Verticals Targeted: Finance, Construction, Manufacturing, Technology
Regions Targeted: US, UK, Canada
Related Families: Cobalt Strike, Meterpreter
Verticals Targeted: Government, Defense
Regions Targeted: Ukraine, Bulgaria, Romania, Africa, EU, South America
Related Families: None specified
Executive Summary
Operation RoundPress, a Russia-aligned cyberespionage campaign attributed to Fancy Bear, deploys SpyPress malware via cross-site scripting (XSS) vulnerabilities to steal sensitive email data from high-value webmail servers. Active since 2023 and expanding in 2024, the campaign primarily targets Ukrainian government entities and Eastern European defense contractors, exploiting zero-day and known vulnerabilities across platforms like Roundcube, Horde, MDaemon, and Zimbra.
Verticals Targeted: NGOs, Diplomats, Government
Regions Targeted: Western countries, Eastern Europe, Ukraine
Related Families: Spica
Executive Summary
Star Blizzard, a Russian state-sponsored threat actor, has deployed a malware family named LOSTKEYS to steal sensitive documents and system information from NGOs, diplomats, and government officials in Western countries and Eastern Europe.
Verticals Targeted: E-commerce
Regions Targeted: Not specified
Related Families: None identified
Executive Summary
PupkinStealer, a .NET-based infostealer written in C#, targets sensitive data such as browser credentials and desktop files, exfiltrating it via Telegram’s Bot API. First observed in April 2025, its simplicity and reliance on legitimate platforms make it a notable threat.
Related Families: Amadey
Executive Summary
StealC V2, a sophisticated evolution of the StealC information stealer, introduces enhanced payload delivery, RC4 encryption, and a redesigned control panel, posing significant risks to organizations.
Related Families: VenomLNK, TerraLoader, TerraStealer, TerraTV, TerraCrypt, TerraRecon, TerraWiper, lite_more_eggs, RevC2, Venom Loader
Executive Summary
TerraStealerV2 and TerraLogger are two new malware families from Venom Spider, enhancing their Malware-as-a-Service (MaaS) platform with credential theft and keylogging capabilities. These tools, observed between January and April 2025, indicate active development but lack the sophistication of mature Venom Spider malware.
Verticals Targeted: Gambling
Regions Targeted: Philippines, Cambodia, United Arab Emirates, China, Hong Kong
Related Families: WizardNet, DarkNights (DarkNimbus)
Executive Summary
TheWizards APT group leverages Spellbinder, a sophisticated lateral movement tool, to conduct adversary-in-the-middle (AitM) attacks, hijacking legitimate Chinese software updates to deploy the WizardNet backdoor. This activity targets gambling companies and individuals across Asia and the Middle East.
Verticals Targeted: Cryptocurrency, Social Media, Communications
Regions Targeted: Russia, United Kingdom, Germany, Netherlands, Brazil
Related Families: Dwphon, MobOk