MONTHLY WRAP

Overview

March 2025 witnessed a significant escalation in both the volume and sophistication of cyber threats, underscoring the expanding capabilities of state-sponsored and financially motivated actors. Ransomware operations became increasingly targeted and adaptive, with new variants leveraging zero-day vulnerabilities, supply chain infiltration, and stealth-focused deployment techniques. Botnets exploiting unmonitored IoT devices surged, while advanced phishing campaigns employed novel formats, including SVGs and polymorphic Chrome extensions, to evade detection.

Nation-state actors, particularly from China, North Korea, Russia, and Iran, executed espionage-focused campaigns using modular malware frameworks, zero-day exploits, and covert communication protocols. Multiple APT groups weaponized previously undocumented vulnerabilities in widely deployed systems, including Kubernetes, Apache Tomcat, VMware, Juniper routers, and Microsoft’s WinDbg. Supply chain compromises also spiked, with malware-laced packages in the npm and Go ecosystems and in the Ruby-SAML library. Mobile and browser-based threats grew in scale and complexity: the Android malware families TsarBot and Crocodilus introduced sophisticated overlay and accessibility-service abuse tactics, while campaigns involving Rilide and Phantom Goblin targeted browser-based credential storage, cryptocurrency wallets, and developer tools.

Ransomware groups, including Medusa, Akira, and RedCurl, focused on the Healthcare, Government, Financial, and Manufacturing sectors, using living-off-the-land techniques and legitimate tools for stealthy intrusions. New Linux-based backdoors, including OrpaCrab, also indicated increased adversary interest in OT and industrial systems. Artificial intelligence emerged as a dual-use technology that threat actors exploited to generate phishing scripts and foundational malware code; by lowering the barrier to entry, it has enabled less technically adept criminals to execute increasingly effective attacks, marking a shift in the threat landscape. With six zero-days actively exploited in the wild this month, including in Chrome, Android, VMware, and Windows, rapid patching and comprehensive visibility across hybrid environments are more urgent than ever.


  • AI-Driven Attack Automation Emerges: DeepSeek and Operator AI were used to build malware, scripts, and phishing campaigns with little to no technical input.
  • Critical Infrastructure Faces Targeted Exploitation: OT and SCADA systems, Kubernetes clusters, and Hyper-V servers were compromised via misconfigurations and tailored malware.
  • C2 Frameworks Prioritize Stealth and Modularity: Specter Insight, VSCode Tunnels, recursive HTTP tunneling, and Telegram exfiltration enabled persistent, covert access across campaigns.
  • DNS-Based Phishing Kits Emerge: Morphing Meerkat uses DNS MX record lookups to generate brand-specific phishing pages tailored to victims' email providers.
  • GPU-Assisted Malware Evasion: CoffeeLoader leverages GPU operations and advanced obfuscation to evade EDR and deliver second-stage payloads.
  • IoT Exploitation Fuels Malware Distribution and Control: Eleven11bot, BADBOX 2.0, and Akira exploited webcams, routers, and Bluetooth chips for ransomware, proxies, and covert access.
  • Phishing Tactics Evolve Through Deception and Obfuscation: Threat actors deployed SVG payloads, polymorphic Chrome extensions, and fake reCAPTCHAs to evade defenses and steal credentials.
  • Stealth Malware and Modular Backdoors Surge: StilachiRAT, Poco RAT, SparrowDoor, and EncryptRAT featured sandbox evasion, in-memory execution, and encrypted communications.
  • Software Supply Chains are Increasingly Poisoned: Malicious packages in npm, Ruby-SAML, and Go ecosystems have enabled backdoor injection, credential theft, and persistent developer environment compromise.
  • Zero-Day Exploitation Intensifies Across Platforms: At least six critical zero-days were abused in Chrome, VMware, Windows MMC, Android, and Paragon software to enable full system compromise.

