The CyberWire Daily Briefing.

"Law enforcement disrupts initial access malware strains."

Views expressed in this cybersecurity and cybercrime update are those of the reporters and correspondents.  Accessed on 24 May 2025, 1331 UTC.

Content and Source:  "The CyberWire Daily Briefing."

 https://thecyberwire.com/newsletters/daily-briefing/14/99

Please check the URL or scroll down to read your selections.  Thanks for joining us today.

Russ Roberts (https://www.hawaiicybersecurityjournal.net).

V14 | Issue 99 | 5.23.25

Daily Briefing for 05.23.25

Announcement

What security leaders are missing in their IR plans.

Digital forensics is shifting from reactive to strategic. Join CyberWire Daily host Dave Bittner on Wednesday, June 11 at 1:00pm ET for a live discussion with experts from Magnet Forensics on key insights from the State of Enterprise DFIR Report. Learn how top teams are evolving their tools, workflows, and talent to reduce risk and respond faster to complex incidents. Register now to join live or access it on-demand.

Summary
By the CyberWire staff

At a glance.

  • Law enforcement disrupts initial access malware strains.
  • US Justice Department indicts alleged leader of the Qakbot malware operation.
  • Chinese threat actor exploits recently patched Ivanti flaws.

Law enforcement disrupts initial access malware strains.

An international law enforcement operation coordinated by Europol and Eurojust has dismantled infrastructure used by several widely deployed initial access malware strains, the loaders and botnets whose operators sell footholds in victim networks on to other criminals. The operation targeted Qakbot, Trickbot, Bumblebee, Lactrodectus, Hijackloader, DanaBot, and Warmcookie. Europol notes that these malware strains are frequently used to stage ransomware: "From 19 to 22 May, authorities took down some 300 servers worldwide, neutralised 650 domains, and issued international arrest warrants against 20 targets, dealing a direct blow to the ransomware kill chain."

US Justice Department indicts alleged leader of the Qakbot malware operation.

The US Justice Department has indicted a 48-year-old Russian national, Rustam Rafailevich Gallyamov, as the alleged leader of a group of criminals who developed and deployed the Qakbot malware. The DOJ said in a press release, "Gallyamov developed, deployed, and controlled the Qakbot malware beginning in 2008. From 2019 onward, Gallyamov allegedly used the Qakbot malware to infect thousands of victim computers around the world in order to establish a network, or 'botnet,' of infected computers. As alleged, once Gallyamov gained access to victim computers, he provided access to co-conspirators who infected the computers with ransomware, including Prolock, Dopplepaymer, Egregor, REvil, Conti, Name Locker, Black Basta, and Cactus. In exchange, Gallyamov was allegedly paid a portion of the ransoms received from ransomware victims."

After the Qakbot botnet was shuttered by law enforcement in 2023, Gallyamov allegedly began using social engineering attacks to gain initial access to organizations before deploying ransomware.

The Justice Department has also filed a civil forfeiture complaint against over $24 million in cryptocurrency seized from Gallyamov.

Chinese threat actor exploits recently patched Ivanti flaws.

EclecticIQ warns that a Chinese cyberespionage actor tracked as "UNC5221" is exploiting a recently patched vulnerability chain affecting Ivanti Endpoint Manager Mobile (EPMM): an authentication bypass (CVE-2025-4427) and a remote code execution flaw (CVE-2025-4428). Ivanti patched the two vulnerabilities last week, noting that the flaws were under active exploitation at the time of disclosure. Chained together, they give an unauthenticated attacker remote code execution on the EPMM appliance. Because exploitation predates the patch, organizations that updated after disclosure should not assume patching alone closed the matter; exposed EPMM instances merit a review for signs of prior compromise using the indicators published by Ivanti and EclecticIQ.

EclecticIQ notes that the threat actor has used the exploit to target entities in "healthcare, telecommunications, aviation, municipal government, finance, and defense across Europe, North America, and the Asia-Pacific region."

Notes.

Today's issue includes events affecting China, Russia, and the United States.

