BlackSuit Ransomware Infrastructure Disrupted in International Law Enforcement Operation

Russian hackers, tracked as Static Tundra and associated with the FSB's Center 16 or Military Unit 71330, have been exploiting a seven-year-old vulnerability (CVE-2018-0171) in unpatched end-of-life Cisco networking devices to target enterprise and critical infrastructure networks in the U.S. and abroad. The attacks, ongoing since at least August 2024, have compromised thousands of devices, allowing the attackers to collect configuration files, change settings, and gain unauthorized access. The U.S. Department of State is offering a reward of up to $10 million for information on three FSB officers involved in these cyberattacks. The targets include organizations in the manufacturing, telecommunications, higher education, and energy sectors. The attackers use stolen SNMP credentials to control compromised devices, enabling them to run commands, change settings, and steal configurations while evading detection. They also create new local user accounts and enable remote access services like Telnet to maintain access. The attacks highlight the persistent threat of unpatched vulnerabilities and the need for robust cybersecurity measures to protect critical infrastructure. The three FSB officers, Marat Valeryevich Tyukov, Mikhail Mikhailovich Gavrilov, and Pavel Aleksandrovich Akulov, targeted more than 380 foreign energy-sector companies in 135 countries. The suspects targeted American and foreign oil and gas firms, nuclear power plants, renewable energy firms, utility and electrical grid entities, consulting and engineering groups, and advanced technology companies. In August 2021, these officers were indicted in the US with charges of computer fraud and abuse, wire fraud, and aggravated identity theft. The Dragonfly campaign involved obtaining persistent access to victim networks and infecting them with the Havex malware through supply chain compromise. In the second phase, known as Dragonfly 2.0, the three allegedly targeted over 3,300 users at more than 500 US and international companies and entities, including US government agencies, in spear-phishing attacks.

Operation Serengeti 2.0, an INTERPOL-led international operation, resulted in the arrest of 1,209 cybercriminals across Africa. The operation targeted cross-border cybercrime gangs involved in ransomware, online scams, and business email compromise (BEC). The operation, conducted from June to August 2025, involved law enforcement from 18 African countries and the UK. Authorities seized $97.4 million and dismantled 11,432 malicious infrastructures linked to attacks on 88,000 victims worldwide. The operation was supported by data from private sector partners, including Cybercrime Atlas, Fortinet, Group-IB, Kaspersky, The Shadowserver Foundation, Team Cymru, Trend Micro, TRM Labs, and Uppsala Security. Group-IB provided circumstantial intelligence on a cryptocurrency investment scam and BEC campaigns, while TRM Labs pursued leads tied to the Bl00dy ransomware group in Ghana and RansomHub. Notable actions included dismantling 25 cryptocurrency mining centres in Angola, confiscating 45 illicit power stations, and disrupting an online investment fraud operation in Zambia with 65,000 victims and $300 million in losses. Additionally, a transnational inheritance scam originating in Germany was disrupted, with losses estimated at $1.6 million. Nigeria deported 102 foreign nationals convicted of cyber terrorism and internet fraud. Earlier, Operation Red Card in March 2025 resulted in the arrest of 306 suspects and confiscation of 1,842 devices. The operation was part of the 'African Joint Operation against Cybercrime.' Participating countries included Seychelles, Tanzania, Ghana, Kenya, and others. Operation Serengeti 2.0 is part of a series of multi-month investigations and arrests highlighted by Interpol. The original Operation Serengeti involved two months of investigations with the African Union's Afripol and raids against 1,006 suspects in September and October 2024. In 2022, Interpol and 27 African nations conducted joint investigations as part of Operation Cyber Surge, following up in April 2023 with Operation Cyber Surge II. These joint investigations aim to train local law enforcement and prosecutors, which Interpol has noted are often hard-pressed to deal with the technical requirements of cybercrime prosecutions. In addition, the race is to deter cybercrime, redirect youth into more productive activities, and train law enforcement before the cybercriminals become too smart.

Warlock ransomware, potentially linked to Black Basta, targets unpatched on-premises Microsoft SharePoint servers. The ransomware leverages multiple vulnerabilities (CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, CVE-2025-53771) to gain initial access, escalate privileges, and deploy ransomware. The campaign includes extensive reconnaissance and evasion techniques, targeting security software to avoid detection. The threat actor Storm-2603, associated with China-backed groups, has been observed using Warlock ransomware in these attacks. The ransomware gang recently auctioned files stolen from Colt Technology Services, confirming customer data was compromised. Organizations are urged to apply available patches and implement comprehensive security measures to mitigate the risk.

