterprise, and Cactus. The malware promoted on underground forums"
        https://www.bleepingcomputer.com/news/security/ransomware-gangs-increasingly-use-skitnet-post-exploitation-malware/
        https://catalyst.prodaft.com/public/report/skitnet/overview
      • FDD Uncovers Likely Chinese Intelligence Operation Targeting Recently Laid-Off U.S. Government Employees
        "Chinese intelligence moved quickly to take advantage of the mass layoffs of federal workers that began right after the Trump administration took office. On Craigslist.org, a post advertising “Job Opportunities for Recently Laid-Off U.S. Government Employees” appeared on February 6 on the website’s Washington, DC, jobs board. The post links to the website of what is supposedly a consulting services company located in Singapore. Yet peering beneath the surface reveals that this company is part of a broader network of websites, LinkedIn pages, and job advertisements that appear to be a Chinese intelligence operation."
        https://www.fdd.org/analysis/2025/05/16/fdd-uncovers-likely-chinese-intelligence-operation-targeting-recently-laid-off-u-s-government-employees/
        https://www.bankinfosecurity.com/former-us-govt-employees-targeted-by-chinese-intelligence-a-28425
        https://www.theregister.com/2025/05/16/attn_fired_us_govt_workers/
      • Ransomware Roundup – VanHelsing
        "FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This edition of the Ransomware Roundup covers the VanHelsing ransomware."
        https://www.fortinet.com/blog/threat-research/ransomware-roundup-vanhelsing
      • Backdoor Implant Discovered On PyPI Posing As Debugging Utility
        "Threat actors have all kinds of motivations for targeting open-source software (OSS) repositories like the Python Package Index (PyPI). Financial gain is one of them. As ReversingLabs (RL) 2025 Software Supply Chain Security Report noted, there were close to two dozen software supply chain campaigns in 2024 alone that targeted developers working on cryptocurrency applications. But financial gain is just one motivation. Geopolitical tensions and political activism are another, as can be seen in a new malicious campaign that RL researchers detected on the PyPI this week, which may be linked to a threat actor that works in support of Ukraine since the Russian invasion of that country in 2022."
        https://www.reversinglabs.com/blog/backdoor-implant-discovered-on-pypi-posing-as-debugging-utility
        https://hackread.com/ukraine-group-russian-developers-python-backdoor/
      • High Risk Warning For Windows Ecosystem: New Botnet Family HTTPBot Is Expanding
        "In April 2025, the Global Threat Hunting system of NSFOCUS Fuying Lab detected a significant increase in the activity of a new Botnet Trojan developed based on Go language. Given that many of its built-in DDoS attack methods are HTTP-based, Fuying Lab named it HTTPBot. The HTTPBot Botnet family first came into our monitoring scope in August 2024. Over the past few months, it has expanded aggressively, continuously leveraging infected devices to launch external attacks. Monitoring data indicates that its attack targets are primarily concentrated in the domestic gaming industry. Additionally, some technology companies and educational institutions have also been affected. The attack of this Botnet family is highly targeted, with attackers employing a periodical and multi-stage attack strategy to conduct continuous saturation attacks on selected targets."
        https://nsfocusglobal.com/high-risk-warning-for-windows-ecosystem-new-botnet-family-httpbot-is-expanding/
        https://thehackernews.com/2025/05/new-httpbot-botnet-launches-200.html
        https://securityaffairs.com/177930/malware/new-botnet-httpbot-targets-gaming-and-tech-industries-with-surgical-attacks.html
      • New 'Defendnot' Tool Tricks Windows Into Disabling Microsoft Defender
        "A new tool called 'Defendnot' can disable Microsoft Defender on Windows devices by registering a fake antivirus product, even when no real AV is installed. The trick utilizes an undocumented Windows Security Center (WSC) API that antivirus software uses to tell Windows it is installed and is now managing the real-time protection for the device. When an antivirus program is registered, Windows automatically disables Microsoft Defender to avoid conflicts from running multiple security applications on the same device."
