May 19, 2025 Cyber Threat Intelligence Briefing

This week’s briefing covers:

00:00 - Intro and Situational Awareness

Coinbase Insider Threat Leads to Theft of Customer Data
Coinbase has released a blog post and filed an SEC Form 8-K reporting an incident in which the company received an email attempting to extort it for $20m. According to the post, the threat actors approached customer support staff and “used cash offers to convince a small group of insiders to copy data in our customer support tools”. The stolen data includes personal details such as identity documents, and account data such as balances and transaction history.

01:58 [GEOPOLITICAL ACTIVITY] Pakistan-Linked Actors SIDECOPY (KTA460) Expand Targets in India with CURLBACK RAT
Key Takeaways

  • A new remote access trojan, CURLBACK RAT, has been identified in recent attacks, capable of deep system reconnaissance and command execution.
  • Indian sectors such as railways, oil and gas, and external affairs have been newly targeted, reflecting a strategic expansion beyond defense.
  • Attackers have moved to using Microsoft Installer (MSI) files instead of HTAs for staging attacks, indicating a shift toward more evasive techniques.
  • Multiple RATs, including SPARK RAT and XENO RAT, are being deployed across Windows and Linux systems.
  • The attackers use phishing emails with themed decoy documents, including fake holiday lists and security notices.

03:57 [PATCHING] Microsoft Patch Tuesday Addresses 85 Issues, Five Zero-Days
Microsoft has fixed 85 vulnerabilities in May’s patch cycle and Microsoft Edge releases.
The patches address:

  • Elevation of Privilege Vulnerabilities: 20
  • Security Feature Bypass Vulnerabilities: 2
  • Remote Code Execution Vulnerabilities: 29
  • Information Disclosure Vulnerabilities: 16
  • Denial of Service Vulnerabilities: 7
  • Spoofing Vulnerabilities: 3
  • Edge - Chromium Vulnerabilities: 6

07:00 Critical Fortinet Vulnerability Exploited in the Wild
A stack-based overflow vulnerability in FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests.
Fortinet states in their advisory that this vulnerability has been exploited against FortiVoice.

08:42 Two Zero-Day Ivanti Vulnerabilities Exploited in the Wild
Ivanti has released patches for Endpoint Manager Mobile (EPMM) that address one medium-severity and one high-severity vulnerability. When chained together, successful exploitation could lead to unauthenticated remote code execution.

10:28 Second Zero-Day Vulnerability Identified in SAP NetWeaver
SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user uploads untrusted or malicious content which, when deserialized, could lead to a compromise of the confidentiality, integrity and availability of the host system. Exploitation requires the VisualComposerUser role.

12:32 [RANSOMWARE ROUNDUP] DoppelPaymer Arrest
Key Takeaways

  • A 45-year-old foreign national was arrested in Moldova for suspected involvement in DoppelPaymer ransomware attacks. The arrest was supported by Dutch law enforcement.
  • Authorities confiscated laptops, mobile devices, storage media, bank cards, an electronic wallet and EUR 84,800 (USD 94,000) in cash.
  • The suspect is linked to a 2021 ransomware attack on the Dutch Research Council (NWO), which resulted in EUR 4.5 million (USD 5 million) in damages. NWO did not pay the ransom, and the attackers published stolen files online.
  • DoppelPaymer is a variant of BitPaymer ransomware which has been used in attacks on critical infrastructure, healthcare, and education sectors.
  • In 2023, coordinated operations by Germany, Ukraine, the FBI, Europol and Dutch authorities targeted the DoppelPaymer group. Eleven individuals were identified, with some detained.
  • Three key suspects, Igor Turashev, Irina Zemlianikina and Igor Garshin, remain at large in Russia.

Dive deeper:

Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/cti-spotlight-trends-report

Kroll’s Q3 2024 Threat Landscape Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q3-2023-threat-landscape-report-social-engineering

Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: Cyber Threat Intelligence Briefings

Kroll Cyber Blog: https://www.kroll.com/en/insights/publications/cyber

Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber-risk/managed-security/threat-intelligence-services

Kroll Threat Intelligence Reports: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports

Kroll Responder MDR: https://www.kroll.com/en/services/cyber-risk/managed-security/kroll-responder

#krollcyber #threatintelligence #cyberthreats