The Multi-State Information Sharing and Analysis Center (MS-ISAC) faces funding cuts that will expire on September 30, 2025, potentially leaving state and local governments vulnerable to cyberattacks. Recent ransomware attacks on Nevada, St. Paul, the Lower Sioux Indian Community, and Pennsylvania underscore the growing threat to local governments. MS-ISAC, which detected over 40,000 potential cyberattacks in 2024, will have to start charging for its services without federal funding. This includes cyber threat analysis and threat intelligence distribution to critical infrastructure such as schools, hospitals, and utilities. The Center for Internet Security (CIS), which operates MS-ISAC, has been temporarily funding the center at a cost of over $1 million per month. Without reinstated funding, the MS-ISAC's services will be at risk, leaving many state and local governments unable to maintain the security of their public services.

The North Korean threat group Scarcruft (APT37) has launched a campaign targeting South Korea with a combination of infostealers, backdoors, and ransomware. The campaign, dubbed ChinopuNK, began in July 2025 and includes multiple malware tools designed for espionage and financial gain. The attacks start with phishing emails containing decoy documents about postal code updates. Once opened, these documents download NubSpy, a backdoor that uses the PubNub cloud service for command-and-control (C2) communication. The group also deploys ChillyChino, a PowerShell backdoor rewritten in Rust, and VCD ransomware, which encrypts specific file paths tailored to individual targets. In September 2025, a new phishing campaign, Operation HanKook Phantom, was discovered. This campaign targets individuals associated with the National Intelligence Research Association, including academic figures, former government officials, and researchers. The campaign uses spear-phishing emails with a lure for a "National Intelligence Research Society Newsletter" containing a ZIP archive attachment with a Windows shortcut (LNK) masquerading as a PDF document. The LNK file drops RokRAT malware, which is capable of collecting system information, executing arbitrary commands, enumerating the file system, capturing screenshots, and downloading additional payloads. RokRAT exfiltrates data via Dropbox, Google Cloud, pCloud, and Yandex Cloud. The campaign also involves a PowerShell script that deploys a dropper, which then runs a next-stage payload to steal sensitive data while concealing network traffic as a Chrome file upload. The lure document used in this instance is a statement issued by Kim Yo Jong, the Deputy Director of the Publicity and Information Department of the Workers' Party of Korea, rejecting Seoul's efforts at reconciliation. Additionally, a modular backdoor malware for the macOS platform, ChillyHell, has resurfaced with a new version. This malware gives attackers remote access and allows them to drop payloads or brute-force passwords. The new ChillyHell sample was uploaded to VirusTotal on May 2, 2025, and was notarized by Apple in 2021. The malware has multiple persistence mechanisms and can exfiltrate data, drop additional payloads, enumerate user accounts, and perform local password cracking. Apple revoked notarization of the developer certificates associated with the malware once notified by Jamf. A new malware family, ZynorRAT, has been discovered, targeting Windows, Linux, and macOS systems. ZynorRAT uses a Telegram bot for command and control and supports a wide range of functions, including file exfiltration, system enumeration, and arbitrary command execution. The North Korea-linked threat actors associated with the Contagious Interview campaign have been attributed to a previously undocumented backdoor called AkdoorTea, along with tools like TsunamiKit and Tropidoor. The campaign targets software developers across all operating systems, Windows, Linux, and macOS, particularly those involved in cryptocurrency and Web3 projects. The campaign involves impersonated recruiters offering lucrative job roles over platforms like LinkedIn, Upwork, Freelancer, and Crypto Jobs List. The attacks deliver several pieces of malware such as BeaverTail, InvisibleFerret, OtterCookie, GolangGhost, and PylangGhost. WeaselStore's functionality is similar to BeaverTail and InvisibleFerret, focusing on exfiltration of sensitive data from browsers and cryptocurrency wallets. TsunamiKit is a malware toolkit designed for information and cryptocurrency theft, first discovered in November 2024. TsunamiKit comprises several components, including TsunamiLoader, TsunamiInjector, TsunamiInstaller, TsunamiHardener, and TsunamiClient. TsunamiClient incorporates a .NET spyware and drops cryptocurrency miners like XMRig and NBMiner. Tropidoor is a sophisticated payload linked to the DeceptiveDevelopment group, sharing code with PostNapTea and LightlessCan. AkdoorTea is a remote access trojan delivered by a Windows batch script, sharing commonalities with Akdoor and NukeSped (Manuscrypt). The DeceptiveDevelopment campaign targets developers associated with cryptocurrency and decentralized finance projects with fake job offers aimed at information theft and malware infection. The campaign supplies stolen developer information to North Korea’s fraudulent IT workers, who use it to pose as job seekers and land remote work at unsuspecting companies. The campaign involves tight collaboration with North Korea’s network of fraudulent IT workers, tracked as WageMole. The North Korean IT workers operate in teams, focusing on obtaining work in Western countries, particularly the US, and in Europe, targeting France, Poland, Ukraine, and Albania. The North Korean IT workers impersonate real companies and engineers, producing engineering drawings with falsified approval stamps, and focus on self-education in web programming, blockchain, English, and AI integration.