        https://www.bleepingcomputer.com/news/microsoft/new-defendnot-tool-tricks-windows-into-disabling-microsoft-defender/
      • Cl0p Ransomware: The Skeezy Invader That Bites While You Sleep
        "Cl0p ransomware is a private ransomware operation run by an organized cybercrime group known as TA505. The Cl0p operation is just one of several units of the TA505 criminal enterprise, and it is thought to be the most profitable. Since its emergence in 2019, Cl0p has extorted over $500 million in ransom payments and has directly affected thousands of organizations and tens of millions of individuals globally. In the final quarter of 2024, Cl0p outpaced Akira and overtook RansomHub to become the most active ransomware group in the landscape. In the first quarter of 2025, Cl0p surpassed LockBit as the most prolific ransomware group, based on publicly disclosed breaches."
        https://blog.barracuda.com/2025/05/16/cl0p-ransomware--the-skeezy-invader-that-bites-while-you-sleep
      • DBatLoader (ModiLoader) Being Distributed To Turkish Users
        "Recently, AhnLab SEcurity intelligence Center (ASEC) has identified cases of the ModiLoader (DBatLoader) malware being distributed via email. ModiLoader ultimately executes SnakeKeylogger. SnakeKeylogger is an Infostealer-type malware developed in .NET. It is known for its data exfiltration methods using emails, FTP, SMTP, or Telegram. Figure 1 shows the email being distributed. The email is written in Turkish and is being distributed by impersonating a Turkish bank. Users are prompted to open the malicious attachment to check their transaction history."
        https://asec.ahnlab.com/en/88025/
      • Etherhide Technique Using Blockchain As C&C Infrastructure
        "Threat actors have been utilizing various techniques and channels to evade tracking and blocking of their Command and Control (C&C) infrastructures. For example, they use Fast-Flux to rapidly change IP addresses and maintain domains, Bulletproof Hosting to use infrastructures located in countries where legal measures are difficult, and public platforms such as Telegram, Pastebin, and Twitter. Recently, there have been cases of threat actors utilizing the anonymity and censorship resistance of blockchain technology. This post will examine Etherhide, a technique that uses smart contracts as C&C infrastructures, and introduce cases of its abuse."
        https://asec.ahnlab.com/en/88009/

      Breaches/Hacks/Leaks

      • Agentic AI Tech Firm Says Health Data Leak Affects 483,000
        "Serviceaide, a provider of agentic artificial intelligence-based IT management and workflow software, reported to regulators that an inadvertent exposure of data on the web has affected more than 483,000 patients of client Catholic Health, a network of six hospitals and dozens of other facilities in western New York. California-based Serviceaide reported the incident as an unauthorized access/disclosure breach to the U.S. Department of Health and Human Services on May 9. As of Friday, several class action law firms had already issued public notices saying they are investigating the breach for potential lawsuits."
        https://www.bankinfosecurity.com/agentic-ai-tech-firm-says-health-data-leak-affects-483000-a-28424
      • Russian Hospital Faces Multi-Day Shutdown As Pro-Ukraine Group Claims Cyberattack
        "A private hospital in the Russian republic of Chuvashia experienced a multi-day disruption this week likely linked to a cyberattack claimed by a pro-Ukraine hacker group. On Tuesday, Lecardo Clinic announced a “technical failure” that led to a three-day shutdown of its operations. “We're doing everything we can to restore our operations, but it's taking longer than expected,” they said. “Once our software is fully restored, we'll notify you.”"
        https://therecord.media/russia-hospital-shutdown-lecardo
      • Broadcom Employee Data Stolen By Ransomware Crooks Following Hit On Payroll Provider
        "A ransomware attack at a Middle Eastern business partner of payroll company ADP has led to customer data theft at Broadcom, The Register has learned. It's understood Broadcom's HR department has begun the process of informing current and former staff who are affected by the September ransomware attack at Business Systems House (BSH). Broadcom no longer uses ADP or by extension BSH for payroll in the Middle East, the internal email confirmed, and at the time of the incident the company was in the process of switching payroll providers."
