March 10, 2025 Cyber Threat Intelligence Briefing

Mar 10, 2025

This week’s briefing covers:

00:00 - Intro and Situational Awareness

BLACK BASTA Affiliates Linked to CACTUS Ransomware
Researchers have linked CACTUS ransomware intrusions to former BLACK BASTA affiliates, based on overlapping tooling and tradecraft. CACTUS deploys the BackConnect (BC) module for persistent control of infected systems, enabling remote command execution and data theft.

Fake CAPTCHAs, Malicious PDFs, SEO Traps Leveraged for User Manual Searches
On February 12, 2025, researchers reported a widespread phishing campaign that combines SEO poisoning with fake CAPTCHA images hosted on the Webflow CDN to target users searching for PDF documents, such as user manuals, on search engines.

HTTP Client Tools Exploitation for Account Takeover Attacks
On January 30, 2025, researchers at Proofpoint published the findings of an investigation into the use of legitimate HTTP client tools to compromise Microsoft 365 environments. They found that 78% of Microsoft 365 tenants were targeted at least once by an account takeover attempt using this method, a 7% increase over the previous six months.
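Because these attacks authenticate with an ordinary HTTP library instead of a browser or an Office client, the user-agent string in the tenant's sign-in logs is often the quickest pivot for defenders. The following is an added example, not code from the briefing or from Proofpoint: it runs over a handful of constructed sign-in records (the field names userPrincipalName, ipAddress, userAgent and status.errorCode follow the Entra ID sign-in log schema, and the list of HTTP client user-agent markers is an assumption to be tuned per environment), flags source IPs that spray failed passwords across several accounts from such a client, and separately lists accounts where an HTTP client either signed in or was stopped only by MFA, since in both cases the password is already in the attacker's hands.

```python
"""Flag Microsoft 365 sign-ins made from generic HTTP client libraries.

Two outputs:
  * spray sources: IPs using an HTTP client user agent that produced
    bad-password failures against several distinct accounts
  * credential hits: accounts where an HTTP client user agent signed in
    successfully or was stopped only by MFA (the password is known to the
    attacker either way and should be rotated)
"""
import json
import re
from collections import defaultdict

# Assumed list of user-agent markers for common HTTP client libraries.
# Legitimate automation also uses these, so baseline before alerting.
HTTP_CLIENT_UA = re.compile(
    r"\b(axios|node-fetch|undici|python-requests|aiohttp|Go-http-client|"
    r"okhttp|curl|libwww-perl|Java/\d)",
    re.IGNORECASE,
)

# Entra ID sign-in error codes used below:
#   0     = success
#   50126 = invalid username or password
#   50076 = MFA required (the password itself was accepted)
ERR_SUCCESS = 0
ERR_BAD_PASSWORD = 50126
ERR_MFA_REQUIRED = 50076

# Constructed sample records, one JSON object per line (not real log data).
SAMPLE_LOG = """
{"userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","userAgent":"axios/1.7.9","status":{"errorCode":50126}}
{"userPrincipalName":"bob@example.com","ipAddress":"203.0.113.10","userAgent":"axios/1.7.9","status":{"errorCode":50126}}
{"userPrincipalName":"carol@example.com","ipAddress":"203.0.113.10","userAgent":"axios/1.7.9","status":{"errorCode":50126}}
{"userPrincipalName":"dave@example.com","ipAddress":"203.0.113.10","userAgent":"axios/1.7.9","status":{"errorCode":50126}}
{"userPrincipalName":"dave@example.com","ipAddress":"203.0.113.10","userAgent":"axios/1.7.9","status":{"errorCode":0}}
{"userPrincipalName":"erin@example.com","ipAddress":"192.0.2.5","userAgent":"Go-http-client/1.1","status":{"errorCode":50076}}
{"userPrincipalName":"frank@example.com","ipAddress":"198.51.100.7","userAgent":"node-fetch/1.0 (+https://github.com/bitinn/node-fetch)","status":{"errorCode":50126}}
{"userPrincipalName":"grace@example.com","ipAddress":"198.51.100.7","userAgent":"node-fetch/1.0 (+https://github.com/bitinn/node-fetch)","status":{"errorCode":50126}}
{"userPrincipalName":"alice@example.com","ipAddress":"198.51.100.200","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0 Safari/537.36","status":{"errorCode":50126}}
"""


def parse_events(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_http_client(user_agent):
    """True when the user agent looks like a scripted HTTP library."""
    return bool(HTTP_CLIENT_UA.search(user_agent or ""))


def analyze(events, spray_threshold=3):
    """Return (spray_sources, credential_hits) for HTTP-client sign-ins.

    spray_sources: {ip: sorted list of accounts} for IPs with bad-password
    failures against at least spray_threshold distinct accounts.
    credential_hits: list of (user, ip, user_agent) tuples where the
    password was accepted (success or MFA-required).
    """
    failed_users_by_ip = defaultdict(set)
    credential_hits = []
    for ev in events:
        ua = ev.get("userAgent", "")
        if not is_http_client(ua):
            continue  # browsers and Office clients are out of scope here
        code = ev.get("status", {}).get("errorCode")
        user, ip = ev["userPrincipalName"], ev["ipAddress"]
        if code == ERR_BAD_PASSWORD:
            failed_users_by_ip[ip].add(user)
        elif code in (ERR_SUCCESS, ERR_MFA_REQUIRED):
            credential_hits.append((user, ip, ua))
    spray_sources = {
        ip: sorted(users)
        for ip, users in failed_users_by_ip.items()
        if len(users) >= spray_threshold
    }
    return spray_sources, credential_hits


if __name__ == "__main__":
    spray, hits = analyze(parse_events(SAMPLE_LOG))
    for ip, users in spray.items():
        print(f"password spray from {ip} against {len(users)} accounts: {', '.join(users)}")
    for user, ip, ua in hits:
        print(f"valid password used by HTTP client: {user} from {ip} ({ua})")
```

In the constructed data the axios source trips the spray threshold and then lands a valid password for dave, the Go-http-client sign-in for erin was blocked by MFA but still reveals a compromised password, and the node-fetch source stays below the threshold, so it would only surface once the threshold is lowered or more records arrive. The same logic can be expressed as a KQL query over SigninLogs; the value of the user-agent pivot is that it is cheap to baseline and survives IP rotation.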

4:14 [CAMPAIGN] Growing Scale of DPRK IT Worker Fraud Scheme
Key Takeaways

  • Further indicators have been reported for the widespread campaign involving North Korean nationals posing as IT workers to raise money for the Democratic People’s Republic of Korea.
  • The risks highlighted here emphasize the continued need for thorough vetting and security measures for remote workers, particularly in IT positions.

7:37 [VULNERABILITY] Multiple Vulnerabilities in VMware Products
Broadcom has released patches for three VMware hypervisor vulnerabilities that have been added to CISA's Known Exploited Vulnerabilities (KEV) catalog.

9:39 [MALWARE] FRIGIDSTEALER: New macOS Threat Delivered via Web Injects

  • Proofpoint identified a new macOS malware, FRIGIDSTEALER, delivered via web inject campaigns and operated by cybercriminal group KTA420 (TA2727).
  • KTA419 (TA2726) and KTA420 (TA2727) have emerged as key actors in the web inject landscape, contributing to a growing number of copycat campaigns that complicate threat tracking.
  • The web inject attack chain consists of three main components: malicious JavaScript injects, traffic distribution services (TDS) and the ultimate malware payload.
  • KTA420 (TA2727) was observed using fake update-themed lures to distribute FRIGIDSTEALER, a macOS information stealer designed to exfiltrate browser cookies, sensitive files and Apple Notes.
  • Web-based malware campaigns increasingly include macOS-specific payloads, reflecting a broader shift in targeting strategies.

12:11 – Ransomware Roundup
BIANLIAN Physical Letters
Kroll has observed recent activity in which various organizations received mailed ransom notes from the "BianLian Group," demanding payment in Bitcoin. The letters used very similar language, with demanded amounts varying from $150,000 to $500,000 per organization.

KTA421 (OX THIEFS)
KTA421, also known as OX THIEFS, likely emerged around March 2024 with the launch of a detailed data leak site. The site has dedicated sections aimed at victims, covering topics such as liability, prior cases and potential losses.

Dive deeper:

Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/cti-spotlight-trends-report

Kroll’s Q2 2024 Threat Landscape Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q2-2024-threat-landscape-report-threat-actors-ransomware-cloud-risks-accelerate

Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: Cyber Threat Intelligence Briefings

Kroll Cyber Blog: https://www.kroll.com/en/insights/publications/cyber

Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber-risk/managed-security/threat-intelligence-services

Kroll Threat Intelligence Reports: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports

Kroll Responder MDR: https://www.kroll.com/en/services/cyber-risk/managed-security/kroll-responder

#krollcyber #threatintelligence #cyberthreats