June 2, 2025 Cyber Threat Intelligence Briefing

Jun 2, 2025

This week’s briefing covers:

00:00 - Intro and Situational Awareness

MATLAB dev confirms ransomware attack behind service outage
MathWorks, the developer of the MATLAB numeric computing platform and the Simulink simulation environment, has disclosed that it suffered a ransomware attack beginning on May 18, 2025. The attack disrupted online applications used by customers as well as internal staff systems.

Employees searching payroll portals on Google tricked into sending paychecks to fraud network
ReliaQuest has reported a campaign that uses SEO poisoning to target employees' mobile devices and facilitate payroll fraud. First detected in May 2025, the campaign buys sponsored search results so that deceptive pages impersonating the victim organization's payroll login page appear at the top of searches; credentials captured there are used to redirect employees' pay to accounts controlled by the fraud network.

Fake Zenmap and WinMTR sites target IT staff with BUMBLEBEE malware
Further SEO poisoning attacks have been discovered distributing BUMBLEBEE malware. This time the lures are Zenmap, the graphical user interface (GUI) for the Nmap network scanner, and the WinMTR traceroute utility, hosted on typosquatted domains to infect the devices of IT staff who are likely to search for these tools.

04:17 [VULNERABILITY] 'BadSuccessor' Flaw Affects Windows Server 2025 Domain Controllers, Enables Domain Compromise
Key Takeaways

  • A new vulnerability has been identified that affects domains with at least one domain controller running Windows Server 2025.
  • The flaw can be used to impersonate any user in Active Directory (AD), allowing full domain takeover or the extraction of every account's credentials.
  • Microsoft has acknowledged the issue, rated it moderate severity, and plans to address it in a future update. No date for a fix has been provided, so no patch is available at the time of this briefing.
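The public research that disclosed BadSuccessor (Akamai, May 2025) describes the precondition as the ability to create a delegated Managed Service Account (dMSA) object in any organizational unit of a domain served by a Windows Server 2025 domain controller; the attacker then points the new dMSA's msDS-ManagedAccountPrecededByLink attribute at a target account and the KDC treats the dMSA as that account's successor. The PowerShell below is an added audit example written for this briefing, not code from Kroll, Microsoft or the researchers. It assumes the ActiveDirectory RSAT module on a domain-joined host with read access to the domain; OU names, principals and results are whatever your domain contains.

```powershell
# Added audit example (not from the briefing): checks the three BadSuccessor
# preconditions as described in the public research. Assumes the ActiveDirectory
# module and read access to the domain; nothing here modifies AD.
Import-Module ActiveDirectory

# 1. Only Windows Server 2025 domain controllers serve dMSAs, so a domain with
#    none of them is not exposed until one is promoted.
$dc2025 = @(Get-ADDomainController -Filter * |
    Where-Object { $_.OperatingSystem -like '*Server 2025*' } |
    Select-Object HostName, OperatingSystem, Site)
Write-Host "Windows Server 2025 domain controllers: $($dc2025.Count)"
$dc2025 | Format-Table -AutoSize

# 2. Which principals, other than the expected built-in admin groups, can create
#    objects in an OU? CreateChild on any OU is enough to create a dMSA there;
#    GenericAll, WriteDacl and WriteOwner let a principal grant itself that right.
$domainSid    = (Get-ADDomain).DomainSID.Value
$expectedSids = @('S-1-5-18', 'S-1-5-32-544', "$domainSid-512", "$domainSid-519")  # SYSTEM, Administrators, Domain Admins, Enterprise Admins
$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$dmsaClass    = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' `
    -Properties schemaIDGUID
if ($null -eq $dmsaClass) {
    Write-Host "Schema has no dMSA class: this forest has not been extended for Windows Server 2025."
}
$dmsaClassGuid = if ($dmsaClass) { [guid]$dmsaClass.schemaIDGUID } else { $null }
$anyClass      = [guid]'00000000-0000-0000-0000-000000000000'
$interesting   = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, GenericAll, WriteDacl, WriteOwner'
$createChild   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter * -Properties nTSecurityDescriptor) {
    foreach ($ace in $ou.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $granted = $ace.ActiveDirectoryRights -band $interesting
        if ([int]$granted -eq 0) { continue }
        # A CreateChild ACE limited to one object class only matters when that
        # class is dMSA (or the ACE is unscoped); the other rights always matter.
        if ($granted -eq $createChild -and
            $ace.ObjectType -ne $anyClass -and $ace.ObjectType -ne $dmsaClassGuid) { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }
        if ($expectedSids -contains $sid) { continue }
        [pscustomobject]@{
            OU        = $ou.DistinguishedName
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
    }
}
Write-Host "Non-default principals able to create objects in an OU: $(@($findings).Count)"
$findings | Sort-Object OU, Principal | Format-Table -AutoSize

# 3. dMSAs that already name a predecessor account. Any not created by a planned
#    service-account migration deserve an incident-response look.
Get-ADObject -LDAPFilter '(&(objectClass=msDS-DelegatedManagedServiceAccount)(msDS-ManagedAccountPrecededByLink=*))' `
    -Properties whenCreated, msDS-ManagedAccountPrecededByLink, msDS-DelegatedMSAState |
    Select-Object Name, whenCreated, msDS-ManagedAccountPrecededByLink, msDS-DelegatedMSAState |
    Format-Table -AutoSize
```

The second check is a simplified version of the OU permission enumeration the researchers published alongside their writeup; it lists principals worth reviewing rather than proving exploitability, since group nesting and deny ACEs are not resolved here. For ongoing detection, enable a SACL on OUs for object creation and attribute writes so that Security events 5137 (object created) and 5136 (attribute modified) are logged for the msDS-DelegatedManagedServiceAccount class and the msDS-ManagedAccountPrecededByLink attribute, and alert on either until Microsoft ships a fix.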

07:31 [CAMPAIGN] Void Blizzard (KTA465) Cyber Espionage Against Critical Sectors
Key Takeaways

  • KTA465 is a Russian state-sponsored group, also known as Void Blizzard, whose activity overlaps with KTA007 (Forest Blizzard).
  • The threat actor has been observed conducting phishing (Evilginx adversary-in-the-middle kits and QR codes), deploying infostealer malware, and abusing cloud APIs for collection.
  • The group is targeting NATO governments, Ukrainian NGOs, and the IT and aviation sectors, especially their supply chains.
  • There is evidence of espionage focused on military aid, geopolitical intelligence and critical infrastructure.
  • KTA465's tactics have evolved, shifting from password spraying in 2024 to sophisticated adversary-in-the-middle (AitM) phishing in Q2 2025.

09:14 [RANSOMWARE ROUNDUP] DRAGONFORCE Ransomware Compromises MSP
Sophos reports that the DRAGONFORCE ransomware group compromised a managed service provider (MSP) and abused SimpleHelp, the remote support and access tool the MSP used to administer its customers, to exfiltrate data from and then encrypt the customers' systems.

Dive deeper:

Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/cti-spotlight-trends-report

Kroll’s Q3 2023 Threat Landscape Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q3-2023-threat-landscape-report-social-engineering

Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: Cyber Threat Intelligence Briefings

Kroll Cyber Blog: https://www.kroll.com/en/insights/publications/cyber

Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber-risk/managed-security/threat-intelligence-services

Kroll Threat Intelligence Reports: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports

Kroll Responder MDR: https://www.kroll.com/en/services/cyber-risk/managed-security/kroll-responder

#krollcyber #threatintelligence #cyberthreats