        https://www.theregister.com/2025/05/16/broadcom_employee_data_stolen_by/

      General News

      • Cyble Detects 200 Billion Files Exposed In Cloud Buckets
        "Cyble’s ODIN vulnerability search tool has detected more than 200 billion exposed files in cloud buckets across seven major cloud providers. The 200 billion exposed files reflect the sheer scale of accidental data exposure on the internet, data that’s often left publicly accessible due to misconfigurations. The files include data ranging from documents and credentials to source code and internal backups. The ODIN platform scans cloud buckets at scale and classifies exposed content using machine learning-based detection. ODIN has also detected more than 660,000 exposed buckets, in addition to more than 91 million exposed hosts. Cyble monitors and classifies these datasets to help organizations reduce their attack surface."
        https://cyble.com/blog/detects-200-billion-files-exposed-in-cloud-buckets/
      • Deepfake Attacks Could Cost You More Than Money
        "In this Help Net Security interview, Camellia Chan, CEO at X-PHY, discusses the dangers of deepfakes in real-world incidents, including their use in financial fraud and political disinformation. She explains AI-driven defense strategies and recommends updating incident response plans and internal policies, integrating detection tools, and ensuring compliance with regulations like the EU’s DORA to mitigate liability."
        https://www.helpnetsecurity.com/2025/05/16/camellia-chan-x-phy-defending-against-deepfakes/
      • Cybersecurity Skills Framework Connects The Dots Between IT Job Roles And The Practical Skills Needed
        "The Linux Foundation, in collaboration with OpenSSF and Linux Foundation Education, has released the Cybersecurity Skills Framework, a global reference guide that helps organizations identify and address critical cybersecurity competencies across a broad range of IT job families. “Cybersecurity is now a leadership issue, not just a technical one,” said Steve Fernandez, General Manager at OpenSSF. “Our framework gives organizations a straightforward way to identify gaps and prioritize the security skills that matter most, based on role and responsibility—not just checklists. It’s about building real-world resilience.”"
        https://www.helpnetsecurity.com/2025/05/16/cybersecurity-skills-framework-linux-foundation/
      • How Working In a Stressful Environment Affects Cybersecurity
        "Stressful work environments don’t just erode morale, they can quietly undermine cybersecurity. When employees feel overworked, unsupported, or mistreated, their judgment and decision-making suffer. “From an organizational perspective, a toxic culture often leads to increased errors, missed threats, decreased productivity, and higher turnover rates,” said Rob Lee, Chief of Research and Head of Faculty at SANS Institute. According to CyberArk, 65% of office workers admit they’ve bypassed cybersecurity policies to stay productive. Frustration and anger can also drive impulsive behavior, including actions that intentionally or unintentionally put company systems at risk."
        https://www.helpnetsecurity.com/2025/05/16/stressful-environment-cybersecurity/
      • Polymorphic Phishing Attacks Flood Inboxes
        "AI is transforming the phishing threat landscape at a pace many security teams are struggling to match, according to Cofense. In 2024, researchers tracked one malicious email every 42 seconds. Many of the 42-second attacks were part of polymorphic phishing attacks. Unlike traditional phishing methods, polymorphic phishing attacks rely on dynamic changes to the appearance and structure of malicious emails or links. Attackers use sophisticated algorithms to alter subject lines, sender addresses, and email content in real time, effectively bypassing static signature-based email filters."
        https://www.helpnetsecurity.com/2025/05/16/polymorphic-phishing-attacks-cofense/
      • Additional 12 Defendants Charged In RICO Conspiracy For Over $263 Million Cryptocurrency Thefts, Money Laundering, Home Break-Ins
        "A four-count superseding indictment, unsealed today in U.S. District Court, charges 12 additional people – Americans and foreign nationals – for allegedly participating in a cyber-enabled racketeering conspiracy throughout the United States and abroad that netted them more than $263 million. Several were arrested this week in California, while two remain abroad and are believed to be living in Dubai. The superseding indictment and the arrests were announced by U.S. Attorney Jeanine Ferris Pirro, FBI Special Agent in Charge Sean Ryan of the Washington Field Office Criminal and Cyber Division, and Executive Special Agent in Charge Kareem A. Carter of the Internal Revenue Service – Criminal Investigation Washington, D.C. Field Office."
