Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Infostealers Remain Prominent.

The Evolving Phishing Threat.

March 10, 2025 Cyber Threat Intelligence Briefing This week’s briefing covers: BLACK BASTA Affiliates Linked to CACTUS Ransomware Researchers have linked CACTUS ransomware tactics to former affiliates of BLACKBASTA, noting the use of similar tools and techniques. CACTUS employs the BackConnect (BC) module for persistent control over infected systems, allowing for data theft and remote command execution.

This week’s briefing covers: KTA080 (CL0P) Update KTA080 has released the names of the previously redacted victim organizations ranging from E-H. Additionally, KTA080 has identified 183 victims’ organization names broadly covering H-W. KTA374 (Salt Typhoon) Telecoms Targeting Update Cisco Talos has released further information on the targeting of telecoms organizations identified in late 2024. This information includes the high level of living-off-the-land techniques used by the threat actor.

February 24, 2025 Cyber Threat Intelligence Briefing This week’s briefing covers: KTA080 (CL0P) Update CL0P has again updated their data leak site with a new list of redacted victim organizations possibly linked to the Cleo vulnerability. The list contains company names beginning with the letters E-H. This follows the current pattern the group has established with releasing redacted names to then later slowly start releasing the actual entity and published data associated with it if the victim organization has not reached out to CL0P.

February 18, 2025 Cyber Threat Intelligence Briefing This week’s briefing covers: CL0P Update CL0P updated their data leak site with a new victim list of approximately 43 organizations. The organizations are likely from the previous redacted list containing company names from C-E and are possibly associated with the Cleo zero-day vulnerability.

This week’s briefing covers: CL0P Update CL0P has released an additional list of 50 possible Cleo victims. The list is similar to its previous tactics of redacting the company names before fully disclosing each organization. 7-Zip Mark-of-the-Web Bypass Vulnerability CVE-2025-0411 actively exploited in Ukraine.

This week’s briefing covers: KTA080 (CL0P) Update Around January 28, 2025, KTA080 (CL0P) updated its data leak site with a new victim list of approximately 49 organizations. The organizations are likely from the previous redacted list that was reported on listings and are possibly associated with the Cleo zero-day vulnerability, but cannot be confirmed since the group does not indicate it in their post.

This week’s briefing covers: CL0P Update The group’s post reads as follows, "DEAR COMPANIES THIS IS THE NEXT LIST WHICH WE HAVE CLOSED FOR THE TIME BEING AND DO NOT SHOW THE NAMES IN FULL IF YOU DO NOT GET IN TOUCH ASAP THE LIST WILL BE OPEN” and continues with the listed victim organizations and ways for the companies to contact the group.

This week’s briefing covers: Kroll Out of Band Published - FortiOS and FortiProxy Kroll Threat Intelligence has published an out of band report on CVE-2024-55591 affecting FortiOS and FortiProxy. The vulnerability has a CVSS score of 9.8 and has been exploited in the wild.