Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11823
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-05-08 13:52:39 | thehackernews | MALWARE | Qilin Ransomware Group Escalates Attacks with NETXLOADER Malware | Threat actors associated with the Qilin ransomware group have used a new .NET-based loader called NETXLOADER, with 45 breaches disclosed in early April 2025. NETXLOADER is designed to deploy additional malicious payloads stealthily, including Agenda ransomware and SmokeLoader, and is protected by .NET Reactor 6 to hinder analysis. The increase in Qilin's activity follows a spike in disclosures on its data leak site, doubling the numbers since February 2025 and solidifying its position as a leading ransomware threat. The shutdown of RansomHub, a competing ransomware group, in early April 2025 may have contributed to the influx of affiliates joining Qilin. Trend Micro's analysis indicates that the malware is heavily obfuscated, uses advanced evasion techniques, and must be executed to reveal its true behaviour. The Agenda ransomware, part of Qilin's arsenal, has been observed primarily in sectors such as healthcare, technology, and financial services across multiple countries. Attack strategies for deploying NETXLOADER include the use of valid accounts and phishing; the loader then deploys SmokeLoader, which connects to a C2 server to launch Agenda ransomware. The ongoing evolution of Agenda includes new features targeting domain networks, storage systems, and vCenter ESXi, demonstrating its versatility and destructive impact. | Details |
| 2025-05-08 13:43:09 | bleepingcomputer | NATION STATE ACTIVITY | Russian-Backed ColdRiver Group Deploys LostKeys Malware | The Russian state-supported hacking group ColdRiver has been actively using a new malware, LostKeys, for espionage against Western governments, journalists, and NGOs since early this year. Google's Threat Intelligence Group identified the LostKeys malware being used in ClickFix social engineering attacks to execute malicious PowerShell scripts on targets' devices. LostKeys is designed to steal specific file types and gather system information, furthering ColdRiver's espionage capabilities. In December, ColdRiver was definitively linked by the UK and Five Eyes to Russia's Federal Security Service (FSB), indicating state-backed cyber activity. Other state-backed groups from countries such as North Korea and Iran, as well as additional Russian groups, have conducted similar espionage using social engineering. The U.S. State Department has imposed sanctions and offered rewards of up to $10 million for information leading to the capture or identification of ColdRiver members. ColdRiver has also targeted governmental and defense-industrial sectors in the U.S. and NATO countries, continuing aggressive cyber espionage following Russia's invasion of Ukraine. | Details |
| 2025-05-08 11:24:42 | bleepingcomputer | MALWARE | SonicWall Alerts on VPN Vulnerabilities; Urges Immediate Patching | SonicWall has identified three critical vulnerabilities in its Secure Mobile Access (SMA) appliances, one of which is being actively exploited. The impacted models include SMA 200, 210, 400, 410, and 500v, with patches available in firmware version 10.2.1.15-81sv or higher. Researchers at Rapid7 discovered the flaws, which could allow attackers to achieve remote code execution as root. The vulnerabilities can be exploited in sequence: first compromising the database to reset admin passwords, then writing to system files, and finally executing code as root. SonicWall advises customers to upgrade their firmware to the fixed release and to check device logs for signs of unauthorized access. Additional security recommendations include enabling a web application firewall and multifactor authentication on SMA devices. Recent history shows this is not an isolated issue for SonicWall, with several other high-severity vulnerabilities reported and exploited in the recent past. | Details |