        https://www.justice.gov/usao-dc/pr/additional-12-defendants-charged-rico-conspiracy-over-263-million-cryptocurrency-thefts
        https://www.bleepingcomputer.com/news/security/us-charges-12-more-suspects-linked-to-230-million-crypto-theft/
        https://therecord.media/feds-charge-12-suspects-in-rico-crypto-heist
      • AI In The Cloud: The Rising Tide Of Security And Privacy Risks
        "Over half of firms adopted AI in 2024, but cloud tools like Azure OpenAI raise growing concerns over data security and privacy risks. As enterprises embrace artificial intelligence (AI) to streamline operations and accelerate decision-making, a growing number are turning to cloud-based platforms like Azure OpenAI, AWS Bedrock, and Google Bard. In 2024 alone, over half of organizations adopted AI to build custom applications. While these tools deliver clear productivity gains, they also expose businesses to complex new risks, particularly around data security and privacy."
        https://securityaffairs.com/177911/uncategorized/ai-in-the-cloud-the-rising-tide-of-security-and-privacy-risks.html
      • Key Suspect In $190M Nomad Bridge Exploit Extradited To The United States
        "Last week, Israeli authorities — acting on a request from the US Department of Justice (DOJ) — arrested and approved the extradition of an individual suspected of playing a central role in the USD 190 million exploit of Nomad Bridge in August 2022. The arrest marks a milestone in the global effort to hold accountable actors who exploit cross-chain infrastructure for financial crime. TRM Labs is proud to support Nomad and law enforcement partners in combating complex crypto-enabled threats. The suspect, Russian-Israeli dual national Alexander Gurevich, was arrested in Jerusalem by Israeli police working in coordination with the DOJ, the FBI, and Interpol. According to publicly available court filings and law enforcement statements, Morrell allegedly conspired with others to execute the exploit and launder the resulting proceeds through a sophisticated, multi-layered operation involving privacy coins, mixers, and offshore financial entities."
        https://www.trmlabs.com/resources/blog/key-suspect-in-190m-nomad-bridge-exploit-extradited-to-the-united-states
        https://www.bleepingcomputer.com/news/legal/israel-arrests-new-suspect-behind-nomad-bridge-190m-crypto-hack/
      • Hackers Exploit VMware ESXi, Microsoft SharePoint Zero-Days At Pwn2Own
        "During the second day of Pwn2Own Berlin 2025, competitors earned $435,000 after exploiting zero-day bugs in multiple products, including Microsoft SharePoint, VMware ESXi, Oracle VirtualBox, Red Hat Enterprise Linux, and Mozilla Firefox. The highlight was a successful attempt from Nguyen Hoang Thach of STARLabs SG against the VMware ESXi, which earned him $150,000 for an integer overflow exploit. Dinh Ho Anh Khoa of Viettel Cyber Security was awarded $100,000 for hacking Microsoft SharePoint by leveraging an exploit chain combining an auth bypass and an insecure deserialization flaw."
        https://www.bleepingcomputer.com/news/security/hackers-exploit-vmware-esxi-microsoft-sharepoint-zero-days-at-pwn2own/
        https://securityaffairs.com/177943/hacking/pwn2own-berlin-2025-day-two-researcher-earned-150k-hacking-vmware-esxi.html
        https://hackread.com/pwn2own-berlin-2025-windows-11-vmware-firefox-hacked/
      • LockBit Got Hacked. Again: Uncovering Insights Into The Leaked Data
        "LockBit ransomware has been having a rough time over the past year. Following the heavy blow dealt by Operation Cronos, the group attempted a comeback, aiming to reclaim its previous status as one of the dominant players in the ransomware landscape. As LockBit was trying to recover, it hit another bump in the road. It didn’t take long before yet another breach of its infrastructure occurred."
