March 03, 2025 Cyber Threat Intelligence Briefing

Mar 3, 2025

This week’s briefing covers:

00:00 - Intro and Situational Awareness

KTA080 (CL0P) Update
KTA080 has released the names of the previously redacted victim organizations ranging from E-H. Additionally, KTA080 has identified 183 victims’ organization names broadly covering H-W.

KTA374 (Salt Typhoon) Telecoms Targeting Update
Cisco Talos has released further information on the targeting of telecoms organizations identified in late 2024, including details of the threat actor's heavy reliance on living-off-the-land techniques.

Attackers Steal Record $1.46 billion From Bybit ETH Cold Wallet
On 21st February 2025, cryptocurrency exchange Bybit disclosed the theft of more than $1.46 billion worth of cryptocurrency from one of its cold wallets in the largest cryptocurrency hack ever, almost doubling the $620 million stolen from Sky Mavis in March 2022.

3:01 [CAMPAIGN] KTA071 (Lazarus) Attack on Bybit
Key Takeaways

  • KTA071 (Lazarus) was attributed to stealing approximately $1.5 billion worth of Ethereum from Bybit.
  • The attack started from third-party infrastructure, Safe{Wallet}, which manages the smart-contract system.
  • Malicious JavaScript was used to manipulate a transaction, causing the currency to be sent to an adversary-controlled address.

6:03 [CAMPAIGN] KTA405 (Silver Fox) Targets Medical Software in Malware Campaign
Key Takeaways

  • KTA405 disguised malware as medical software.
  • The execution of the disguised malware triggers a multistage infection chain leading to VALLEYRAT.
  • The malware adds several directories to the Microsoft Defender exclusions list.
  • The malware attempts to terminate security software using TrueSightKiller.
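Exclusion additions such as those described above leave a trail: each configuration change is written to the Microsoft-Windows-Windows Defender/Operational log as Event ID 5007, with the new exclusion named in the "New value:" line. The following is an added example (not code from the briefing or from Kroll) that triages such messages: it extracts path, process and extension exclusions, ranks them by how much scanning coverage they remove (whole-drive and user-writable locations score highest), and flags hosts where several exclusions land within a few minutes, the pattern a dropper produces. The hostnames, timestamps and message bodies are constructed sample data.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Defender logs Event ID 5007 ("configuration has changed") whenever a setting is
# modified; an exclusion being added appears as a "New value:" line naming the
# Exclusions registry key. This regex pulls the exclusion kind and value out of it.
EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Processes|Extensions)\\(?P<value>.+?)\s*=\s*0x0",
    re.IGNORECASE | re.DOTALL,
)

# Roots a legitimate administrator rarely excludes wholesale but malware commonly does.
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\temp\\")


@dataclass
class ExclusionEvent:
    host: str
    ts: datetime
    kind: str      # Paths | Processes | Extensions
    value: str     # the excluded path, process image or extension
    severity: str  # medium | high | critical


def score_exclusion(kind: str, value: str) -> str:
    """Rank an exclusion by how much scanning coverage it removes."""
    v = value.strip().lower()
    if kind.lower() == "paths":
        if re.fullmatch(r"[a-z]:\\?", v):        # an entire drive is excluded
            return "critical"
        if v.startswith(USER_WRITABLE_ROOTS):    # anywhere an unprivileged user can drop files
            return "high"
        return "medium"
    if kind.lower() == "processes":              # files opened by this process are never scanned
        return "high"
    return "medium"                              # extension exclusions


def parse_event(host: str, ts: str, message: str) -> Optional[ExclusionEvent]:
    """Return an ExclusionEvent if this 5007 message records an exclusion being added."""
    m = EXCLUSION_RE.search(message)
    if not m:
        return None  # some other Defender setting changed; out of scope here
    kind, value = m.group("kind"), m.group("value").strip()
    return ExclusionEvent(host, datetime.fromisoformat(ts), kind, value, score_exclusion(kind, value))


def find_bursts(events, window=timedelta(minutes=5), min_count=3):
    """Per host, report the densest run of exclusions if it reaches min_count inside `window`."""
    by_host = {}
    for e in sorted(events, key=lambda e: (e.host, e.ts)):
        by_host.setdefault(e.host, []).append(e)
    bursts = []
    for host, evs in by_host.items():
        best = []
        for i, first in enumerate(evs):
            run = [e for e in evs[i:] if e.ts - first.ts <= window]
            if len(run) > len(best):
                best = run
        if len(best) >= min_count:
            bursts.append((host, best))
    return bursts


def analyse(records):
    """records: iterable of (host, ISO timestamp, 5007 message text)."""
    events = [e for e in (parse_event(*r) for r in records) if e]
    return {"exclusions": events, "bursts": find_bursts(events)}


def _msg(new_value: str) -> str:
    """Build a 5007-style message body around a constructed 'New value' line."""
    return ("Microsoft Defender Antivirus Configuration has changed. If this is an unexpected "
            "event you should review the settings as this may be the result of malware.\n"
            f"\tOld value: \n\tNew value: {new_value}")


EXCL = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"

# Constructed sample records; hostnames, times and paths are invented for this example.
SAMPLE_RECORDS = [
    ("WS-01", "2025-02-27T09:14:02", _msg(EXCL + "Paths\\C:\\Users\\Public\\Libraries = 0x0")),
    ("WS-01", "2025-02-27T09:14:03", _msg(EXCL + "Paths\\C:\\ProgramData\\PatientViewer = 0x0")),
    ("WS-01", "2025-02-27T09:14:05", _msg(EXCL + "Processes\\C:\\ProgramData\\PatientViewer\\viewer.exe = 0x0")),
    ("WS-02", "2025-02-27T11:40:10", _msg(EXCL + "Paths\\C:\\Program Files\\VendorDB\\data = 0x0")),
    ("WS-02", "2025-02-27T11:41:00", _msg("HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\"
                                          "Real-Time Protection\\DisableRealtimeMonitoring = 0x1")),
]

if __name__ == "__main__":
    result = analyse(SAMPLE_RECORDS)
    for e in result["exclusions"]:
        print(f"{e.host} {e.ts:%H:%M:%S} {e.severity:8} {e.kind}: {e.value}")
    for host, run in result["bursts"]:
        print(f"BURST on {host}: {len(run)} exclusions within {run[-1].ts - run[0].ts}")
```

On a live host the same messages come from `Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational"` filtered to ID 5007, and the current effective list can be cross-checked with `Get-MpPreference` (ExclusionPath, ExclusionProcess, ExclusionExtension). The burst heuristic is deliberately coarse; tune the window and count against your own change-management baseline so scripted software rollouts do not page anyone.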

8:05 [RANSOMWARE] KTA134 (AKA BLACKBASTA) Chat Logs Leaked

  • A 50MB trove of internal Matrix team chat logs from the BLACKBASTA ransomware group has been leaked online.
  • The group's members are exposed, including the alleged leader, Tramp, and several other key figures.
  • Infrastructure, tooling and financial operations are also detailed, exposing the internal workings of the group.
  • Internal discord is evident from the communications amid an exodus of key figures and operational failures.
  • Highly skilled operators from the group are likely to significantly increase the technical capabilities of other ransomware operators as they acquire former members.

Ransomware Roundup

12:39 – LOCKBIT’s Message to the FBI
On February 25, 2025, LOCKBIT created a post on its Telegram channel and data leak site to specifically address Kash Patel, director of the Federal Bureau of Investigation (FBI).

Dive deeper:

Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/cti-spotlight-trends-report

Kroll’s Q2 2024 Threat Landscape Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q2-2024-threat-landscape-report-threat-actors-ransomware-cloud-risks-accelerate

Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: Cyber Threat Intelligence Briefings

Kroll Cyber Blog: https://www.kroll.com/en/insights/publications/cyber

Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber-risk/managed-security/threat-intelligence-services

Kroll Threat Intelligence Reports: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports

Kroll Responder MDR: https://www.kroll.com/en/services/cyber-risk/managed-security/kroll-responder

#krollcyber #threatintelligence #cyberthreats