| 2025-05-08 11:03:59 | thehackernews | MISCELLANEOUS | Why True Cybersecurity Demands Continual Control Optimization | 61% of security leaders reported experiencing breaches due to misconfigured or failed security controls, despite having an average of 43 cybersecurity tools. Misconfiguration of security tools, rather than a lack of tools, contributes significantly to breaches, with a notable incident involving Blue Shield of California leading to a massive data leak. The Gartner report emphasizes the gap between the mere presence of security tools and their effective configuration against real-world cyber threats. Moving towards true control effectiveness requires a shift in mindset, integrating better teamwork, continuous training, and collaboration across organizational functions. Implementation of outcome-driven metrics (ODMs) and protection-level agreements (PLAs) is critical for measuring the actual performance of cybersecurity defenses. Continuous optimization and regular tuning of security controls are necessary to adapt to evolving threats and changing business environments. Organizations need to embed security control optimization into daily operations and align it with broader business risks to mitigate cyber threats effectively. | Details |
| 2025-05-08 10:37:45 | thehackernews | NATION STATE ACTIVITY | MirrorFace Ramps Up Cyber Espionage in Japan and Taiwan | MirrorFace, associated with China's APT10, has escalated cyber attacks on Japanese and Taiwanese government and public entities using ROAMINGMOUSE and updated ANEL malware. Spear-phishing emails, often sent from compromised legitimate accounts, deliver malware through embedded Microsoft OneDrive URLs that download malicious Excel documents and ZIP files. The updated ANEL backdoor can execute Beacon Object Files (BOFs) in memory, enhancing post-exploitation capabilities. The campaign also potentially uses SharpHide to launch the NOOPDOOR backdoor in secondary attack stages. Attackers employ DNS-over-HTTPS (DoH) to disguise IP address lookups during command-and-control operations. The threat actors examine the victim's environment by taking screenshots, analyzing running processes, and gathering domain information. Security experts recommend that organizations with high-value assets adopt proactive security measures and remain vigilant to prevent cyber attacks. | Details |
| 2025-05-08 07:06:00 | thehackernews | NATION STATE ACTIVITY | Russian Hackers Deploy LOSTKEYS Malware via Fake CAPTCHA | The Russian-linked threat actor COLDRIVER has distributed new malware, LOSTKEYS, primarily targeting Western government advisors, journalists, and NGOs using a deceptive social engineering tactic called ClickFix. This espionage-focused campaign leveraged a fake CAPTCHA site to trick victims into downloading the malware via PowerShell commands, and is noted for its highly selective deployment. LOSTKEYS capabilities include accessing and exfiltrating files from specified directories and extensions, gathering system information, and monitoring running processes. The malware was identified in multiple instances throughout January, March, and April 2025, with preliminary activity traced back to December 2023 involving artifacts resembling Maltego binaries. COLDRIVER, also known as Callisto, Star Blizzard, and UNC4057, has evolved from credential phishing to complex malware delivery, and deploys malware strategically to infiltrate specific high-value targets. The technique involves initial redirection to a decoy website posing a CAPTCHA challenge, misleading victims into executing a command that downloads subsequent malware payloads designed to evade detection in virtual environments. Additional context on the global rise of the ClickFix method shows its adoption across various cybercriminal campaigns, including those distributing banking Trojans and information stealers, as in the cases of Lampion and Atomic Stealer. | Details |
| 2025-05-08 06:47:32 | theregister | MISCELLANEOUS | Ubuntu 25.10 Defaults to Rust-Based sudo-rs for Enhanced Security | Ubuntu 25.10 will adopt sudo-rs, a Rust-based implementation of the sudo command, as its default to improve memory safety and reduce security vulnerabilities. Memory-safe programming languages like Rust are advocated by security experts and government bodies such as CISA to prevent common bugs that lead to serious system vulnerabilities. The sudo-rs project, sparked by the Internet Security Research Group's Prossimo initiative and financially backed by AWS, aims to replace traditional C-based utilities with more secure Rust versions. Historical vulnerabilities in traditional sudo have included severe memory safety issues, demonstrating the need for the transition to a memory-safe language. Other core utilities beyond sudo are also being rewritten in Rust, with adoption in various security-focused Linux distributions and support from major stakeholders such as AWS and Canonical. Canonical's switch to sudo-rs aligns with broader industry movements toward strengthening core system software resilience and security through memory-safe programming practices. The shift to Rust-written utilities like sudo-rs is seen as crucial for improving system security, despite ongoing debate and resistance within parts of the open source community. | Details |