        https://analyst1.com/lockbit-got-hacked-again-uncovering-insights-into-the-leaked-data/
        https://www.bankinfosecurity.com/lockbit-leaks-reveal-drive-to-recruit-ransomware-newbies-a-28421
      • Preparing For The Post-Quantum Era: a CIO’s Guide To Securing The Future Of Encryption
        "Quantum computing is on the verge of revolutionizing the technology landscape, much like AI did in 2024. By the end of 2025, quantum computing will emerge as a defining force, ushering in a new era filled with both unprecedented opportunities and significant challenges in securing digital assets. While state-of-the-art quantum computers aren’t yet capable of threatening cryptographic systems, predictions suggest the quantum computing threat could become a reality by the early 2030s. This timeline, paired with the steady advancements in this technology over the past few years, signals a rapidly approaching disruption on a global scale and a warning call that any business leader should heed."
        https://cyberscoop.com/quantum-computing-cio-pqc-preparation-2025/
      • How To Develop And Communicate Metrics For CSIRPs
        "Security and risk management (SRM) leaders face mounting pressure from executives to ensure that security incidents are managed effectively, minimizing disruptions to enterprise performance and profitability. It's crucial to assess incident response processes in terms of quality, speed, and effort to guide improvements and show business leaders the value of these enhancements, while providing transparency."
        https://www.darkreading.com/cybersecurity-operations/develop-communicate-metrics-csirps
      • From 60 To 4,000: NATO’s Locked Shields Reflects Cyber Defense Growth
        "The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia, last week hosted the 15th edition of the Locked Shields cyber defense exercise. Roughly 4,000 experts from 41 nations took part in Locked Shields 2025, which is designed to test and improve the preparedness of cybersecurity teams in defending national systems and critical infrastructure through a realistic simulation. While today it is the world’s largest and most complex cyber defense exercise, Locked Shields had humble beginnings."
        https://www.securityweek.com/from-60-to-4000-natos-locked-shields-reflects-cyber-defense-growth/
      • Ex-NSA Bad-Guy Hunter Listened To Scattered Spider's Fake Help-Desk Calls: 'Those Guys Are Good'
        "The call came into the help desk at a large US retailer. An employee had been locked out of their corporate accounts. But the caller wasn't actually a company employee. He was a Scattered Spider criminal trying to break into the retailer's systems - and he was really good, according to Jon DiMaggio, a former NSA analyst who now works as a chief security strategist at Analyst1. Scattered Spider is a cyber gang linked to SIM swapping, fake IT calls, and ransomware crews like ALPHV. They've breached big names like MGM and Caesars, and despite arrests, keep evolving. They're tracked by Mandiant as UNC3944, also known as Octo Tempest."
        https://www.theregister.com/2025/05/18/ex_nsa_scattered_spider_call/
      • Fast Flux Technique For Concealing Command And Control (C&C) And Evading Detection
        "In April 2025, the U.S. National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) jointly released a cybersecurity advisory (Fast Flux: A National Security Threat), in which the Fast-Flux Network was again designated as a key threat. Since the technique was first detected in the Storm botnet in 2007, it has been used as a key means to hide and evade the detection of Command and Control (C2) servers in numerous malware campaigns."
        https://asec.ahnlab.com/en/88008/
      • April 2025 Infostealer Trend Report
        "This report provides statistics, trends, and case information on the distribution of Infostealer malware, including the distribution volume, methods, and disguises, based on the data collected and analyzed in April 2025. The following is a summary of the report."
        https://asec.ahnlab.com/en/88062/
      • April 2025 APT Group Trends
        "Since November 2024, the North Korean APT group has been exploiting the vulnerability of South Korean Internet financial security software. Similar attacks have been carried out in the past, and the threat actors have been launching attacks based on their understanding of the South Korean software ecosystem."
        https://asec.ahnlab.com/en/88063/

      References
      Electronic Transactions Development Agency (ETDA)
