March 17, 2025 Cyber Threat Intelligence Briefing

Mar 17, 2025

This week’s briefing covers:

00:00 - Intro and Situational Awareness

KTA080 (CLOP) Update
CL0P has recently published files from victim organizations that were last revealed on the E-H listing around February 24, 2025. Some victim organizations were removed from both the E-H listing and the H-W listing, likely because they negotiated with the threat actor group to keep sensitive data from being published. Additional victim companies have also been published outside of the E-H listing.

Apple Releases Patch for WebKit Zero-Day Vulnerability - (CVE-2025-24201)
Apple patched a critical WebKit zero-day vulnerability, tracked as CVE-2025-24201, affecting nearly all supported iPhone and iPad models, including the iPhone XS and later and various iPad Pro, Air and Mini models.

KTA071 (Lazarus) Supply Chain Campaign Targets npm Repos
KTA071 (Lazarus Group) has infiltrated the npm ecosystem, deploying six malicious packages: is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency and auth-validator. These packages are designed to compromise developer environments, steal credentials and exfiltrate cryptocurrency data.
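As an added example (not part of the Kroll briefing and not npm's own tooling), the following Python script checks a project's package-lock.json for the six package names listed above. It walks both the nested lockfileVersion 1 layout and the install-path layout of lockfileVersion 2/3, so transitive installs and aliased installs (where the install directory name differs from the real package name) are still caught. The sample lockfiles embedded in it are constructed.

```python
"""Flag the npm packages named in the briefing in a project's lockfile.

Added example; not from the Kroll briefing or from npm itself. Handles
lockfileVersion 1 ("dependencies", nested) and 2/3 ("packages", keyed by
install path). The sample lockfiles below are constructed.
"""
import json
import sys

# Package names exactly as listed in the briefing (attributed to KTA071).
KTA071_NPM_PACKAGES = frozenset({
    "is-buffer-validator", "yoojae-validator", "event-handle-package",
    "array-empty-validator", "react-event-dependency", "auth-validator",
})


def _name_from_path(install_path):
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    marker = "node_modules/"
    idx = install_path.rfind(marker)
    return install_path[idx + len(marker):] if idx >= 0 else install_path


def _walk_v1(deps, parents, out):
    for name, meta in deps.items():
        chain = parents + [name]
        out.append(("/".join(chain), name, meta.get("version", "?")))
        _walk_v1(meta.get("dependencies", {}), chain, out)


def installed_packages(lock):
    """Return (install path, real package name, version) for every package."""
    out = []
    if "packages" in lock:                       # lockfileVersion 2 or 3
        for path, meta in lock["packages"].items():
            if not path:                         # "" is the root project itself
                continue
            # "name" is present only for aliased installs; otherwise the real
            # name is the last node_modules segment of the install path.
            name = meta.get("name") or _name_from_path(path)
            out.append((path, name, meta.get("version", "?")))
    elif "dependencies" in lock:                 # lockfileVersion 1
        _walk_v1(lock["dependencies"], [], out)
    return out


def find_flagged(lock, watchlist=KTA071_NPM_PACKAGES):
    """Every installed package whose real name is on the watchlist."""
    return [entry for entry in installed_packages(lock) if entry[1] in watchlist]


def scan_lockfile(path, watchlist=KTA071_NPM_PACKAGES):
    with open(path, encoding="utf-8") as fh:
        return find_flagged(json.load(fh), watchlist)


# Constructed sample lockfiles; the flagged entries' versions are placeholders,
# not real releases of those packages.
SAMPLE_LOCK_V3 = json.loads("""{
  "name": "wallet-ui", "lockfileVersion": 3,
  "packages": {
    "": {"name": "wallet-ui", "version": "1.0.0"},
    "node_modules/react": {"version": "18.3.1"},
    "node_modules/react-event-dependency": {"version": "0.0.1"},
    "node_modules/react-event-dependency/node_modules/auth-validator": {"version": "0.0.1"},
    "node_modules/buf-check": {"name": "is-buffer-validator", "version": "0.0.1"}
  }
}""")

SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "lodash": {"version": "4.17.21"},
        "some-lib": {"version": "2.0.0",
                     "dependencies": {"yoojae-validator": {"version": "0.0.1"}}},
    },
}

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    hits = scan_lockfile(target) if target else find_flagged(SAMPLE_LOCK_V3)
    for install_path, name, version in hits:
        print(f"FLAGGED {name}@{version} installed at {install_path}")
```

Run it as `python scan_lock.py path/to/package-lock.json`; with no argument it scans the constructed v3 sample. A match only tells you the package is installed; the developer machine and any credentials or wallets reachable from it should then be treated as exposed.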

Exploitation of Critical PHP-CGI Vulnerability (CVE-2024-4577)
A critical argument-injection vulnerability tracked as CVE-2024-4577, with a CVSS score of 9.8, affecting PHP running in CGI mode on Windows has come under widespread exploitation in multiple countries, including the U.S., U.K., Japan, Singapore and Germany.
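As an added example (not from the Kroll briefing or any vendor tool), a Python check over web-server access logs for the request shape associated with CVE-2024-4577: a percent-encoded soft hyphen (%AD) that Windows best-fit maps to a hyphen, so that php-cgi reads the query string as a -d option. The log lines inside it are constructed, and the directive list is an assumption drawn from public exploit write-ups; treat a hit as a lead to confirm against the PHP version and SAPI actually in use, not as proof of compromise.

```python
"""Flag web-server requests consistent with CVE-2024-4577 argument injection.

Added example; not from the Kroll briefing or from any vendor tooling.
The rule is an assumption drawn from the public description of the bug:
on Windows, PHP running as CGI can have a soft hyphen (0xAD, sent as %AD)
best-fit mapped to '-', so a query string beginning "?%ADd+..." reaches
php-cgi as the "-d" option and lets the client inject php.ini settings.
The sample log lines below are constructed.
"""
import re
from urllib.parse import urlsplit

# Apache/nginx combined log format; only the fields this check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# A lone %AD (or double-encoded %25AD) followed by an option letter.
# A soft hyphen in legitimate UTF-8 arrives as %C2%AD, so that is excluded.
SOFT_HYPHEN_OPT = re.compile(r'(?<!%C2)%(?:25)?AD(?P<opt>[a-z])', re.IGNORECASE)

# php.ini directives commonly paired with the injected -d option to reach
# code execution (assumption: taken from public exploit write-ups).
RISKY_DIRECTIVES = ("allow_url_include", "auto_prepend_file")


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def inspect_target(target):
    """Return a list of findings for one request target (path?query)."""
    query = urlsplit(target).query
    findings = [f"soft-hyphen php-cgi option -{m.group('opt').lower()}"
                for m in SOFT_HYPHEN_OPT.finditer(query)]
    if findings:  # directives matter only when the option injection is present
        lowered = query.lower()
        findings += [f"php.ini directive {d}" for d in RISKY_DIRECTIVES if d in lowered]
    return findings


def scan(log_text):
    """Flagged requests as dicts; benign and unparsable lines are dropped."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        findings = inspect_target(rec["target"])
        if findings:
            severity = "high" if any(f.startswith("php.ini") for f in findings) else "medium"
            hits.append({"ip": rec["ip"], "target": rec["target"],
                         "severity": severity, "findings": findings})
    return hits


# Constructed sample: one exploit-shaped request, two benign requests
# (the third carries a legitimate UTF-8 soft hyphen), one double-encoded probe.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:02:14:11 +0000] "POST /hello.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 512
198.51.100.3 - - [10/Mar/2025:02:15:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048
192.0.2.9 - - [10/Mar/2025:02:16:40 +0000] "GET /search.php?q=caf%C3%A9%C2%AD HTTP/1.1" 200 1024
203.0.113.7 - - [10/Mar/2025:02:17:55 +0000] "POST /cgi-bin/php-cgi.exe?%25ADd+cgi.force_redirect%3d0 HTTP/1.1" 500 0
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["severity"].upper(), hit["ip"], hit["target"], "; ".join(hit["findings"]))
```

The %C2%AD exclusion matters in practice: a soft hyphen inside ordinary UTF-8 form input is legitimate, whereas a bare %AD byte has no valid meaning in a UTF-8 query string and is the signal here.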

4:12 [PATCHING] Microsoft Patch Tuesday Addresses 72 Issues, 6 Zero-Days
Microsoft has fixed 72 vulnerabilities across March's Patch Tuesday release and recent Microsoft Edge releases.

8:45 [CAMPAIGN] KTA410 (AKA Blind Eagle) Use Packer-as-a-Service in Phishing Campaign
Check Point Research detailed a campaign orchestrated by KTA410 (AKA Blind Eagle), a group that conducts both cybercrime and espionage. The group has expanded its toolset to use the packer-as-a-service HEARTCRYPT to package the PURELOADER loader, ultimately deploying the REMCOS remote access tool.

10:17 [CAMPAIGN] GrassCall Campaign: Job Recruitment Cyber Scam Targeting Crypto Wallets
Key Takeaways

  • A Russian threat actor distributed malware via a fake meeting app called GrassCall to drain crypto wallets
  • The sophisticated social engineering campaign is linked to the cybercrime group Crazy Evil
  • The group targeted victims via realistic, fake job postings on social media and Web3 job boards
  • The campaign has been terminated since being exposed, but the emergence of rebranded malware with the same characteristics indicates a continued threat

Dive deeper:

Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/cti-spotlight-trends-report

Kroll’s Q3 2023 Threat Landscape Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q3-2023-threat-landscape-report-social-engineering

Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: Cyber Threat Intelligence Briefings

Kroll Cyber Blog: https://www.kroll.com/en/insights/publications/cyber

Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber-risk/managed-security/threat-intelligence-services

Kroll Threat Intelligence Reports: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports

Kroll Responder MDR: https://www.kroll.com/en/services/cyber-risk/managed-security/kroll-responder

#krollcyber #threatintelligence #cyberthreats