
Ankura CTIX FLASH Update - May 2, 2025

Malware Activity


Cyber Threats Evolve: From IPv6 Exploits to International Espionage Campaigns

Recent cybersecurity developments reveal a complex landscape of cyber threats exploiting advanced techniques and geopolitical tensions. Hackers are abusing IPv6 networking features to hijack software updates, potentially allowing them to distribute malicious code and compromise affected systems. By manipulating IPv6 autoconfiguration, attackers can redirect legitimate update traffic, making the malicious activity difficult for users to detect. This abuse poses a significant security risk as IPv6 adoption accelerates globally, with many organizations and devices increasingly relying on IPv6 for connectivity. Meanwhile, companies across various sectors in Eastern Europe, Eurasia, and Russia have been targeted in a large-scale phishing campaign delivering the sophisticated DarkWatchman malware, which is capable of keylogging and system information theft while evading detection. The attacks, attributed to the financially motivated Hive0117 group, have affected entities in Russia, Lithuania, Estonia, and Kazakhstan, with recent efforts using password-protected archives and courier-themed lures. On the geopolitical front, a sophisticated Chinese threat actor known as APT27 employs a tool called "In The Middle" to facilitate its cyber espionage activities. This adversary demonstrates advanced capabilities, including targeted malware deployment and strategic use of proxy servers to mask its operations and evade detection. Researchers highlight how APT27's techniques underscore the growing sophistication of Chinese cyber espionage efforts, emphasizing the need for robust defense mechanisms. Additionally, TheWizards, a China-aligned APT group, has developed Spellbinder, a tool that facilitates lateral movement and Man-in-the-Middle attacks via IPv6 SLAAC spoofing, enabling hijacking of software update processes like those of Sogou Pinyin and Tencent QQ to deliver malicious payloads such as the WizardNet backdoor.
Since at least 2022, TheWizards has abused these update mechanisms to deploy malware against sectors in Asia, using DNS hijacking to intercept and redirect legitimate updates. Their arsenal also includes DarkNights, linked to another Chinese threat group and supported by a Chinese security contractor, pointing to a complex cyber-espionage network targeting popular Chinese platforms and sectors. These campaigns underscore a rising trend of automated supply-chain and espionage tactics targeting critical infrastructure and technology sectors, and the urgent need for robust, adaptive cybersecurity defenses to counter increasingly sophisticated and state-sponsored threats. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
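The SLAAC spoofing described above works by sending rogue ICMPv6 Router Advertisements whose RDNSS option hands out an attacker-controlled resolver, so update-server lookups can be redirected. As an added defender-side example (not part of the original briefing or of any vendor tooling), the following parses a raw RA body and flags advertisements from an unknown gateway or carrying an unexpected resolver; the trusted MAC and resolver, and the sample packet, are constructed placeholders.

```python
import struct
import ipaddress

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_RDNSS = 25  # Recursive DNS Server option (RFC 8106), abused to push a rogue resolver

def parse_router_advertisement(payload: bytes) -> dict:
    """Parse an ICMPv6 RA body (from the type byte) into header fields plus RDNSS servers."""
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    hop_limit, _flags, router_lifetime = struct.unpack("!BBH", payload[4:8])
    ra = {"hop_limit": hop_limit, "router_lifetime": router_lifetime, "rdnss": []}
    offset = 16  # options start after the fixed 16-byte RA header
    while offset + 2 <= len(payload):
        opt_type, opt_len = payload[offset], payload[offset + 1]
        if opt_len == 0:  # RFC 4861: a zero-length option means discard the packet
            raise ValueError("zero-length option")
        end = offset + opt_len * 8
        if end > len(payload):
            raise ValueError("truncated option")
        if opt_type == OPT_RDNSS:  # type, len, reserved(2), lifetime(4), then 16-byte addresses
            body = payload[offset + 8:end]
            for i in range(0, len(body) - 15, 16):
                ra["rdnss"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        offset = end
    return ra

def find_rogue_ra(src_mac: str, payload: bytes, trusted_routers: set, trusted_dns: set) -> list:
    """Return reasons this RA looks like SLAAC/RDNSS spoofing; an empty list means clean."""
    ra = parse_router_advertisement(payload)
    findings = []
    if src_mac.lower() not in trusted_routers:
        findings.append(f"RA from untrusted source {src_mac}")
    for dns in ra["rdnss"]:
        if dns not in trusted_dns:
            findings.append(f"RDNSS advertises unexpected resolver {dns}")
    return findings

# Constructed sample: hop limit 64, router lifetime 1800, one RDNSS option (len 3 = 24 bytes)
SAMPLE_RA = (
    struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    + struct.pack("!BBHI", OPT_RDNSS, 3, 0, 3600)
    + ipaddress.IPv6Address("2001:db8::bad").packed  # resolver in the documentation prefix
)
TRUSTED_ROUTERS = {"00:11:22:33:44:55"}  # placeholder for the real gateway's MAC
TRUSTED_DNS = {"2001:db8::53"}           # placeholder for the real corporate resolver

if __name__ == "__main__":
    for finding in find_rogue_ra("de:ad:be:ef:00:01", SAMPLE_RA, TRUSTED_ROUTERS, TRUSTED_DNS):
        print("ALERT:", finding)
```

In practice the RA bytes would come from a packet capture or a switch's RA-guard logs; the same check also applies to RAs that carry no RDNSS option but come from an unlisted source MAC.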


Threat Actor Activity


RansomHub Operation Has Been Dark for a Month, with Affiliates Migrating to Other Services

RansomHub's online infrastructure mysteriously went offline on April 1, 2025, causing uncertainty among its affiliates. This disruption has led many affiliates to migrate to Qilin, whose data leak site has seen increased activity. RansomHub, which emerged in February 2024, had become prominent by replacing LockBit and BlackCat, attracting affiliates like Scattered Spider and Evil Corp with lucrative payment schemes. The operation featured a multi-platform encryptor effective on various architectures, avoiding targets in CIS countries, Cuba, North Korea, and China. Affiliates were provided tools like the "Killer" module, although it was discontinued due to detection issues. Attacks have leveraged the JavaScript malware SocGholish to deploy Python-based backdoors linked to RansomHub affiliates. On November 25, 2024, a note warned affiliates against targeting government institutions due to high risks. The infrastructure downtime has led to "affiliate unrest," with DragonForce claiming that RansomHub has migrated to its systems. It should be noted that DragonForce recently rebranded as a "cartel," allowing affiliates to create their own brands, in contrast to traditional RaaS models. This offers infrastructure and tools without requiring the use of DragonForce's ransomware. Reports circulated of RansomHub's possible shutdown or rebrand due to member departures, with former affiliates joining other groups like VanHelsing and RansomBay, which now run on DragonForce systems. There are many differing models and approaches threat actors will adopt to stay competitive and successful in the cybercriminal marketplace. New ransomware actors like Anubis and ELENOR-corp have emerged, showcasing novel tactics and targeting high-risk industries like healthcare. Anubis uses a "data ransom" method, threatening regulatory disclosures, while ELENOR-corp employs advanced anti-forensic measures. The landscape is characterized by innovation and adaptability in response to law enforcement pressures.
Other groups like CrazyHunter, Elysium, FOG, Hellcat, Hunters International, Interlock, and Qilin demonstrate diverse strategies in deploying ransomware, leveraging techniques such as zero-day exploits, phishing, and sophisticated social engineering.


Vulnerabilities


Hackers Exploit Critical Microsoft Azure Zero-Day Vulnerability

An unknown nation-state threat actor exploited CVE-2025-3928, a critical remote code execution vulnerability (CVSS 8.7/10), to breach Commvault's Microsoft Azure environment and deploy webshells, although Commvault confirmed no unauthorized access to customer backup data or material business impact. The vulnerability, which affects Commvault software versions prior to 11.36.46, 11.32.89, 11.28.141, and 11.20.217, was initially exploited as a zero-day before being patched in late February 2025. Commvault learned of the intrusion from Microsoft on February 20, 2025, and has since rotated credentials, improved security monitoring, and notified authorities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-3928 to its Known Exploited Vulnerabilities (KEV) catalog, requiring agencies to patch by no later than May 19, 2025. Commvault is working closely with impacted customers and has published indicators of compromise (IoCs), including five (5) attacker IP addresses, urging users to block these, apply Conditional Access policies to Microsoft services, rotate secrets every 90 days, and closely monitor Azure sign-ins to detect any unauthorized access attempts. CTIX analysts urge all administrators to patch this vulnerability and follow the defensive guidance immediately to prevent future exploitation.
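Two of the actions above lend themselves to a quick script: checking whether an installed Commvault build falls below the fixed build for its feature release, and sweeping Azure sign-in records for the published attacker IPs. The following is an added example, not Commvault's or Microsoft's own tooling; it assumes the per-feature-release reading of the version list (11.32.x is fixed at 11.32.89, and so on), uses the Microsoft Graph signIn field names, and substitutes a documentation-range placeholder for the real IoC addresses, which must be taken from Commvault's advisory.

```python
import ipaddress
import json

# Fixed builds from the advisory; an install is affected when it is older than the
# fixed build for its own feature release (the first two version components).
FIXED_VERSIONS = ("11.36.46", "11.32.89", "11.28.141", "11.20.217")

def _parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))

def is_vulnerable_to_cve_2025_3928(version: str):
    """True/False for a feature release on the fixed list; None if the release is not
    listed, meaning it needs manual review against the vendor advisory."""
    installed = _parse_version(version)
    for fixed in map(_parse_version, FIXED_VERSIONS):
        if installed[:2] == fixed[:2]:
            return installed < fixed
    return None

def flag_signins_from_iocs(signin_log_lines, ioc_networks):
    """Return (user, ip, time) for sign-in records whose client IP falls in an IoC network."""
    networks = [ipaddress.ip_network(n) for n in ioc_networks]
    hits = []
    for line in signin_log_lines:
        record = json.loads(line)
        client_ip = ipaddress.ip_address(record["ipAddress"])
        if any(client_ip in net for net in networks):
            hits.append((record["userPrincipalName"], record["ipAddress"], record["createdDateTime"]))
    return hits

# Constructed sample sign-in records (Microsoft Graph signIn field names) and a
# placeholder IoC list in the documentation range; substitute Commvault's published IPs.
SAMPLE_SIGNINS = [
    '{"createdDateTime": "2025-02-19T22:41:10Z", "userPrincipalName": "ops@example.com", "ipAddress": "203.0.113.20"}',
    '{"createdDateTime": "2025-02-20T03:14:00Z", "userPrincipalName": "svc-backup@example.com", "ipAddress": "198.51.100.7"}',
]
IOC_NETWORKS = ["198.51.100.0/24"]  # placeholder, not the real indicators

if __name__ == "__main__":
    for build in ("11.32.80", "11.36.46", "11.24.10"):
        print(build, "vulnerable:", is_vulnerable_to_cve_2025_3928(build))
    for hit in flag_signins_from_iocs(SAMPLE_SIGNINS, IOC_NETWORKS):
        print("ALERT sign-in from IoC:", hit)
```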


© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
