Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

March 24, 2025 Cyber Threat Intelligence Briefing This week’s briefing covers: KTA134 (BLACKBASTA) Chats Suggests Help From Russian Officials Upon review of leaked chat logs, it appears that KTA248 (Oleg Nefedov, GG, Tramp, Kurva) was able to evade trial by eliciting the help of Russian government officials. Supply Chain Attack Leaks Secrets from GitHub A supply chain attack on the popular GitHub Action tj-actions/changed-files caused many repositories to leak their secrets over the weekend.

This week’s briefing covers: KTA080 (CLOP) Update CL0P has recently published files from victim organizations that were last revealed from the E-H listing around February 24, 2025. Some victim organizations were removed from the E-H listing as well as the H-W listing, likely due to negotiations with the threat actor group to refrain from sensitive data to be published. Additional victim companies have also been published outside of the E-H listing.

Infostealers Remain Prominent.

The Evolving Phishing Threat.

March 10, 2025 Cyber Threat Intelligence Briefing This week’s briefing covers: BLACK BASTA Affiliates Linked to CACTUS Ransomware Researchers have linked CACTUS ransomware tactics to former affiliates of BLACKBASTA, noting the use of similar tools and techniques. CACTUS employs the BackConnect (BC) module for persistent control over infected systems, allowing for data theft and remote command execution.

This week’s briefing covers: KTA080 (CL0P) Update KTA080 has released the names of the previously redacted victim organizations ranging from E-H. Additionally, KTA080 has identified 183 victims’ organization names broadly covering H-W. KTA374 (Salt Typhoon) Telecoms Targeting Update Cisco Talos has released further information on the targeting of telecoms organizations identified in late 2024. This information includes the high level of living-off-the-land techniques used by the threat actor.

February 24, 2025 Cyber Threat Intelligence Briefing This week’s briefing covers: KTA080 (CL0P) Update CL0P has again updated their data leak site with a new list of redacted victim organizations possibly linked to the Cleo vulnerability. The list contains company names beginning with the letters E-H. This follows the current pattern the group has established with releasing redacted names to then later slowly start releasing the actual entity and published data associated with it if the victim organization has not reached out to CL0P.

February 18, 2025 Cyber Threat Intelligence Briefing This week’s briefing covers: CL0P Update CL0P updated their data leak site with a new victim list of approximately 43 organizations. The organizations are likely from the previous redacted list containing company names from C-E and are possibly associated with the Cleo zero-day vulnerability.

This week’s briefing covers: CL0P Update CL0P has released an additional list of 50 possible Cleo victims. The list is similar to its previous tactics of redacting the company names before fully disclosing each organization. 7-Zip Mark-of-the-Web Bypass Vulnerability CVE-2025-0411 actively exploited in Ukraine.

This week’s briefing covers: KTA080 (CL0P) Update Around January 28, 2025, KTA080 (CL0P) updated its data leak site with a new victim list of approximately 49 organizations. The organizations are likely from the previous redacted list that was reported on listings and are possibly associated with the Cleo zero-day vulnerability, but cannot be confirmed since the group does not indicate it in their post.