Overview
The convergence of stealth, scale, and sophistication defines the cyber threat landscape in May 2025. Threat actors increasingly blend low-tech social engineering with high-tech delivery, using tactics like ClickFix and AI-generated phishing kits to bypass traditional defenses. Campaigns are shifting toward OS-agnostic infections, with Java-based malware, LNK file chains, and cross-platform loaders like ModiLoader and MintsLoader seen in active use. Attackers are exploiting zero-days (Android FreeType RCE, macOS Mach IPC) and revived weaknesses (the BitLocker PXE bypass), and abusing trusted infrastructure like Gmail SMTP, Google Calendar, and OneDrive OAuth to establish persistent access and exfiltrate sensitive data without detection.
Industries most affected include Healthcare, Finance, Defense, and the broader Tech sector. Healthcare providers are under fire due to genAI misuse, insecure cloud usage, and a lack of DLP enforcement. At the same time, cryptocurrency users and financial firms are frequent targets for Discord phishing, PDF malware, and Telegram-based stealers. Government agencies remain high-value espionage targets for APT28, APT37, Void Blizzard, and others, with operations leveraging spoofed military invites, OAuth tokens, and adversary-in-the-middle phishing. Developers and tech platforms are exposed through npm, PyPI, Golang, and VSCode supply chain compromises, as attackers exploit default templates and overlooked configuration risks.
The rise of malware-as-a-service (MaaS) operations like Golden Chickens and phishing kits like CoGUI illustrates how cybercrime is scaling faster than many defenses can adapt. AI compounds the risk in two ways: it is used to generate malicious content, and it hallucinates code dependencies that attackers then register and weaponize through slopsquatting. The boundary between nation-state espionage and financially motivated crime continues to blur, with dual-use malware, ransomware prep work, and deep persistence techniques appearing across sectors. As attackers increasingly use cloud platforms, AI assistants, and trusted services as part of their kill chains, defenders must rethink perimeter-based models and prioritize behavioral detection, access control, and real-time threat monitoring.
Key Trends Identified
- AI Agents Abuse in SharePoint Copilot: Copilot extracted sensitive data across restricted SharePoint files without leaving access logs.
- AI-Driven Ransomware Hits SMBs: Chimera malware used spoofed Slack messages and internal email to cripple businesses in hours.
- BitLocker Bypass Revived: Bitpixie (CVE-2023-21563) recovers the volume master key by PXE-booting a downgraded, vulnerable Windows boot manager that leaves the key in memory. It needs physical boot access to the device but no disassembly or TPM sniffing; devices protected by a pre-boot PIN are not affected.
- ClickFix Expands to Linux: APT36 now targets Windows and Linux users with platform-specific commands via fake Ministry of Defence portals.
- Cloud Exploitation via Gmail Tunnels: PyPI supply chain attack used Gmail’s SMTP service to exfiltrate data and execute remote commands.
- Chrome Tops Privacy Risk List: Chrome collects 20+ user data types, including payment data and full contact lists; privacy-first browsers collect near zero.
- GenAI Risks in Healthcare Soar: 90% of organizations in the Healthcare sector embed genAI tools into workflows, which raises compliance and data-leak risks.
- Host Header Injection Surges: Poor host header validation lets attackers hijack password resets, poison caches, and pivot through internal services.
- Phishing-as-a-Service Scale Exposed: LabHost enabled 10,000 users to impersonate 200+ brands, harvesting over 1M credentials and 500K credit cards.
- Stegomalware Delivers Ransomware: PowerShell payloads embedded in JPEG files bypass AV and execute in memory, staying off disk.
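The Host header item above describes the mechanism only in outline. The following added example (not code from the report; the allowlist, canonical hostname, and sample requests are constructed for illustration) shows the password-reset variant side by side with a hardened version: a link builder that trusts the request's Host or X-Forwarded-Host header will mail the victim a link to an attacker-controlled domain, so the reset token is delivered to the attacker when the victim clicks. The fix normalizes the header, rejects userinfo and suffix tricks, ignores X-Forwarded-Host unless a trusted proxy sets it, and refuses the request outright rather than falling back to the raw header.

```python
"""Password-reset link generation: trusting the Host header vs. validating it.

Added example, not code from the report. ALLOWED_HOSTS and the sample
requests are constructed for illustration.
"""
from __future__ import annotations

import re
import secrets
from urllib.parse import urlsplit

# Assumed deployment config: the only hostnames this application legitimately serves.
ALLOWED_HOSTS = {"app.example.com", "www.example.com"}

# Constructed sample requests (header dicts) as a client might send them.
SAMPLE_REQUESTS = [
    {"Host": "app.example.com"},                                       # legitimate
    {"Host": "evil.example"},                                          # attacker-supplied Host
    {"Host": "app.example.com", "X-Forwarded-Host": "evil.example"},   # forwarded-host override
    {"Host": "evil.example@app.example.com"},                          # userinfo trick
    {"Host": "app.example.com.evil.example"},                          # suffix trick
    {"Host": "App.Example.COM:443"},                                   # case + port, legitimate
]


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """Builds the link from whatever host the client claims.

    Many frameworks expose request.host this way by default. With
    Host: evil.example the victim receives https://evil.example/reset?token=...
    and hands the token to the attacker's server on click.
    """
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return f"https://{host}/reset?token={token}"


def _normalize_host(raw: str) -> str | None:
    """Return a lower-cased bare hostname, or None if the header is not one.

    Rejects userinfo (evil@good), path/query residue, and characters that do
    not belong in a hostname; strips an explicit port and a trailing dot.
    """
    parts = urlsplit("//" + raw.strip())
    if parts.username is not None or parts.password is not None:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    host = parts.hostname  # lower-cased, port removed
    if not host:
        return None
    host = host.rstrip(".")
    if not re.fullmatch(r"[a-z0-9.-]+", host):
        return None
    return host


def hardened_reset_link(headers: dict, token: str, behind_trusted_proxy: bool = False) -> str:
    """Builds the link only for a hostname on the allowlist.

    X-Forwarded-Host is honoured only when the app is deployed behind a proxy
    that is known to overwrite it; otherwise any client can set it.
    """
    raw = headers.get("Host", "")
    if behind_trusted_proxy and "X-Forwarded-Host" in headers:
        raw = headers["X-Forwarded-Host"]
    host = _normalize_host(raw)
    if host is None or host not in ALLOWED_HOSTS:
        # A real handler returns HTTP 400 here. Never fall back to the raw
        # header: rejecting early also keeps reflected hosts out of shared caches.
        raise ValueError(f"untrusted Host header: {raw!r}")
    return f"https://{host}/reset?token={token}"


def compare(headers: dict, token: str) -> tuple[str, str | None]:
    """Return (vulnerable link, hardened link or None when the request is rejected)."""
    vuln = vulnerable_reset_link(headers, token)
    try:
        safe: str | None = hardened_reset_link(headers, token)
    except ValueError:
        safe = None
    return vuln, safe


if __name__ == "__main__":
    token = secrets.token_urlsafe(16)
    for req in SAMPLE_REQUESTS:
        vuln, safe = compare(req, token)
        print(f"{req!s:<70} vulnerable -> {vuln}")
        print(f"{'':<70} hardened   -> {safe or 'REJECTED (400)'}")
```

Single-host deployments can go one step further and build e-mailed links from a configured canonical origin instead of any request header at all; the allowlist check is still worth keeping, because a rejected request is never rendered and therefore never cached with a poisoned host.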
Industries Targeted
- Defense & Government: Ongoing espionage from APT28, Void Blizzard, and UnsolicitedBooker targeting NATO, Ukraine, and South Asia.
- Financial Sector: CoGUI, ClickFix, and RATs deployed through PDF invoices and Discord phishing to steal funds and credentials.
- Healthcare: Malware delivered through GitHub and cloud storage; genAI misuse and DLP blind spots dominate risks.
- Retail & Logistics: Nebulous Mantis delivered RomCom to logistics companies through spoofed support portals and phishing lures.
- Software Development: Golang, Python, and npm hit by slopsquatting, fake dev tools, and malware in VSCode extensions.
- Technology: OneDrive OAuth, AWS Amplify, and Microsoft Copilot vulnerabilities elevate supply chain and SaaS risk.
Most Active Threat Actors
- APT37 (North Korea): “ToyBox Story” campaign delivered RoKRAT through lures spoofing South Korean think tanks and used Dropbox APIs for command and control.
- COLDRIVER (Russia): Moved from phishing to LOSTKEYS malware using ClickFix, targeting Western gov and military circles.
- Golden Chickens (eCrime): Released TerraStealerV2 and TerraLogger, focusing on browser data theft and Telegram-based exfiltration.
- Luna Moth (eCrime): Deployed AI chatbots in fake IT portals to socially engineer remote access into law firms and finance.
- Nebulous Mantis (Russia): Ran RomCom campaigns using fake customer support forms and IPFS to target national infrastructure.
- UnsolicitedBooker (China): MarsSnake backdoor used in persistent espionage against Saudi-based diplomatic entities.
Vulnerability Asset Management
The Hidden Time Bomb: Why End-of-Life Software Poses Critical Cybersecurity Risks
Many organizations continue operating end-of-life software, creating exploitable vulnerabilities that attackers increasingly target. Recent incidents highlight this crisis, including ransomware attacks exploiting unpatched Windows Server 2012/R2 systems after their 2023 end-of-support. The approaching Windows 10 end-of-support in October 2025 will leave enterprise workstations without security patches, creating widespread vulnerability exposure across organizational endpoints. This transition affects organizations still running Windows 10 on millions of devices that may not meet Windows 11 hardware requirements, forcing difficult decisions between costly hardware upgrades, extended support contracts, or accepting unpatched systems. For government agencies and DoD contractors, end-of-life software conflicts with CMMC 2.0 flaw-remediation requirements (known vulnerabilities in unsupported products can no longer be remediated by patching) and jeopardizes contract eligibility. Attackers rapidly exploit vulnerabilities in unsupported software, while organizations often discover these systems only after incidents occur.
Unsupported software creates cascading business risks beyond missing patches. Security vulnerabilities accumulate without remediation, while compatibility issues with modern security tools create defense blind spots. This problem intensifies because, while new vulnerabilities capture headlines and immediate security attention, attackers predominantly exploit older, well-documented vulnerabilities, precisely those accumulating in end-of-life systems. Legacy software becomes a target-rich environment where known attack vectors remain permanently unpatched, giving adversaries reliable entry points that security teams cannot address through traditional patch management. These weaknesses trigger regulatory violations, particularly for FedRAMP, CMMC 2.0, and government contracts requiring supported software. Cyber insurers increasingly exclude coverage for end-of-life software breaches, exposing organizations financially. Business continuity suffers through unexpected failures, compatibility issues, and the inability to integrate with modern systems. Even nominally "air-gapped" legacy systems pose risk: once reached through removable media or an overlooked network path, they offer attackers a durable foothold for persistence and lateral movement.
Strategic end-of-life software management avoids costly emergency migrations. Start with comprehensive software discovery and lifecycle tracking to identify at-risk systems before support ends, and treat any product whose lifecycle is unknown as a finding in its own right. Prioritize risks by evaluating business criticality, network exposure, and available alternatives. Plan phased migrations with testing, training, and rollback procedures to ensure continuity. Select vendors with strong support records, clear lifecycle policies, and alignment with cloud-native and zero-trust trends. Organizations that treat software modernization as a strategic investment rather than an expense demonstrate stronger security, operational efficiency, and digital transformation capability, and maintaining a modern, supported environment is what leaves room for innovation.
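The discovery-and-prioritization steps above are easy to state and easy to skip. The following added example (not code from the report) applies them to a constructed inventory: each asset is checked against a vendor end-of-support table, flagged as end-of-life, approaching end-of-life, supported, or of unknown lifecycle, and scored by criticality and internet exposure so the remediation queue starts with the systems an attacker would reach first. The only real dates in the table are the Windows Server 2012/R2 (2023-10-10), Windows 10 (2025-10-14), and Windows Server 2019 (2029-01-09) end-of-support dates; the asset names, the 1-5 criticality scale, and the score weights are assumptions for illustration, and an ESU contract halves the score rather than clearing it, because paid extended support defers the problem without solving it.

```python
"""Flag end-of-life software in an asset inventory and rank it for remediation.

Added example, not code from the report. The inventory rows, the criticality
scale, and the scoring weights are constructed; the EOL dates are the vendor's.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Vendor end-of-support dates for products named in the report (plus one supported
# baseline). Anything missing from this table is reported as "unknown", which is a
# discovery gap to close, not a pass.
EOL_DATES: dict[str, date] = {
    "Windows Server 2012": date(2023, 10, 10),
    "Windows Server 2012 R2": date(2023, 10, 10),
    "Windows 10": date(2025, 10, 14),
    "Windows Server 2019": date(2029, 1, 9),
}

# Assumed scoring weights: status sets the base, exposure and criticality add to it.
BASE_SCORE = {"eol": 40, "eol-soon": 20, "unknown": 15, "supported": 0}
EXPOSED_BONUS = 30
CRITICALITY_WEIGHT = 10


@dataclass
class Asset:
    hostname: str
    product: str
    internet_exposed: bool
    criticality: int          # assumed scale: 1 (low) .. 5 (crown jewel)
    esu_contract: bool = False  # paid Extended Security Updates in place


@dataclass
class Finding:
    hostname: str
    product: str
    status: str               # "eol" | "eol-soon" | "supported" | "unknown"
    days_to_eol: int | None
    score: int


def lifecycle_status(product: str, today: date, warn_days: int = 180) -> tuple[str, int | None]:
    """Classify a product's support status as of `today`."""
    eol = EOL_DATES.get(product)
    if eol is None:
        return "unknown", None
    days = (eol - today).days
    if days < 0:
        return "eol", days
    if days <= warn_days:
        return "eol-soon", days
    return "supported", days


def risk_score(asset: Asset, status: str) -> int:
    """Higher is worse. Supported software scores 0 regardless of exposure."""
    base = BASE_SCORE[status]
    if base == 0:
        return 0
    score = base + CRITICALITY_WEIGHT * asset.criticality
    if asset.internet_exposed:
        score += EXPOSED_BONUS
    if asset.esu_contract and status == "eol":
        score //= 2  # ESU buys time, not a remediation
    return score


def triage(assets: list[Asset], today: date) -> list[Finding]:
    """Return findings ordered by descending score (ties broken by hostname)."""
    findings = []
    for a in assets:
        status, days = lifecycle_status(a.product, today)
        findings.append(Finding(a.hostname, a.product, status, days, risk_score(a, status)))
    findings.sort(key=lambda f: (-f.score, f.hostname))
    return findings


# Constructed inventory, as a CMDB or discovery scan might export it.
SAMPLE_INVENTORY = [
    Asset("web-legacy-01", "Windows Server 2012 R2", internet_exposed=True, criticality=4),
    Asset("dc01", "Windows Server 2012 R2", internet_exposed=False, criticality=5, esu_contract=True),
    Asset("ws-finance-17", "Windows 10", internet_exposed=False, criticality=3),
    Asset("app-02", "Windows Server 2019", internet_exposed=True, criticality=4),
    Asset("hmi-plant-3", "VendorHMI 4.2", internet_exposed=False, criticality=5),  # lifecycle not tracked
]

if __name__ == "__main__":
    as_of = date(2025, 5, 31)  # end of the reporting month
    for f in triage(SAMPLE_INVENTORY, as_of):
        days = "n/a" if f.days_to_eol is None else f.days_to_eol
        print(f"{f.score:>4}  {f.status:<9} {f.hostname:<16} {f.product:<24} days_to_eol={days}")
```

Run as of the end of May 2025, the exposed 2012 R2 web host lands at the top, the unknown-lifecycle HMI outranks the Windows 10 workstation (a supported-until-October desktop is a known quantity; an untracked plant controller is not), and the ESU-covered domain controller drops below both while still staying on the list.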
Hunter Insights
The May 2025 threat landscape reveals a concerning maturation of cybercrime infrastructure: nation-state techniques are commoditizing through MaaS platforms, putting advanced persistent threat tradecraft within reach of smaller actors at scale. The convergence of AI-generated content, trusted platform abuse (Gmail SMTP tunneling, OAuth token manipulation), and OS-agnostic attack vectors means that perimeter defenses and signature-based detection are no longer sufficient on their own. Looking ahead, expect "living off the cloud" attacks to accelerate, with threat actors relying exclusively on legitimate SaaS platforms for command and control, which makes both attribution and detection harder. The healthcare sector's 90% genAI adoption rate without corresponding security controls foreshadows a potential crisis in which AI assistants become both attack vectors and inadvertent data exfiltration tools. At the same time, the blurring lines between espionage and cybercrime suggest that ransomware operations will increasingly incorporate nation-state tradecraft for initial access and persistence. Organizations must prepare for a shift toward zero-trust architectures backed by behavioral analytics and real-time monitoring, because in cloud-native environments where legitimate services become the primary attack infrastructure, the traditional distinction between internal and external threats no longer holds.