| 2025-05-08 04:58:23 | thehackernews | MALWARE | Cisco Fixes Critical Flaw in IOS XE, Prevents Unauthorized Access | Cisco has patched a critical vulnerability in its IOS XE Wireless Controller software, identified as CVE-2025-20188. The flaw, rated 10.0 on the CVSS scale, could allow unauthenticated remote attackers to execute arbitrary commands with root privileges. The vulnerability is due to a hard-coded JSON Web Token in the system, exploitable through crafted HTTPS requests. Devices are vulnerable only if the Out-of-Band AP Image Download feature, which is disabled by default, has been enabled. Cisco urges users to update their systems or to disable the Out-of-Band AP Image Download feature as a temporary mitigation. The vulnerability was discovered internally by Cisco's Advanced Security Initiatives Group, with no known malicious exploitation reported so far. | Details |
| 2025-05-08 00:49:50 | theregister | DATA BREACH | PowerSchool's Ransom Payment Fails to Prevent Data Extortion | PowerSchool, an educational technology provider, paid a ransom to have stolen data on over 60 million K-12 students and teachers deleted, aiming to prevent its public release. Despite the payment, the extortionists allegedly retained copies of sensitive data, including names, Social Security numbers, and medical information. The Toronto District School Board, along with other North American school districts, recently reported extortion attempts demanding ransoms based on the stolen data. PowerSchool initially believed the data had been deleted by the ransomware group as agreed, but recent events indicate the data may still exist. The ongoing extortion affects various school districts, creating significant concern and prompting investigations by law enforcement. PowerSchool is no longer considering ransom payments and has pledged to provide two years of credit monitoring for those affected by the breach. The situation highlights the risks and challenges of negotiating with cybercriminals, who may not honor their commitments. | Details |
| 2025-05-08 00:13:53 | bleepingcomputer | DATA BREACH | LockBit Ransomware Group Compromised, Internal Communications Leaked | The LockBit ransomware gang's dark web affiliate control panels were compromised and defaced. The panels displayed a message and linked to a downloadable database dump from the MySQL affiliate panel. Analysis of the database shows details from 20 tables, including negotiation chats with last entries dated April 29th, 2025. The cause and perpetrator of the breach remain unclear, though signs suggest similarities to another recent ransomware group breach. The server was found to be running a vulnerable version of PHP that allowed remote code execution. Despite a significant law enforcement operation in 2024 that weakened LockBit, the gang managed to continue operations until this latest breach. It is uncertain whether this breach will permanently damage LockBit's operational capabilities and reputation. | Details |
| 2025-05-07 23:33:59 | theregister | MISCELLANEOUS | CrowdStrike Plans Job Cuts, Emphasizes AI to Drive Efficiency | CrowdStrike, a prominent cybersecurity firm, announced significant job cuts amounting to around 500 positions, or 5% of its workforce. CEO George Kurtz attributed the downsizing to investment in artificial intelligence (AI) to improve efficiency and speed up operations. Kurtz emphasized that AI is foundational to CrowdStrike's operations, aiming to flatten the hiring curve and accelerate development from idea to product. The use of AI could, however, introduce potential liabilities, including generative AI producing errors, bias, or unreliable outputs, according to the company's risk disclosures. CrowdStrike's move is part of a larger trend in which companies like Workday are also leveraging AI while facing related challenges and risks, including potential litigation over AI usage. The implementation of AI is viewed as crucial for CrowdStrike to reach its ambitious goal of $10 billion in annual revenue. Economic uncertainty and potential tariffs also play a role in staffing decisions, as shown by other firms such as United Parcel Service making similar workforce reductions. | Details |
