Symantec

Billbug: Intrusion Campaign Against Southeast Asia Continues

A newly uncovered espionage campaign by the Billbug group (aka Lotus Blossom, Lotus Panda, Bronze Elgin) targeted multiple Southeast Asian organizations between August 2024 and February 2025.

Medusa Ransomware Activity Continues to Increase

Medusa ransomware attacks jumped by 42% between 2023 and 2024. This increase in activity continues to escalate, with almost twice as many Medusa attacks observed in January and February 2025 as in the first two months of 2024.
December 13, 2024

Likely China-based Attackers Target High-Profile Organizations in Southeast Asia

Threat actors using tools of Chinese APT groups targeted multiple high-profile organizations in Southeast Asia, including government ministries in two different countries, an air traffic control organization, a telecoms company, and a media outlet.

U.S. Organization in China Targeted by Attackers

A large U.S. organization with a significant presence in China was the subject of a targeted attack earlier this year, during which the attackers obtained a persistent presence on its network, seemingly for the purpose of intelligence gathering.
October 8, 2024

North Korean APT Stonefly Continues Extortion Attacks Against U.S. Targets

Stonefly (aka Andariel, APT45, Silent Chollima, and Onyx Sleet) initially focused on DDoS attacks but has shifted to espionage and financially motivated attacks, resulting in the indictment of an alleged member for extorting U.S. healthcare firms.

New Msupedge Backdoor Targeting Taiwan Employs Stealthy Communications

Hackers have been using a PHP vulnerability to deploy a stealthy backdoor called Msupedge. This backdoor was recently used in a cyberattack against an unnamed university in Taiwan.

Alpha Ransomware Emerges From NetWalker Ashes

The Alpha ransomware operation appears to be linked to the previously inactive NetWalker ransomware, suggesting a potential revival or acquisition of the original payload.

Iranian APT Group Targets Telecom Organizations in North and East Africa

Seedworm (aka Muddywater) continues to use a combination of living-off-the-land and publicly available tools, but has also developed its own custom tools, such as a custom build of Venom Proxy and a custom keylogger.

New Campaign by Iranian APT Group Targets Middle Eastern Government

The attackers made use of legitimate tools like Plink to configure port-forwarding rules, enabling remote access via the Remote Desktop Protocol (RDP), and modified Windows firewall rules to facilitate their activities.
October 10, 2023

Previously Unseen Grayling APT Targets Multiple Organizations in Taiwan

Grayling employs a combination of custom malware and publicly available tools like Havoc, Cobalt Strike, and NetSpy to carry out its attacks, using DLL sideloading techniques and exploiting vulnerabilities like CVE-2019-0803.
