Svoboda Cybersecurity Brief May 23, 2025
DanaBot Malware Operators Charged After Infecting 300,000 Systems
The U.S. DOJ unsealed charges against 16 individuals linked to the DanaBot malware-as-a-service platform, which infected over 300,000 systems globally, causing $50M+ in damages. The malware stole credentials, hijacked banking sessions, and facilitated ransomware. A separate espionage-focused variant targeted military and government entities.
Impact: Credential theft, financial fraud, and espionage.
Mitigation: Seizure of C2 servers; victims advised to check for infections via Shadowserver Foundation.
Source: DataBreaches.net
Qakbot Leader Indicted After $24M Cryptocurrency Seizure
Russian national Rustam Gallyamov, leader of the Qakbot botnet, was indicted for enabling ransomware attacks (Conti, REvil, Black Basta) via initial access brokerage. The DOJ seized $24M in crypto and disrupted the botnet in 2023, but Gallyamov continued attacks via spam bombs in 2025.
Impact: 10M+ infections, $58M+ in damages.
Mitigation: Law enforcement takedown of infrastructure; organizations should monitor for spam bomb attacks.
Source: BleepingComputer
Chinese Hackers Exploit Ivanti EPMM Zero-Day for Espionage
UNC5221 exploited CVE-2025-4428 (RCE) in Ivanti EPMM to target healthcare, telecom, and government sectors. Attackers deployed KrystyLoader and exfiltrated LDAP/Office 365 tokens via compromised AWS S3 buckets.
Impact: Data theft, lateral movement, and persistent access.
Mitigation: Patch Ivanti EPMM; monitor for suspicious AWS S3 traffic.
Source: The Hacker News
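The mitigation above asks defenders to watch for suspicious S3 traffic from EPMM hosts. As an added example (not from the article, Ivanti or the Hacker News piece), the script below scans outbound proxy log lines for virtual-hosted-style S3 hostnames and flags any bucket that is not on an organisation's allowlist. The log format, host names, bucket names and the allowlist are all constructed for the demo; adapt the regexes to your own proxy or VPC flow log layout.

```python
import re
from collections import defaultdict

# Constructed sample of outbound proxy log lines: "<ts> <src host> CONNECT <dst>:<port> <status>".
# These are made-up records, not real traffic or real bucket names.
SAMPLE_LOGS = """\
2025-05-22T10:15:03Z epmm01 CONNECT corp-backups.s3.amazonaws.com:443 200
2025-05-22T10:16:41Z epmm01 CONNECT updates.ivanti.com:443 200
2025-05-22T10:17:09Z epmm01 CONNECT x7q2-drop.s3.eu-west-1.amazonaws.com:443 200
2025-05-22T10:18:55Z web03 CONNECT corp-backups.s3.amazonaws.com:443 200
2025-05-22T10:19:30Z epmm01 CONNECT x7q2-drop.s3.eu-west-1.amazonaws.com:443 200
"""

# Buckets this organisation legitimately talks to (assumed allowlist for the demo).
ALLOWED_BUCKETS = {"corp-backups"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) CONNECT (?P<dst>[^:\s]+):(?P<port>\d+) (?P<status>\d+)$"
)
# Virtual-hosted-style S3 names: <bucket>.s3.amazonaws.com or <bucket>.s3.<region>.amazonaws.com
S3_HOST_RE = re.compile(r"^(?P<bucket>[a-z0-9.-]+)\.s3(?:\.[a-z0-9-]+)?\.amazonaws\.com$")


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def s3_bucket(host):
    """Return the bucket name if host is an S3 virtual-hosted endpoint, else None."""
    m = S3_HOST_RE.match(host)
    return m.group("bucket") if m else None


def find_unexpected_s3(log_text, allowed=ALLOWED_BUCKETS):
    """Return {(src_host, bucket): hit_count} for S3 buckets outside the allowlist."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        bucket = s3_bucket(rec["dst"])
        if bucket and bucket not in allowed:
            hits[(rec["src"], bucket)] += 1
    return dict(hits)


if __name__ == "__main__":
    for (src, bucket), n in sorted(find_unexpected_s3(SAMPLE_LOGS).items()):
        print(f"ALERT {src} -> unlisted S3 bucket '{bucket}' ({n} connections)")
```

Run on the constructed sample, only the unlisted bucket contacted by the EPMM host is reported; the known backup bucket and the vendor update host are ignored. Pairing the alert with the source host matters here, since S3 traffic from a web server may be routine while the same traffic from a mobile device management appliance is not.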
Opexus Breach by Convicted Hackers Compromised Federal Data
Twin brothers Muneeb and Suhaib Akhter, previously convicted of hacking the State Department, breached Opexus (a federal contractor), deleting databases containing IRS and GSA data. The attack exploited insider access and poor security controls.
Source: DataBreaches.net
VanHelsing Ransomware Builder Leaked on Hacking Forum
The VanHelsing ransomware group leaked its source code (encryptor, affiliate panel) on RAMP after a developer attempted to sell it. The leak may lead to copycat attacks.
Impact: Lowered barrier for ransomware deployment.
Mitigation: Monitor for VanHelsing 2.0 variants; block known IOCs.
Source: DataBreaches.net
Fake Ledger Apps Steal Crypto Seed Phrases on macOS
Attackers used trojanized Ledger Live clones (e.g., “Odyssey” stealer) to phish 24-word seed phrases via fake error messages. The malware exfiltrates data to C2 servers.
Impact: Cryptocurrency wallet compromise.
Mitigation: Download apps only from official sources; never enter seed phrases outside hardware wallets.
Source: BleepingComputer
Unpatched Versa Concerto Flaws Allow Host Takeover
Three flaws (CVE-2025-34027, CVE-2025-34026, CVE-2025-34025) in Versa’s SD-WAN platform enable RCE via LD_PRELOAD and Docker escape. No patch available despite disclosure in February 2025.
Impact: Full host compromise.
Mitigation: Block semicolons in URLs; restrict Traefik proxy headers.
Source: The Hacker News
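The interim mitigations above are stated only as "block semicolons in URLs; restrict Traefik proxy headers". As an added example (not Versa's, Traefik's or the article's code), the following edge filter shows a generic way to apply both: it rejects any request whose path contains a semicolon, including percent-encoded and double-encoded forms that a naive string check would miss, and it drops client-supplied proxy headers so only the reverse proxy's own values reach the backend. The header list and the decode depth are assumptions chosen for the demo, not values from the advisory.

```python
from urllib.parse import unquote

# Headers a client must not be allowed to inject directly; the reverse proxy
# is expected to set these itself. Assumed list, not from the advisory.
PROXY_HEADERS = {"x-forwarded-for", "x-forwarded-host", "x-forwarded-proto", "x-real-ip"}


def decode_fully(path, max_rounds=3):
    """Percent-decode repeatedly so %3B and %253B both collapse to ';'."""
    prev = None
    for _ in range(max_rounds):
        if path == prev:
            break
        prev, path = path, unquote(path)
    return path


def path_is_clean(path):
    """True when no semicolon survives in the fully decoded path."""
    return ";" not in decode_fully(path)


def filter_request(method, path, headers):
    """Return (allowed, sanitized_headers, reason) for one inbound request."""
    if not path_is_clean(path):
        return False, {}, "semicolon in request path"
    cleaned = {k: v for k, v in headers.items() if k.lower() not in PROXY_HEADERS}
    return True, cleaned, ""


if __name__ == "__main__":
    # Constructed sample requests for the demo.
    samples = [
        ("GET", "/api/status", {"Host": "concerto.example", "X-Forwarded-For": "203.0.113.5"}),
        ("GET", "/api/status;x=1", {"Host": "concerto.example"}),
        ("GET", "/api/status%253Bx=1", {"Host": "concerto.example"}),
    ]
    for method, path, hdrs in samples:
        ok, clean, why = filter_request(method, path, hdrs)
        print(f"{method} {path}: {'allow' if ok else 'deny (' + why + ')'} headers={clean}")
```

A check like this belongs at the proxy or WAF in front of the appliance rather than in the appliance itself, so it holds regardless of whether the backend has been patched. The repeated decode is the part worth keeping: a filter that only looks for a literal `;` can be bypassed by encoding the character once more than the filter decodes.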
UK Domestic Abuse Survivors’ Addresses at Risk After Legal Aid Breach
Cybercriminals may publish confidential addresses of abuse survivors from the UK Legal Aid Agency’s breached database. The government confirmed data was exfiltrated in 2025.
Source: DataBreaches.net
Texas Doctor Sentenced for $118M Insurance Fraud Scheme
Jorge Zamora-Quezada falsified rheumatoid arthritis diagnoses to bill insurers for unnecessary treatments, harming patients with toxic medications. Forfeited assets include a jet and a Maserati.
Source: DataBreaches.net
Signal Blocks Microsoft Recall from Capturing Chats
Signal’s Windows app now enables DRM-based “screen security” by default to block Recall’s screenshot feature, citing privacy risks. Users can disable it but lose protection.
Source: BleepingComputer