Sponsored Events
On-demand webinar: Trends in Identity Attack Path Management. (Virtual, May 19 - Jun 30, 2025) Watch the recording: SpecterOps hosted an in-depth discussion of Attack Path Management and Identity Security, presenting results from a global survey of more than 500 IT decision-makers about their identity security practices.
Webinar: Five must-know trends in cloud security for 2025 (Virtual, Jun 5, 2025) The cloud threat landscape is shifting rapidly—and staying ahead has never been more critical. In this Amazon Web Services (AWS) webinar, Dave Shackleford of SANS Institute explores five key developments shaping cloud cybersecurity in 2025. Register now.
Webinar: DFIR blind spot – what security leaders are missing in their IR (Virtual, Jun 11, 2025) Digital forensics is now a proactive pillar of cyber resilience. Join Magnet Forensics on June 11 at 1:00 p.m. ET as we unpack findings from the State of Enterprise DFIR Report and explore how teams are evolving their tools and tactics to stay ahead of threats.
Selected Reading

Attacks, Threats, and Vulnerabilities

Following the spiders: Investigating Lactrodectus malware (Expel) Lactrodectus malware is the latest infostealing malware on the market utilizing the Click-Fix technique. Here's what you need to know.

Mysterious hacking group Careto was run by the Spanish government, sources say (TechCrunch) The elusive hacking group Careto was never publicly linked to a specific government, but TechCrunch has learned researchers concluded privately that the Spanish government was behind the group.

60 malicious npm packages caught mapping developer networks (Developer Tech News) The npm registry is once again in the spotlight, this time battling a malware campaign using malicious packages to map developer networks.

Chinese-speaking hackers targeting US municipalities with Cityworks bug (The Record) Since January, cybersecurity experts have seen Chinese-speaking hackers exploiting a bug impacting a tool used by local governments to manage critical infrastructure assets and other services.

Litigation, Investigation, and Law Enforcement

Grandpa-conning crook jailed over sugar-coated drug scam (The Register) Callous fraudster tricked elderly gents into smuggling meth hidden in chocolate truffles.

New Google program targeting children with AI chatbot may violate FTC privacy rules (The Record) Children with parent-controlled Google accounts will automatically be able to access the AI-powered Gemini chatbot unless a parent opts out.

Industry Events

For a complete running list of events, please visit the Event Tracker.

Events

CyberWiseCon Europe 2025 (Vilnius and virtual, Lithuania, May 21 - 23, 2025) CyberWiseCon is a premier IT security conference that brings together cybersecurity experts, industry leaders, and IT professionals from around Europe.

NICE Conference (Denver, Colorado, USA, Jun 1 - 4, 2025) The NICE Conference is the annual convening of community members and thought leaders from education, government, industry, and non-profits to explore ways of developing a skilled cybersecurity workforce ready to meet the challenges of the future. This event provides an opportunity to share best practices from around the world and across sectors in order to build the workforce we need to confront cybersecurity risks today and in years to come.

2025 Space Regulatory Bootcamp (Albuquerque and Virtual, New Mexico, USA, Jun 10 - 11, 2025) ACSP's Bootcamps educate new and established space professionals on must-know fundamentals and arm them for success. The 2025 Space Regulatory Bootcamp, hosted in Albuquerque, New Mexico, is a two day comprehensive industry deep dive with advanced training and meaningful networking. Learn directly from leading subject matter experts on topics including space law, export controls, space telecommunications, government contracting, and more.

AWS re:Inforce 2025 (Philadelphia, Pennsylvania, USA, Jun 16 - 18, 2025) AWS re:Inforce is our annual, immersive, cloud-security learning event delivering hands-on training and collaboration with AWS experts. It’s your opportunity to learn about the latest AWS security innovations, get direct access to the AWS teams and partners who build the security tools you rely on, and connect with cloud security peers from around the world. You’ll leave with actionable next steps to raise your security posture.

Sponsor & Support
Grow your brand, generate leads, and fill your funnel.
With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.
