March 27, 2025

Cyber Threat Report: Nation-State Espionage, Ransomware, and Emerging Cybercrime Trends

Stay updated on the latest cyber threats, including nation-state espionage, ransomware attacks, zero-day exploits, and data breaches. Learn how APT groups and cybercriminals are evolving their tactics.

Will Burns, IT Engineer
Nation-State Espionage and APT Campaigns
Chinese APT ‘FamousSparrow’ Resurfaces: Researchers from ESET uncovered new activity by the Chinese state-linked hacking group FamousSparrow, which had been dormant since 2022. The group has been targeting organizations in the U.S., Mexico, and Honduras, deploying upgraded variants of its custom backdoor SparrowDoor. Code overlaps confirm the link to previous FamousSparrow campaigns, which were known for targeting hotels and even government agencies. Recent victims include a U.S. trade association, a Honduran government entity, and a Mexican research institute, indicating the group’s cyber-espionage operations are active once again.
Chrome Zero-Day Used in Russian Espionage Campaign: Google released an emergency Chrome update after Kaspersky researchers discovered a zero-day vulnerability (CVE-2025-2783) being exploited in the wild. The high-severity flaw, an “incorrect handle” issue in Chrome’s Mojo IPC layer, allowed attackers to escape the browser sandbox and deliver malware. The exploit was used in a cyber-espionage campaign dubbed “Operation ForumTroll,” which targeted Russian media and educational organizations via phishing emails posing as invitations to a conference. Google has patched the bug in Chrome 134.0.6998.178 for Windows, and users are advised to update immediately, as attackers chained this sandbox escape with a second exploit to fully compromise targets.
Ransomware and Cybercrime Attacks
New ‘Arkana’ Ransomware Hits U.S. Telecom: A newly emerged ransomware gang calling itself Arkana Security claims to have breached WideOpenWest (WOW!), a U.S. cable and broadband provider. The group listed WOW! on its leak site as its first victim, alleging it gained deep access to internal systems (like AppianCloud and Symphonica) and stole two databases holding ~2.6 million combined customer accounts. Arkana has threatened to leak or sell the stolen data – which purportedly includes usernames, passwords, emails, and more – and even to deploy malware to customer devices if a “fee” (ransom) is not paid. The gang also doxxed company executives on its site. WOW! has not confirmed the hack and is working to validate the claims while facing potential reputational and legal fallout.
Ransom Demand Disrupts Malaysian Airport: Over the weekend, Malaysia’s busiest airport, KLIA, suffered computer outages that authorities now attribute to a cyberattack on the airport operator. Officials confirmed the attack began March 23 and involved perpetrators demanding a $10 million ransom from Malaysia Airports Holdings Berhad. Malaysia’s Prime Minister Anwar Ibrahim stated he immediately refused to pay, asserting the country would not bow to “ultimatums by criminals”. While no specific ransomware group has claimed responsibility and officials have not confirmed if ransomware was used, the incident caused over 10 hours of disruptions – flight info displays went down and staff resorted to manual whiteboard communication. Airport operations continued with backups, and authorities are investigating as the government faces criticism for initial opaque communications about the “network failure.”
Cyberattack on South African Food Producer: South Africa’s largest poultry supplier, Astral Foods, revealed that a March 16 cyberattack cost it roughly 20 million rand (~$1 million) in lost profits due to a week-long operational disruption. The attack forced Astral to enact full disaster recovery procedures, causing downtime in chicken processing and delivery backlogs. By March 25 the company had recovered systems and reported that all business units were operating normally. Astral stated no sensitive customer or supplier data was compromised in the “cyber intrusion”. While the company did not disclose the attack type or culprit, no known ransomware gang has claimed credit as of this week. The incident underscores the risk to agricultural supply chains – over 167 ransomware attacks hit the food/agriculture sector in 2023, and even brief IT outages can significantly impact production and earnings.
