
Daily Cybersecurity Roundup, May 01, 2025

Bots gone bad. A fresh ransomware operation is riding the automation wave by using the Phorpiex botnet to silently deliver and execute LockBit ransomware without breaking a sweat. Meanwhile, a China-aligned APT group known as TheWizards is abusing an IPv6 feature and deploying its own malware, Spellbinder, to hijack Windows software updates. The FBI has pulled back the curtain on LabHost, a PhaaS platform tied to over 42,000 malicious domains, enabling criminals to mimic 200+ real organizations and fleece millions of unsuspecting victims. Check out the hottest cybersecurity stories making waves today.



01. A new ransomware campaign has been identified leveraging the Phorpiex botnet to automate the delivery and execution of LockBit ransomware.

02. China-aligned APT group TheWizards has been exploiting an IPv6 networking feature and using a custom tool called Spellbinder to hijack software updates and install malware on Windows systems.

03. Cybercrime group Hive0117 is targeting Russian firms in a phishing campaign delivering a new variant of the DarkWatchman malware for espionage and data theft.

04. Researchers are warning about Nebulous Mantis, a Russian-speaking cyberespionage group that uses RomCom RAT and Hancitor to target critical infrastructure, governments, and NATO-linked entities.

05. A sophisticated sideloading campaign that began in East Asia and later targeted Sweden has been found using the MinHook DLL for API hooking, compromised digital signatures, and Cobalt Strike payloads.

06. The FBI has uncovered 42,000 phishing domains linked to the LabHost PhaaS platform, which has enabled cybercriminals to impersonate over 200 legitimate organizations and steal personal and financial data from millions of victims worldwide.

07. Microsoft has disclosed a vulnerability in its Telnet Server component that allows attackers to bypass guest login restrictions, leading to unauthorized access and privilege escalation on Windows systems.

08. SonicWall has warned of active exploitation of vulnerabilities CVE-2023-44221 and CVE-2024-38475 in its SMA appliances, which allow unauthorized access and RCE, and is urging users to apply the recent firmware patches.

09. Apache ActiveMQ has a critical vulnerability in its .NET Message Service (NMS) library, identified as CVE-2025-29953, which allows unauthenticated RCE via deserialization of untrusted data.

10. Persona, an AI-driven ID verification startup, has raised $200 million in a Series D funding round led by Founders Fund and Ribbit Capital, with backing from Bond, Coatue, and Index Ventures.
