March 24, 2025 Cyber Threat Intelligence Briefing

Mar 24, 2025

This week’s briefing covers:

00:00 - Intro and Situational Awareness

KTA134 (BLACKBASTA) Chats Suggest Help From Russian Officials
Upon review of leaked chat logs, it appears that KTA248 (Oleg Nefedov, GG, Tramp, Kurva) was able to evade trial by enlisting the help of Russian government officials.

Supply Chain Attack Leaks Secrets from GitHub
A supply chain attack on the popular GitHub Action tj-actions/changed-files caused many repositories to leak their secrets over the weekend.
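One practical check after an incident like this is to find every workflow that consumes the affected action by a mutable reference (a tag or branch name) rather than a full commit SHA, since a tag can be repointed at different code while a SHA cannot. The script below is an added example written for this briefing, not code from Kroll, GitHub or the tj-actions project; the sample workflow embedded in it is constructed, the 40-character SHA in it is a placeholder rather than any real commit, and the `.github/workflows` path it walks is the standard GitHub Actions location, assumed here.

```python
"""
Added example (not from the briefing): audit GitHub Actions workflow files for
references to the tj-actions/changed-files action that are pinned to a mutable
ref (tag or branch) instead of a full commit SHA. Pinning to a SHA means a later
repoint of a tag cannot silently swap in different code.
"""
import re
from pathlib import Path
from typing import Iterable

# Matches a `uses:` step line of the form owner/repo(/subpath)?@ref,
# tolerating optional quotes around the value and a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#@]+)@([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text: str,
                   watched: Iterable[str] = ("tj-actions/changed-files",)) -> list[dict]:
    """Return one finding per `uses:` line that references a watched action.

    severity 'high' = watched action referenced by a mutable tag or branch
    severity 'info' = watched action pinned to a full 40-hex commit SHA
    """
    findings = []
    watched = tuple(w.lower() for w in watched)
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        # Compare on owner/repo only, so a subpath such as owner/repo/dir still matches
        repo = "/".join(action.split("/")[:2]).lower()
        if repo not in watched:
            continue
        pinned = bool(FULL_SHA_RE.match(ref))
        findings.append({
            "line": lineno,
            "action": action,
            "ref": ref,
            "pinned_to_sha": pinned,
            "severity": "info" if pinned else "high",
        })
    return findings


def audit_directory(workflows_dir: Path) -> dict[str, list[dict]]:
    """Audit every .yml/.yaml file in a .github/workflows directory (assumed layout)."""
    results = {}
    for path in sorted(workflows_dir.glob("*.y*ml")):
        results[str(path)] = audit_workflow(path.read_text(encoding="utf-8"))
    return results


# Constructed sample workflow for demonstration; the SHA below is a placeholder,
# not a real commit of any project.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45          # mutable tag: flagged
      - uses: "tj-actions/changed-files@main"       # branch: flagged
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567  # placeholder SHA, pinned
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['action']}@{f['ref']} -> {f['severity']}")
    # Against a real checkout: audit_directory(Path(".github/workflows"))
```

Run it from a repository root to list every workflow line that should be repinned; a finding marked `high` is a reference that a tag repoint could redirect, while `info` lines are already pinned and only need the SHA itself reviewed against the action's own release history.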

2:43 [THREAT ACTOR SPOTLIGHT] KTA427 (EncryptHub)
Microsoft has fixed 72 vulnerabilities in March’s patch cycle and Microsoft Edge releases.
Key Takeaways

  • KTA427, also known as EncryptHub or Larva-208, is a financially motivated threat actor which has been active since mid-2024.
  • The group has proven capable of developing and deploying zero-day vulnerabilities in Windows systems.
  • The group operates its own malware, dubbed FICKLE, as well as a suite of other PowerShell tools and information stealers.
  • It has been known to deploy its own PowerShell-based ransomware tool, in addition to RANSOMHUB and BLACKSUIT.

7:20 [VULNERABILITY] Critical Vulnerability Affecting Multiple Versions of Apache Tomcat: CVE-2025-24813
A critical vulnerability identified as CVE-2025-24813 with a CVSS score of 9.8 was disclosed, affecting multiple versions of Apache Tomcat. This vulnerability allows remote attackers to execute arbitrary commands on the affected server, potentially leading to full system compromise.

10:03 [MALWARE SPOTLIGHT] STILACHIRAT
Microsoft detailed a new malware family, named STILACHIRAT, that appears to have most of its functionality distributed as a DLL file. The DLL file was named WWStartupCtrl64.dll in the campaign Microsoft observed.

12:16 [RANSOMWARE] Ransomware Roundup
CL0P Fake Extortion Letters
Continuing the trend of scam ransomware and extortion letters from the recent “BIANLIAN Group” campaign, a new set of threat actors is now behind CL0P extortion letters. Researchers recently identified extortion emails that contained language similar to the ransomware group's and claimed to have exploited the Cleo vulnerability to download and exfiltrate data.

Dive deeper:

Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/cti-spotlight-trends-report

Kroll’s Q3 2024 Threat Landscape Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q3-2023-threat-landscape-report-social-engineering

Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: Cyber Threat Intelligence Briefings

Kroll Cyber Blog: https://www.kroll.com/en/insights/publications/cyber

Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber-risk/managed-security/threat-intelligence-services

Kroll Threat Intelligence Reports: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports

Kroll Responder MDR: https://www.kroll.com/en/services/cyber-risk/managed-security/kroll-responder

#krollcyber #threatintelligence #cyberthreats