Industries Targeted

  • Energy & Critical Infrastructure: Ransomware groups exploited SCADA flaws and Hyper-V servers, targeting fuel systems, nuclear facilities, and maritime infrastructure for disruption and surveillance.
  • Financial Sector: Lazarus Group and the TsarBot and Crocodilus banking malware families aggressively targeted financial institutions and their customers, with malicious Chrome extensions used as one delivery and credential-theft vector.
  • Government & Defense: APT groups launched spear-phishing, web shell deployments, and infrastructure exploitation campaigns against diplomatic entities and U.S. federal agencies, with over 150 government servers found publicly exposed.
  • Healthcare: Medusa and VanHelsing ransomware targeted healthcare providers in attacks that leveraged AnyDesk and malicious OAuth apps to access Microsoft 365 accounts and deliver malware.
  • Technology & SaaS Providers: Affected by Microsoft Outlook outages, the Apache Tomcat RCE, and GitHub-based malvertising campaigns that used the platform to host malicious payloads.
  • Telecommunications: Weaver Ant, SideWinder, and Eleven11bot compromised telecom networks through credential theft, botnet-fueled DDoS attacks, and espionage, impacting providers across Asia and the West.

Most Active Threat Actors

  • APT41 (China): Exploited Check Point VPN (CVE-2024-24919) for supply chain espionage, deploying ShadowPad malware.
  • Darcula 3.0 (PhaaS Platform): Enabled custom phishing kit generation for any brand, increasing accessibility to low-skill attackers.
  • Kimsuky (North Korea): Tricked victims into manually executing PowerShell scripts, bypassing traditional security defenses.
  • Lazarus Group (North Korea): Used CAPTCHA phishing pages and Lumma Stealer to steal credentials and cryptocurrency wallets.
  • LockBit Ransomware: Exploited Atlassian Confluence (CVE-2023-22527) for rapid ransomware deployment.
  • Mustang Panda (China): Abused Microsoft MAVInject[.]exe to evade detection while implanting backdoors in Asia-Pacific targets.
  • PolarEdge Botnet Operators: Exploited legacy Cisco, QNAP, and Synology devices, using them for espionage and cyberattacks.

Future Predictions

  • Browser and Credential Theft Will Intensify: Polymorphic extensions, OAuth misuse, and stealers will dominate identity and financial data exfiltration.
  • Cloud and SaaS Ransomware Attacks Will Increase: Adversaries will abuse cloud-native tools and OAuth in Microsoft 365 to deploy malware-less ransomware and disrupt operations.
  • Espionage Targeting Will Expand Globally: State-backed actors will deepen surveillance on governments and infrastructure using modular malware and encrypted cloud C2 channels.
  • IoT Device Exploitation Will Accelerate: Botnets, including Ballista and Eleven11bot, will keep targeting routers and consumer-grade devices for DDoS, proxies, and lateral movement.
  • Supply Chain Intrusions Will Escalate: Threat actors will weaponize open-source ecosystems to poison dependencies and compromise developer pipelines during builds.

Vulnerability Asset Management

Prioritizing Vulnerabilities by Business Impact

Let's face it: not every security vulnerability deserves the same level of attention. Some could halt our operations or expose sensitive data, while others affect systems we could live without. A business-impact approach looks beyond the technical rating to ask what actually matters: "What happens to our business if this gets exploited?" That means weighing how the flaw could disrupt day-to-day operations, whether customer data is at risk, what compliance consequences could follow, and the potential financial loss. The point is to connect each security issue to a real business concern rather than rely on a severity score that may not tell the whole story.

This approach lets us make better decisions with limited resources. Instead of trying to fix everything at once, we can focus the team's effort on closing the gaps that threaten the most critical assets first. When our security work demonstrably protects what matters most to the business, its value is easy to show: it keeps the business running. It also gives everyone from IT to the executive team a common language for risk, which makes the question "Which vulnerabilities should we fix first?" much easier to answer.

💡 Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.