Ransomware Gang Exploits Windows Zero Day: Security researchers revealed that a Russian ransomware outfit (tracked as EncryptHub/RansomHub) was exploiting a previously unknown Windows vulnerability before Microsoft’s patch. The flaw (CVE-2025-26633) in the Windows Management Console (MMC), patched in early March, was used to execute code and steal data from targets as part of an extortion campaign. The attackers crafted malicious Microsoft Console (.msc) files and tricked the system into loading them via a path hijacking trick in the MMC’s multi-lingual interface, allowing them to run commands without detection. Trend Micro investigators warn that this “MSC Evil Twin” technique let the group deploy payloads including info-stealers (EncryptHub stealer, Rhadamanthys) and backdoors. This case highlights how ransomware gangs are increasingly using zero-day exploits to infiltrate organizations. Microsoft’s Patch Tuesday fix is available, and businesses are urged to apply it given active exploitation.
Corporate Espionage Group Turns to Ransomware: In an unusual crossover, the corporate espionage crew known as RedCurl has started using ransomware in some attacks. Active since 2018, RedCurl traditionally focused on stealthy data theft from global companies. However, new research by Bitdefender observed RedCurl deploying a custom ransomware dubbed “QWCrypt” to encrypt files on victims’ Hyper-V virtual servers. In a recent case, RedCurl hackers broke from their normal playbook of long-term espionage and unleashed ransomware, marking the first such instance for the group. The attack chain began with phishing emails carrying malicious .IMG attachments (disguised as job resumes) to infect systems. Once inside, the attackers leveraged “living-off-the-land” techniques and a custom lateral movement tool to avoid detection. The QWCrypt malware is tailored for virtual environments (with options to shut down or exclude certain VMs) and adds a “.locked$” extension to encrypted files. Notably, RedCurl does not operate a public leak site, fueling speculation that their use of ransomware may be intended as a false-flag distraction or for pure disruption rather than typical double-extortion. This development blurs the line between state-linked espionage and financially motivated cybercrime.
Data Breaches, Leaks, and Cyberattacks
NYU Admissions Data Leak via Website Defacement: Over one million New York University applicants had personal data exposed in a brazen breach of the university’s website. On March 22, a hacker group took control of NYU’s homepage for roughly three hours, replacing it with charts and links to admissions datasets sorted by race. The attacker claimed to have redacted identifying details, but in reality a vast amount of PII was leaked – including names, addresses, phone numbers, emails, GPAs, and more dating back decades. NYU’s IT team worked with an outside consultant to quickly regain control of the site and is now notifying affected individuals per legal requirements. The hacker, who asserted affiliation with a group called “Computer Niggy Exploitation,” said the attack was a protest of U.S. college affirmative action policies. They similarly breached the University of Minnesota last year, leaking millions of student Social Security numbers in an anti-affirmative-action stunt. Despite the attacker’s claimed social motive, the incident is being investigated by law enforcement and highlights serious security gaps in NYU’s web infrastructure.
StreamElements Third-Party Breach Exposes Creators: Streaming services provider StreamElements disclosed that a breach at one of its former third-party vendors led to a leak of streamer data. On a hacking forum last week, a threat actor posted samples of data for 210,000 StreamElements users, including names, email addresses, physical addresses, and phone numbers. The hacker (alias “victim”) claimed to have infected a StreamElements employee’s machine with malware, using stolen credentials to access an old order management database from 2020–2024. StreamElements confirmed that while its own servers were not compromised, the outdated data stored with a retired partner was exposed. Affected users are being contacted, and all users have been warned to watch out for phishing scams – in fact, opportunistic attackers are already sending fake “data breach” notification emails to exploit the situation. The original forum post offering the data has since been deleted, and StreamElements is investigating alongside law enforcement while accelerating efforts to securely dispose of legacy data.
DeFi Platform Heist – $13M Stolen from Abracadabra Finance: Decentralized finance platform Abracadabra Finance suffered a cryptocurrency heist on March 25, with hackers siphoning nearly $13 million worth of crypto from its protocol. The attack targeted Abracadabra’s “cauldron” lending pools – smart contracts allowing users to borrow against crypto collateral – exploiting a flaw that allowed draining of funds. The team acknowledged the incident on social media and froze the affected functionality pending investigation. Blockchain security firms traced the theft of 6,260 ETH (roughly $12.9M) during the attack. In response, Abracadabra offered the thief a bug bounty worth 20% of the stolen amount (~$2.6M) if they return the rest. The platform’s front-end website was temporarily replaced with a notice of unavailability, indicating the developers were in crisis mode. Multiple security analysts linked the exploit to interactions with the GMX decentralized exchange (whose tokens were used as collateral), though GMX stated its own contracts were not compromised. The incident is one of the larger DeFi thefts of 2025 so far, and Abracadabra is working with blockchain forensics (including Chainalysis) to track the stolen funds. Notably, the attacker funded the initial exploit via the Tornado Cash mixer – just days after U.S. courts lifted sanctions on that service.
