paloaltonetworks

Data Is the New Diamond: Heists in the Digital Age

A financially motivated data extortion campaign, active since at least December 2024, is targeting high-end retailers and luxury commerce sectors. The campaign involves threat actors compromising Salesforce environments using social engineering.

Muddled Libra’s Strike Teams: Amalgamated Evil

Since late 2022, threat researchers from Unit 42 have tracked at least seven distinct strike teams associated with Muddled Libra. These teams are not static; personas frequently move between them, and their objectives and methods evolve over time.

Muddled Libra: From Social Engineering to Enterprise-Scale Disruption

Muddled Libra, also known as Scattered Spider, has evolved from a small group of cryptocurrency-focused attackers into a highly organized, modular cybercrime syndicate capable of enterprise-scale disruption.

Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques

The SLOW#TEMPEST campaign employs sophisticated obfuscation techniques such as dynamic jumps and obfuscated function calls to evade detection. Control-flow graph (CFG) obfuscation disrupts the predictable execution flow, complicating both static and dynamic analysis.

Apache Under the Lens: Tomcat’s Partial PUT and Camel’s Header Hijack

Three critical vulnerabilities in Apache Tomcat (CVE-2025-24813) and Apache Camel (CVE-2025-27636, CVE-2025-29891) enable remote code execution (RCE), allowing attackers to hijack systems.

Windows Shortcut (LNK) Malware Strategies

Hackers are increasingly leveraging LNK files to deliver malware, with malicious LNK samples rising from 21,098 in 2023 to 68,392 in 2024. They exploit the flexibility of LNKs to execute malicious payloads while masquerading as legitimate files.

Resurgence of the Prometei Botnet

Prometei has evolved significantly, with its Linux variant gaining prominence since December 2020. As of March 2025, researchers have observed a renewed wave of Prometei botnet activity targeting Linux servers.

Linux ELF Malware Families Target Cloud Infrastructure with Advanced Evasion and Destructive Capabilities

Threat actors are increasingly leveraging Linux ELF (Executable and Linkable Format) malware to target cloud infrastructure, exploiting the widespread use of Linux in cloud environments.

Lost in Resolution: Azure OpenAI's DNS Resolution Issue

A DNS misconfiguration in Azure OpenAI's domain resolution logic exposed a critical vulnerability that could have enabled cross-tenant data leaks and meddler-in-the-middle (MitM) attacks.
