May 27, 2025 Cyber Threat Intelligence Briefing
This week’s briefing covers:
00:00 - Intro and Situational Awareness
Joint Cybersecurity Advisory released on KTA007 (APT28)
A joint advisory has been released warning of Russian-attributed threat actors targeting western logistics entities and technology companies since 2022.
Microsoft leads global action to disrupt LUMMASTEALER
Microsoft’s Digital Crimes Unit has recently seized and facilitated the takedown, suspension, and blocking of approximately 2,300 malicious domains that formed the backbone of LUMMASTEALER infrastructure.
02:29 [CAMPAIGN] KTA461 (AKA UNC5174) exploiting CVE-2025-31324 and CVE-2025-30406
Key Takeaways
- Kroll observes actors associated with Chinese APT activity exploiting CVE-2025-31324 and CVE-2025-30406 to establish an initial foothold.
- CVE-2025-30406 has not been widely associated with KTA461 activity.
04:23 [CAMPAIGN] BUMBLEBEE packaged with legitimate RVTools software
Key Takeaways
- Recent campaigns have seen the legitimate RVTools used as a lure to deliver malware to victims.
- In one case, the legitimate website appeared to have been altered to distribute a BUMBLEBEE DLL.
- In other campaigns, domains masquerading as RVTools were registered, hosting cloned versions of the legitimate website.
- RVTools is a popular utility that interacts with VMware, which makes it an attractive supply chain target for multiple actors.
06:37 [CAMPAIGN] Hazy Hawk's DNS Hijacking Campaign
- Exploitation of abandoned DNS records to hijack trusted subdomains.
- Monetization via scams and ad fraud.
- Evasion tactics like cloaked URLs and fake cloud resource names.
- The group has been observed targeting governments, universities, and corporations.
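The first bullet above describes a subdomain takeover: a CNAME that still points at a cloud resource the owner has since released. The practical defensive check is an inventory scan for dangling CNAMEs. The script below is an added example, not code from the Kroll briefing; the records, hostnames and the offline resolver are constructed so it runs without network access, and `live_resolve` is the drop-in for a real zone export.

```python
"""Dangling-CNAME check for subdomain-takeover exposure.

Added example, not part of the Kroll briefing. Walks a DNS inventory and flags
CNAME records whose target no longer resolves, which is the precondition for
the abandoned-record hijacking described above. SAMPLE_RECORDS and _FAKE_DNS
are constructed data using reserved example names.
"""
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed sample zone export: (owner name, record type, target).
SAMPLE_RECORDS: List[Tuple[str, str, str]] = [
    ("www.example.org", "A", "203.0.113.10"),
    ("assets.example.org", "CNAME", "retired-site.cloudhost.example"),
    ("blog.example.org", "CNAME", "live-blog.cloudhost.example"),
    ("old-promo.example.org", "CNAME", "promo-2019.storage.example"),
]

# Constructed offline resolver table: any name absent here is treated as NXDOMAIN.
_FAKE_DNS: Dict[str, str] = {
    "live-blog.cloudhost.example": "198.51.100.7",
    "www.example.org": "203.0.113.10",
}


def offline_resolve(name: str) -> Optional[str]:
    """Return an address for `name`, or None when the name does not exist."""
    return _FAKE_DNS.get(name)


def live_resolve(name: str) -> Optional[str]:
    """Resolver for real use; returns None on NXDOMAIN or any lookup failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def find_dangling_cnames(
    records: Iterable[Tuple[str, str, str]],
    resolve: Callable[[str], Optional[str]],
) -> List[Tuple[str, str]]:
    """Return (owner, target) pairs whose CNAME target no longer resolves.

    Only CNAME records are examined. A trailing dot on the target (common in
    zone exports) is stripped before lookup. An A record pointing at an IP the
    organisation no longer controls is a separate problem DNS alone cannot
    reveal, so it is deliberately not reported here.
    """
    dangling: List[Tuple[str, str]] = []
    for owner, rtype, target in records:
        if rtype.upper() != "CNAME":
            continue
        if resolve(target.rstrip(".")) is None:
            dangling.append((owner, target))
    return dangling


if __name__ == "__main__":
    for owner, target in find_dangling_cnames(SAMPLE_RECORDS, offline_resolve):
        print(f"DANGLING: {owner} -> {target} (target does not resolve; remove or reclaim)")
```

Run it against a real zone export by passing `live_resolve` instead of `offline_resolve`. The NXDOMAIN test only catches targets that have vanished entirely; a target that still resolves under a provider wildcard but is no longer allocated to you needs a provider-specific ownership check on top of this.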
08:55 [RANSOMWARE] VANHELSING Ransomware
- A former developer attempted to sell VANHELSING RaaS source code on a cybercrime forum.
- The group responded by releasing the code themselves, calling it outdated.
- The leak included a functional Windows builder and backend components, though incomplete.
- The code was disorganized and technically complex, requiring manual setup.
- VANHELSING 2.0 is in development, with future work to be handled internally.
Dive deeper:
Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/cti-spotlight-trends-report
Kroll’s Q3 2024 Threat Landscape Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q3-2023-threat-landscape-report-social-engineering
Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: Cyber Threat Intelligence Briefings
Kroll Cyber Blog: https://www.kroll.com/en/insights/publications/cyber
Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber-risk/managed-security/threat-intelligence-services
Kroll Threat Intelligence Reports: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports
Kroll Responder MDR: https://www.kroll.com/en/services/cyber-risk/managed-security/kroll-responder
#krollcyber #threatintelligence #cyberthreats