Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

On March 20, 2025, a Breach Forums user, “rose87168,” claimed to have stolen six million records from Oracle Cloud’s SSO and LDAP services and offered the data for sale or in exchange for zero-day exploits. Breach Forums is a known marketplace for cybercriminals to trade stolen data and exploits.

On March 19, 2025, Veeam published a security advisory for a critical severity vulnerability impacting their Backup & Replication software. The advisory did not provide technical details regarding the vulnerability, although it did mention that it could be exploited by authenticated domain users.

Arctic Wolf has recently observed a campaign in which threat actors are compromising widely used websites across various industries and embedding a fake CAPTCHA challenge. When victims visit the site, they are presented with the CAPTCHA challenge or redirected to a site that provides instructions, triggering PowerShell code execution and ultimately leading to the loading of information stealer malware.

During routine monitoring of the cyber threat landscape in Southeast Asia, the Arctic Wolf Labs team came across a relatively recent Indonesian-based hacktivist collective calling themselves “INDOHAXSEC” that has been active within this region.

With the rise of hybrid work and software-as-a-service (SaaS) applications for core business functions, as well as the near ubiquity of the cloud, organizations’ attack surfaces are no longer easily defined. In many cases, they are rapidly expanding. This presents both new opportunities for threat actors and new challenges for security teams, giving rise to a new tactic for security posture improvement — attack surface management.

Since its introduction into cybersecurity in the late 1980s as a tool for detecting unusual activity, artificial intelligence (AI) has grown in popularity and functionality, with a major surge of adoption happening in the past few years, thanks to its growing ability to perform tasks faster and more accurately than humans. However, AI has never operated in isolation; it has always relied on human input. And any advanced technology that requires human input can be used for both good and bad.

Ransomware-as-a-service is a business model where ransomware operators and third parties, called “affiliates,” work together to launch ransomware attacks. RaaS was first identified in 2012 with the Reveton ransomware strain, and in the subsequent decade it has exploded into a sophisticated and ever-evolving cybercrime tactic.

On March 4, 2025, Broadcom released patches for three zero-day vulnerabilities exploited in the wild, affecting ESXi, Workstation, and Fusion. These vulnerabilities, discovered by Microsoft, range in severity from high to critical. Details of the exploitation have not been revealed at this time, and Arctic Wolf has not identified a public Proof-of-Concept (PoC) exploit.

On or around February 25, 2025, a threat actor claiming to be associated with the BianLian ransomware group began using the United States Postal Service (USPS) to send physical ransom letters to executives, primarily within the US healthcare sector. Notably, when compared with historical BianLian communications and ransom notes, the physical ransom letters are drastically different in word usage and tone.

Arctic Wolf has recently observed a campaign targeting the healthcare sector, where victims visiting the widely used physical therapy video site HEP2go are redirected to a fake CAPTCHA webpage when they attempt to visit multiple parts of the website. This CAPTCHA provides instructions that trigger PowerShell code execution and the eventual loading of infostealer malware.