| 2025-05-07 18:36:45 | theregister | MISCELLANEOUS | Delta Faces Class Action After CrowdStrike Software Failure | A federal judge has allowed parts of a class action lawsuit to proceed against Delta Air Lines, stemming from disruptions caused by a faulty CrowdStrike software update. The software issue, which occurred in July 2024, led to Delta cancelling over 4,500 flights, significantly more than other airlines affected by the same issue. Plaintiffs argue that Delta's handling of refunds and compensation was inadequate, claiming the airline offered only partial reimbursements without clear conditions. The legal claims focus on alleged breach of contract for failing to refund and on violations of the Montreal Convention, which governs international airline liability. Delta estimated its operational losses at approximately $500 million due to the outage but sought to dismiss the lawsuit. The court's decision allows the lawsuit to continue on specific counts, affirming passengers' rights to seek accountability and proper compensation. Pre-trial discovery is set to proceed, with a new joint report due by May 20. | Details |
| 2025-05-07 18:28:38 | bleepingcomputer | CYBERCRIME | PowerSchool Hacker Extorts Schools Using Stolen Data | PowerSchool confirmed that the hacker behind its December 2024 breach is now extorting individual school districts, threatening to release stolen data unless paid. Although PowerSchool initially paid the ransom to keep its data from public exposure, the threat actor is contacting schools directly to extort them. The company has involved law enforcement in the U.S. and Canada and is assisting affected school districts. The stolen data includes sensitive information such as SSNs, medical records, and personal contact details of students and teachers. PowerSchool is offering two years of free credit monitoring and identity protection for students and faculty to mitigate potential fraud and identity theft. Security experts criticize the decision to pay ransoms, as there is no assurance that threat actors will delete the stolen data as promised. The incident highlights the growing problem of threat actors reneging on ransom agreements, as seen in similar recent high-profile cases. | Details |
| 2025-05-07 18:03:26 | bleepingcomputer | CYBERCRIME | CoGUI Phishing Campaign Targets Over 580 Million Emails Globally | The CoGUI phishing kit has emerged as a major threat, sending over 580 million emails from January to April 2025 to steal credentials and payment data. Proofpoint researchers tracked the massive scale of the operation, noting the unprecedented volume of phishing activity associated with CoGUI. The campaigns impersonated well-known brands and institutions such as Amazon, PayPal, and various banks, primarily targeting users in Japan. The attack methodology involves sending phishing emails with urgent prompts and directing users to fake websites only if they meet specific criteria such as location and device type. Users meeting the criteria are presented with fake login forms designed to harvest sensitive personal and financial information. Although initially linked to China-based operators similar to the Darcula phishing kit, CoGUI has been determined to operate independently, possibly supporting multiple Chinese cybercriminal entities. Apart from Japan, smaller campaigns have been observed in the United States, Canada, Australia, and New Zealand, with shifting tactics including smishing attempts in the U.S. Effective prevention includes cautious handling of urgent and unsolicited digital communications and verifying authenticity through direct, secure channels rather than links provided in email. | Details |
| 2025-05-07 17:42:23 | theregister | MISCELLANEOUS | Extensive Data Collection in Popular Mobile Browsers Revealed | Surfshark's study identifies Google Chrome as the top data-collecting mobile browser, capturing 20 different types of user data including financial and location information. Safari, Chrome's closest competitor in market share, also ranks high in data collection but gathers fewer data types than Chrome. The research highlights the Bing app as another major collector, pulling 12 data types, while Safari and Firefox each collect 8 types. Specific data collection such as precise location tracking was unique to certain browsers like Bing, which also shares data for third-party advertising. Less popular browsers like Brave and Tor show significantly lower data collection, promoting user privacy with minimal data retrieval. The findings underscore the privacy implications of using dominant browsers and how they might use the significant data they collect, potentially for targeted advertising or sale to data brokers. Surfshark analyzed the privacy policies of these browsers as listed on the Apple App Store to compile its report. | Details |