Software Supply Chain Attacks and Vulnerabilities
Malicious npm Packages Backdoor Ethereum Library: Security researchers at ReversingLabs uncovered a novel malware campaign targeting software developers via the npm package repository. Two rogue packages named “ethers-provider2” and “ethers-providerz” were uploaded to npm, masquerading as harmless tools, but in fact they hijack a widely used library called ethers (an Ethereum blockchain toolkit) by covertly adding a malicious patch. Once a developer inadvertently installs these packages, they silently modify the local ethers module by inserting a malicious file, effectively opening a backdoor on the developer’s system. Uniquely, the attack doesn’t directly install malware; instead it piggybacks on legitimate code already present, a stealth tactic that evades many scans. The malware erases its installation traces (like temporary files) to avoid detection, and even if the fake package is removed, the poisoned ethers library can persist or re-infect if reinstalled. In the final stage, the altered library establishes a reverse shell connection, granting the attackers full remote control over the developer’s machine. The npm security team has since removed at least one of the malicious packages, and additional related packages were identified and taken down. Developers are advised to check their projects for the indicators published by ReversingLabs (including a YARA rule) to ensure their environment hasn’t been compromised, underscoring the ongoing risks in the software supply chain.
Unpatched Flaws in Industrial Cameras (ICS): Researchers warned of serious unpatched vulnerabilities in production-line monitoring cameras made by Japan’s Inaba Denki Sangyo. The affected device, the Inaba Choco Tei Watcher Mini (model IB-MCT001), is used in factories to oversee manufacturing processes. Four types of security weaknesses were identified, including weak default password requirements, a client-side authentication loophole, and a “forced browsing” flaw that allows access to protected pages without login. An attacker with network access to a camera can potentially take full control of the device – viewing live video/audio feeds and even manipulating or deleting stored footage. This raises both espionage and safety concerns: intruders could spy on proprietary production techniques or erase incident footage to cover sabotage. No firmware patch is yet available; Inaba has only issued mitigations, advising customers to restrict network access to the cameras and use firewalls. The U.S. CISA and Japan’s JPCERT have posted advisories since these cameras are deployed globally, not just in Japan. Affected industries are urged to apply network segmentation and monitor these devices closely until Inaba releases fixes, as compromised industrial cameras could facilitate broader attacks on factory networks.
Healthcare Data Privacy Incident
Period-Tracking App Data Misuse (Flurry/Flo Health): In a notable privacy case, Flurry Inc., a now-defunct mobile analytics firm, agreed to pay $3.5 million to settle allegations that it illicitly harvested sensitive health data from a popular period-tracking app. According to a class-action lawsuit, Flurry’s software (embedded in the Flo Health menstruation app) collected users’ personal and sexual health details without proper consent and shared them with third parties like Meta and Google. Millions of women who used the Flo app between 2016 and 2019 had provided intimate information – from menstrual cycles and fertility intentions to whether they experience pain during sex – under the impression it would remain private. The complaint alleged Flurry’s SDK enabled surreptitious access to this data, violating user trust and privacy laws. The settlement, approved in a California federal court last week, addresses Flurry’s liability (other defendants like Meta are handled separately). Affected users will be notified as part of the class settlement. This case underscores growing concerns around health apps and data brokers: regulators are increasingly cracking down on the improper sharing of personal health information, even in the absence of a traditional data “breach.” Flurry’s penalty serves as a reminder that cybersecurity isn’t just about external hackers – it also covers the accountability of organizations in handling sensitive user data responsibly.
Sources: The Hacker News; BleepingComputer; The Record (Recorded Future); SecurityWeek; Hackread; South China Morning Post; official statements and advisories

Copyright © 2025 Stellar Technologies