Malware Activity
How Malicious Actors Exploit Common Tools for Stealthy Attacks
Cybercriminals and state-sponsored actors are increasingly leveraging everyday tools such as web browsers and Google Calendar to bypass traditional security controls. Recent reporting describes Browser-in-the-Middle (BitM) attacks, in which the victim is lured into signing in through a browser that the attacker hosts and streams to them; the authenticated session, including one completed with MFA, is created on the attacker's side and can be reused without the victim's password. Separately, APT41 has been observed abusing Google Calendar for covert command-and-control (C2), reading tasking from and writing results to calendar events so that its traffic blends into legitimate Google API activity. These tactics illustrate a shift toward using trusted platforms and the browser itself, rather than software exploits, to conduct espionage and data theft, and they underline the need for organizations to bolster defenses such as phishing-resistant authentication and monitoring of outbound traffic to trusted SaaS domains. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- TheHackerNews: How Browser in Middle Attacks Steal Sessions article
- BleepingComputer: APT41 Malware Abuses Google Calendar for Stealthy C2 Communication article
- TheHackerNews: Chinese APT41 Exploits Google Calendar article
Threat Actor Activity
Newly Discovered Russian Cyberspies Linked to 2024 Dutch Police Hack and Other “Worldwide Cloud Abuse”
Void Blizzard, also known as Laundry Bear, is a Russian-affiliated cyberespionage group active since at least April 2024. It targets organizations aligned with Russian strategic interests, focusing on government, defense, transportation, media, NGOs, and healthcare in Europe and North America. Its operations are opportunistic and high-volume, aimed at collecting intelligence, particularly from NATO member states and Ukraine.

Void Blizzard relies on unsophisticated initial-access techniques: password spraying and stolen credentials, often purchased from online criminal marketplaces. With a valid account, the group signs in to Exchange Online and SharePoint Online and harvests large volumes of email and files, and it uses tools such as AzureHound to enumerate the compromised organization's Microsoft Entra ID configuration.

More recently the group has shifted to stealing passwords directly through spear-phishing emails that lead to adversary-in-the-middle (AitM) landing pages. These emails impersonate legitimate entities and use typosquatted domains to capture login information; the group has targeted over twenty (20) NGOs in Europe and the US with phishing pages hosted on domains such as "micsrosoftonline[.]com." Void Blizzard's activity overlaps with that of other Russian state actors, including Forest Blizzard, Midnight Blizzard, and Secret Blizzard, indicating shared espionage objectives.

In September 2024 the group breached a Dutch police employee's account using a pass-the-cookie attack (replaying a stolen session cookie, which bypasses both the password and the MFA prompt), obtaining work-related contact information. The Netherlands Defence Intelligence and Security Service (MIVD) linked this breach to Void Blizzard and warned that other Dutch organizations may be targeted. The group's collection priorities include military equipment purchases and Western weapon supplies to Ukraine.
Void Blizzard's ongoing activities pose significant risks to critical sectors in NATO member states.
- Bleeping Computer: Laundry Bear Article
- The Hacker News: Void Blizzard Article
- The Record: Laundry Bear Article
Vulnerabilities
DragonForce Ransomware Group Exploits Critical Vulnerabilities in SimpleHelp to Steal Data
The DragonForce ransomware operation has rapidly emerged as a significant threat actor by exploiting three (3) critical vulnerabilities in the SimpleHelp remote monitoring and management (RMM) platform (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, disclosed and patched in January 2025 in SimpleHelp 5.3.9, 5.4.10, and 5.5.8) to breach a Managed Service Provider (MSP) and launch downstream attacks on its customers. Sophos, which investigated the incident, found that DragonForce used the MSP's legitimate SimpleHelp infrastructure to perform reconnaissance, exfiltrate data, and deploy ransomware encryptors, resulting in double-extortion attacks. One client blocked the intrusion, but others suffered widespread impact, with stolen data and encrypted systems. The incident highlights the growing threat posed by ransomware groups targeting MSP supply chains to achieve broad reach through a single trusted tool; MSPs and their customers should confirm that RMM servers are on a patched version, restrict who and what can reach the RMM console, and monitor for unusual RMM sessions, file transfers, and script execution. DragonForce, already notorious for recent high-profile attacks on UK retailers such as Marks & Spencer and Co-op, is positioning itself as a ransomware "cartel" by offering a white-label ransomware-as-a-service (RaaS) model that lets affiliates rebrand its encryptor. The group's rise has coincided with a volatile ransomware ecosystem marked by turf wars, the collapse and partial resurgence of LockBit, and growing collaboration with other cybercriminal factions such as Scattered Spider, which may act as initial access brokers. These developments signal a shift toward more decentralized, affiliate-driven ransomware operations that increasingly rely on social engineering, legitimate remote access tools, and AI to sustain stealthy, scalable attacks. CTIX analysts will continue to report on the exploitation of vulnerabilities by threat actors in the future.
📧 Never Miss a Briefing
Stay informed and secure. Subscribe to Ankura's Cyber Flash Update, a bi-weekly briefing curated by our top cybersecurity experts. Receive timely insights on emerging threats, vulnerabilities and malicious actors to keep your systems secure.
Join the Cyber Flash Update community today.

© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.