Zero‑Day Waves & Morphing Lures
When exploits outpace fixes and lures evolve in real time
As April unfolds, the cyber‑threat landscape has shifted into overdrive. In Q1 2025, defenders saw 159 CVEs exploited in the wild—28.3 percent within 24 hours of disclosure—underscoring how rapidly zero‑days can become weaponized.
159 Known Exploited Vulnerabilities (KEVs) were publicly disclosed in Q1-2025
25.8% of KEVs are still awaiting or undergoing analysis by NIST NVD
A CVSS 10 vulnerability now sits side by side with multi‑vector phishing campaigns that morph DNS records and masquerade as “can't‑miss” event invites. Meanwhile, state‑aligned actors are embedding stealthy loaders into everything from middleware to network protocols. In this issue, we unpack these emerging attack vectors and outline the layered defenses required to stay one step ahead.
Cyber Espionage Served to EU Diplomats at Wine-Tasting Event
APT29, the Russian-linked cyber espionage group, is back with a new campaign targeting European diplomatic entities. The campaign employs a new backdoor called GRAPELOADER, delivered through sophisticated phishing tactics.
The campaign uses lures centered around seemingly innocuous wine-tasting events, enticing targets, including non-European countries' embassies in Europe, to click on malicious links. These links then lead to the deployment of GRAPELOADER.
APT29, also known as Midnight Blizzard or Cozy Bear, has a long history of targeting high-profile organizations, including government agencies and think tanks. Their operations are characterized by a wide range of techniques, from targeted phishing to large-scale supply chain attacks, and they utilize both custom and commercial malware. The group is also linked to the infamous SolarWinds supply chain attack.
This latest campaign reveals a concerning evolution in APT29's tactics. Researchers have also uncovered a new variant of their existing WINELOADER malware. The compilation timestamp and similarities to GRAPELOADER suggest this new WINELOADER version is likely used in a later stage of the attack chain.
Significantly, GRAPELOADER represents a step up in sophistication. It replaces the older "RootSaw" HTA loader, demonstrating a shift towards stealthier and more advanced techniques. While the older WINELOADER used function inlining for string decryption and lacked strict memory cleanup, the new variant, like GRAPELOADER, employs a more robust approach:
🔴It retrieves an encrypted byte blob.
🔴It decrypts this blob using the RC4 algorithm.
🔴It immediately zeroes out the decrypted memory after use, leaving less plaintext behind for forensic recovery and making analysis more difficult.
APT29's tactics and toolset are constantly evolving, becoming increasingly stealthy and sophisticated. This necessitates a multi-layered defense strategy and heightened vigilance to effectively detect and thwart their attacks.
As tax season looms, a surge of phishing campaigns is exploiting the urgency and anxiety surrounding filing deadlines to steal credentials and deploy a barrage of malware. These attacks, leveraging a mix of social engineering tactics and sophisticated delivery methods, paint a picture of threat actors capitalizing on a predictable annual vulnerability.
The campaigns employ a variety of lures, including PDFs, QR codes, and fake DocuSign pages, all designed to trick victims into divulging sensitive information or downloading malicious payloads. The resulting infections deliver a range of malware, from credential-stealing tools like Latrodectus and Brute Ratel to remote access trojans (RATs) such as Remcos, and other threats like AHKBot and GuLoader.
One particularly aggressive campaign, targeting US users ahead of the tax filing deadline, has been attributed to Storm-0249, a known initial access broker with a history of distributing notorious malware families like BazaLoader, IcedID, Bumblebee, and Emotet. This campaign demonstrates a clear focus on exploiting the tax season for maximum impact.
Key tactics:
🔴Using the urgency of tax season to entice victims into opening malicious attachments or clicking on phishing links.
🔴Employing a variety of delivery methods, such as PDFs, QR codes, and fake DocuSign pages, to bypass initial security checks.
🔴Utilizing phishing-as-a-service (PhaaS) platforms such as RaccoonO365 to streamline and scale attacks.
🔴Deploying a range of malware, including RATs, credential stealers, and botnets.
🔴Using URL shorteners, QR codes, file-hosting services, and business profile pages to obfuscate malicious links.
🔴Focusing attacks on specific regions, such as the United States, during tax filing periods.
🔴Faking email addresses and subjects to appear as legitimate entities like the IRS.
To mitigate these threats, organizations and individuals are urged to:
✅Emphasize the importance of protecting personal and business information, identifying phishing lures, and reporting suspicious activity.
✅Enforce MFA on all accounts and ensure its consistent use across all devices and locations.
✅Teach users to verify website URLs before entering credentials.
✅Enable network protection to block access to known malicious domains and content.
✅Promote a cyber-aware culture through training and simulations.
In a proactive approach, Cytex is offering its Gamified Phishing simulation and security training module free of charge, underscoring the importance of cyber awareness in combating these evolving threats.
CVSS 10.0 Alert: CVE-2025-32433
This flaw allows a remote, unauthenticated attacker with network access to an Erlang/OTP SSH server to execute arbitrary code. The implications of successful exploitation are dire. Attackers can achieve arbitrary code execution within the context of the SSH daemon, enabling them to:
🔴Install ransomware.
🔴Siphon off sensitive data.
The severity escalates dramatically if the SSH daemon process is running as root. In such cases, an attacker gains complete control of the affected device, paving the way for:
⚠️Unauthorized access to and manipulation of sensitive data.
⚠️Denial-of-service (DoS) attacks.
⚠️Full compromise of hosts.
Essentially, any system running an SSH server based on the Erlang/OTP SSH library is potentially at risk, and swift action is crucial to mitigate potential damage. The most critical action is to update to the latest versions of Erlang/OTP as soon as possible. If immediate updates are not feasible, organizations must restrict SSH port access to only authorized users.
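To act on the "any system running an Erlang/OTP SSH server" point, the inventory script below is an added example (not from the advisory or the newsletter). It assumes the Erlang ssh application announces itself with the identification prefix SSH-2.0-Erlang/ and uses constructed banners in place of live hosts:

```python
import socket

# Erlang's ssh application identifies itself with this software-version prefix
# (assumption stated in the lead-in); everything else is treated as "other SSH".
ERLANG_PREFIX = "SSH-2.0-Erlang/"

def classify_banner(banner: str) -> dict:
    """Parse an SSH identification string (RFC 4253 section 4.2) and flag Erlang/OTP."""
    line = banner.strip().splitlines()[0] if banner.strip() else ""
    if not line.startswith("SSH-"):
        return {"ssh": False, "erlang": False, "version": None}
    is_erlang = line.startswith(ERLANG_PREFIX)
    version = line[len(ERLANG_PREFIX):].split()[0] if is_erlang else None
    return {"ssh": True, "erlang": is_erlang, "version": version}

def grab_banner(host: str, port: int = 22, timeout: float = 3.0) -> str:
    """Read only the server's identification line; no key exchange, no login."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        data = b""
        while b"\n" not in data and len(data) < 255:
            chunk = s.recv(64)
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", errors="replace")

def find_erlang_ssh(targets, fetch=grab_banner) -> list:
    """Return (host, port, ssh_app_version) for targets running Erlang/OTP ssh.
    `fetch` is injectable so the inventory can also run over recorded banners."""
    hits = []
    for host, port in targets:
        try:
            info = classify_banner(fetch(host, port))
        except OSError:
            continue  # closed port or timeout: nothing to classify
        if info["erlang"]:
            hits.append((host, port, info["version"]))
    return hits

# Constructed banners standing in for live hosts, so the script runs offline.
SAMPLE_BANNERS = {
    ("10.0.0.5", 22): "SSH-2.0-Erlang/5.2.9\r\n",
    ("10.0.0.6", 22): "SSH-2.0-OpenSSH_9.6\r\n",
    ("10.0.0.7", 2222): "SSH-2.0-Erlang/5.1.4\r\n",
}

if __name__ == "__main__":
    print(find_erlang_ssh(SAMPLE_BANNERS, fetch=lambda h, p: SAMPLE_BANNERS[(h, p)]))
```

Against a real network, pass a list of (host, port) pairs and leave `fetch` at its default so `grab_banner` is used.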
A China-aligned advanced persistent threat (APT) group known as TheWizards is employing a sophisticated attack chain that leverages IPv6 to conduct adversary-in-the-middle (AiTM) attacks. This campaign highlights a concerning trend: the increasing weaponization of networking protocols in advanced cyberattacks.
TheWizards utilize a tool called Spellbinder, which enables these AiTM attacks through IPv6 Stateless Address Autoconfiguration (SLAAC) spoofing. This technique allows the attackers to move laterally within a compromised network, intercepting network packets and, crucially, redirecting traffic from legitimate Chinese software applications. The attackers manipulate these software updates, delivering malicious payloads from their own controlled servers instead of the intended, legitimate sources.
This attack serves as a delivery mechanism for a malicious downloader, which, in turn, deploys a modular backdoor dubbed WizardNet. The Spellbinder tool is the key to this process, effectively redirecting traffic to an attacker-controlled server to deliver WizardNet. This backdoor grants the attackers persistent and unauthorized access to the compromised systems, allowing for further malicious activities, such as data exfiltration, espionage, and potentially further lateral movement.
The scope of TheWizards' operations is significant. Their targets include gambling companies, individuals, and other entities in the United Arab Emirates (UAE) 🇦🇪, Cambodia, the Philippines 🇵🇭, mainland China 🇨🇳, and Hong Kong. The Spellbinder AiTM tool has been actively used by this threat actor since at least 2022, indicating a sustained and ongoing campaign.
Interestingly, TheWizards deploy different backdoors depending on the target operating system. While they use WizardNet for Windows systems, their hijacking server is also configured to deliver DarkNights to updating applications running on Android devices. This multi-platform approach demonstrates the group's versatility and broad targeting strategy.
Further investigation has revealed a potential link between TheWizards APT group and a company called Dianke Network Security. Evidence suggests that Dianke Network Security may be acting as a digital quartermaster, providing support or resources to TheWizards. This connection warrants further scrutiny and highlights the complex relationships that can exist between state-sponsored APT groups and private sector entities.
This campaign underscores several critical takeaways for cybersecurity professionals:
⚠️ The increasing adoption of IPv6 necessitates a renewed focus on its security implications. Attackers are actively exploring and exploiting vulnerabilities in IPv6 implementations, as demonstrated by TheWizards' use of SLAAC spoofing. Organizations must ensure their networks are properly configured and secured to mitigate these risks.
⚠️ This attack exemplifies a sophisticated supply chain attack, where attackers compromise legitimate software update mechanisms to deliver malware. Organizations need robust mechanisms to verify the integrity of software updates and protect against such manipulation.
⚠️ The use of AiTM attacks for lateral movement highlights the importance of network segmentation and zero-trust security architectures. Limiting the ability of attackers to move within a network can significantly reduce the impact of a successful breach.
⚠️ Identifying and attributing APT activity can be extremely challenging, as these groups often employ sophisticated techniques to obfuscate their operations. The potential link to Dianke Network Security illustrates the complexities involved in uncovering the true sponsors and motivations behind these attacks.
The threat posed by TheWizards APT group and their use of Spellbinder is a serious concern. Organizations, particularly those in targeted regions and sectors, must take proactive steps to defend against these advanced attacks. This includes strengthening network security, implementing robust software update verification processes, and staying informed about the latest APT activity.
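As an added example of what the SLAAC-spoofing defence looks like on the wire (not code from the researchers or the newsletter), the parser below reads a raw ICMPv6 Router Advertisement and flags one that offers a default route or DNS servers from a link-local source not on a router allowlist; the IPv6 source address is supplied by the caller and the sample packet is constructed:

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type
OPT_PREFIX_INFO = 3      # RFC 4861 Prefix Information option
OPT_RDNSS = 25           # RFC 8106 Recursive DNS Server option

def parse_ra(payload: bytes) -> dict:
    """Extract router lifetime, advertised prefixes and RDNSS servers from an RA."""
    if len(payload) < 16 or payload[0] != ND_ROUTER_ADVERT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    router_lifetime = struct.unpack("!H", payload[6:8])[0]
    prefixes, dns, off = [], [], 16
    while off + 8 <= len(payload):          # walk the TLV options after the header
        otype, olen = payload[off], payload[off + 1] * 8
        if olen == 0 or off + olen > len(payload):
            raise ValueError("malformed ND option")
        body = payload[off + 2:off + olen]
        if otype == OPT_PREFIX_INFO and olen == 32:
            prefixes.append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif otype == OPT_RDNSS:
            for i in range(6, len(body) - 15, 16):   # addresses follow reserved+lifetime
                dns.append(str(ipaddress.IPv6Address(body[i:i + 16])))
        off += olen
    return {"router_lifetime": router_lifetime, "prefixes": prefixes, "rdnss": dns}

def is_rogue_ra(src_ip: str, payload: bytes, allowed_routers: set) -> bool:
    """Flag an RA that offers a default route or DNS servers from a source that is
    not a known router: that is what a SLAAC-spoofing host looks like on the wire."""
    ra = parse_ra(payload)
    offers = ra["router_lifetime"] > 0 or bool(ra["rdnss"])
    return offers and src_ip not in allowed_routers

def build_sample_ra(prefix: str, dns: str, lifetime: int = 1800) -> bytes:
    """Constructed RA (header + prefix option + RDNSS option) for offline testing."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, lifetime, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                      2592000, 604800, 0) + net.network_address.packed
    rdnss = struct.pack("!BBHI", OPT_RDNSS, 3, 0, lifetime) + ipaddress.IPv6Address(dns).packed
    return hdr + pio + rdnss

if __name__ == "__main__":
    ra = build_sample_ra("2001:db8:1::/64", "2001:db8::53")
    for src in ("fe80::1", "fe80::d00d"):
        print(src, parse_ra(ra), "ROGUE" if is_rogue_ra(src, ra, {"fe80::1"}) else "ok")
```

The same check is what switch-level RA Guard enforces; running it over captured traffic shows whether unexpected hosts are advertising routes or resolvers on a segment.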
The Marks & Spencer (M&S) cyberattack that caused widespread disruption was indeed a ransomware attack. Last Tuesday, M&S confirmed the cyberattack, which resulted in significant disruptions to services, including contactless payments and online ordering. The impact of this attack continues, with reports indicating that approximately 200 warehouse workers have been asked to stay home as the company works to recover its systems. The ongoing outages are a direct result of the ransomware attack, which encrypted M&S's servers.
The timeline of the attack indicates that the threat actors may have gained initial access to M&S systems as early as February. Reports suggest that the attackers stole the Windows domain's NTDS.dit file, a critical database containing domain credentials.
M&S engaged security experts to investigate and respond to the attack. The investigation has now attributed the ransomware attack to a hacking collective known as "Scattered Spider," also tracked by Microsoft as Octo Tempest.
Scattered Spider is a notorious group known for its sophisticated and aggressive tactics. They have been observed acting as affiliates for various ransomware operations, including RansomHub, Qilin, and now DragonForce. Researchers commonly attribute attacks to Scattered Spider based on a distinct set of indicators of compromise (IOCs), which include:
🔴Credential-stealing phishing attacks specifically targeting Single Sign-On (SSO) platforms.
🔴Social engineering attacks involving impersonation of IT help desk personnel.
🔴A range of other social engineering and exploitation tactics.
This attribution highlights the severity and complexity of the attack against M&S. Scattered Spider's involvement suggests a highly organized and skilled adversary, capable of causing significant damage and disruption.
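A detection for the NTDS.dit theft reported above, written as an added example (not code from the investigation or the newsletter): it scans constructed process-creation events in JSON form (field names mirror Windows event 4688 / Sysmon event 1) for shadow-copy creation and access to the Active Directory database file:

```python
import json
import re

# Each rule is (name, pattern over the lower-cased command line). The patterns
# follow public detection guidance for credential-database theft (MITRE T1003.003).
RULES = [
    ("vss_shadow_copy_created",
     re.compile(r"\b(vssadmin|diskshadow|wmic shadowcopy)\b.*\bcreate\b")),
    ("ntds_database_access", re.compile(r"ntds\.dit|\bntdsutil\b")),
]

def match_event(event: dict) -> list:
    """Return the names of every rule that fires for one process-creation event."""
    cmd = event.get("CommandLine", "").lower()
    return [name for name, pat in RULES if pat.search(cmd)]

def scan_events(lines) -> list:
    """Return (time, host, user, rules) for each JSON event that trips a rule;
    lines that are not valid JSON are skipped rather than aborting the scan."""
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        hits = match_event(ev)
        if hits:
            alerts.append((ev.get("TimeCreated"), ev.get("Computer"),
                           ev.get("SubjectUserName"), hits))
    return alerts

# Constructed events: timestamps, hostname and account are invented for the demo.
SAMPLE_LOG = r"""
{"TimeCreated":"2025-02-14T03:12:07Z","Computer":"DC01","SubjectUserName":"helpdesk-svc","CommandLine":"C:\\Windows\\System32\\notepad.exe"}
{"TimeCreated":"2025-02-14T03:15:41Z","Computer":"DC01","SubjectUserName":"helpdesk-svc","CommandLine":"vssadmin.exe create shadow /for=C:"}
not json at all
{"TimeCreated":"2025-02-14T03:16:09Z","Computer":"DC01","SubjectUserName":"helpdesk-svc","CommandLine":"cmd.exe /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit C:\\Temp\\n.dit"}
"""

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_LOG.strip().splitlines()):
        print(alert)
```

Shadow-copy creation alone is routine on backup hosts; the signal worth paging on is both rules firing on a domain controller within minutes of each other under a help-desk or service account, as the sample shows.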
The ongoing service disruptions at Marks & Spencer (M&S), impacting contactless payments and Click & Collect during peak trading, serve as a stark reminder of the escalating cyber threats facing businesses. Furthermore, gift card payments are also affected due to technical difficulties, as confirmed by a company representative on X (formerly Twitter). These disruptions caused considerable chaos during the Easter break, prompting M&S to issue an apology to frustrated customers demanding answers about the nationwide payment outages.
While the specific nature of the M&S incident is under investigation, it aligns with a concerning trend. Recent data shows 43% of UK businesses experienced a cyber breach in the past year; this figure increases sharply to 70% and 74% for medium and large enterprises, highlighting the persistent targeting of organizations with substantial customer data and operational infrastructure. Recent high-profile cases have involved other major organizations, including Transport for London, Royal Mail, and WH Smith.
M&S has engaged cybersecurity experts to investigate the incident and secure its systems. Investigations are currently ongoing. While M&S has notified data protection supervisory authorities and the National Cyber Security Centre (NCSC), specific details about the nature of the cyber incident have not been disclosed. The consequences extend beyond immediate operational disruption, encompassing recovery costs and reputational damage.
As of now, no ransomware gangs or other threat actors have claimed responsibility for the attack. It's possible that this is due to the attackers attempting to pressure M&S into paying an extortion demand. If ransomware is indeed involved, it is likely that data has been stolen and could be used as additional leverage to compel payment.
The M&S incident should serve as a catalyst for C-suite executives to reassess their organization's cybersecurity posture, ensuring resilient systems and proactive defense mechanisms are in place to mitigate the growing risk of business-impacting cyberattacks.
Strengthening Our Intellectual Property
Cytex continues to expand its leadership in cybersecurity through a growing portfolio of patents. We’re proud to build on our intellectual property with two foundational patents now in force:
US-12149415-B2 – System and Method for Telemetry Analysis of a Digital Twin
US-20220394061-A1 – System and Method for Monitoring Data Disclosures
These patents underpin critical innovations in digital‑twin analytics and real‑time oversight of data flows, reinforcing our commitment to deliver innovative security solutions to enterprise customers.
Navigating CMMC Compliance – Insights, Benefits, and Solutions
You’re invited to an exclusive Cytex webinar on Navigating CMMC Compliance, hosted by CEO Andrew Surwilo, and featuring JD McCabe, Chief of Compliance at Marsh, and Dr. Rick Hansen, Lead CMMC Assessor at APS Global. If CMMC certification is on your roadmap, learn about practical solutions to accelerate your certification journey. Engage with top experts and tackle the CMMC certification challenges with confidence.
Hosted by: Andrew Surwilo, CEO Cytex Inc.
Featuring: JD McCabe (Marsh), Dr. Rick Hansen (Lead CMMC Assessor, APS Global)
Target Audience: DoD Contractors, Managed Service Providers (MSPs), Managed Security Service Providers (MSSPs)
Duration: 45 minutes
Date: June 4th 2PM ET
Cytex provides AI powered cybersecurity, risk management, and compliance operations in a unified resilience platform.
Interested? Find out more at → https://cytex.io