Cybersecurity Roundup: State-Backed Threats, Banking Malware, and Major Takedowns
Recent cybersecurity developments highlight escalating threats from state-sponsored actors, sophisticated banking malware, and large-scale law enforcement operations.
Iran’s Cyber Operations Expand with Criminal Partnerships
Research from Check Point reveals Iran’s Ministry of Intelligence and Security is collaborating with cybercriminal groups to enhance its cyber capabilities. Iranian APTs like Void Manticore are leveraging tools such as the Rhadamanthys infostealer and engaging in ransomware-as-a-service (RaaS) ecosystems. This strategy obscures attribution by sourcing malware, infrastructure, and initial access from underground markets rather than developing proprietary tools.
New Rust-Based Malware Targets Brazilian Banks
Brazilian firm ZenoX uncovered VENON, a Rust-based banking trojan targeting 33 financial institutions in Brazil. The malware spreads via DLL side-loading and ClickFix social engineering, and employs nine evasion techniques. It monitors active windows, hijacks shortcuts, and deploys fake overlays to steal credentials, particularly from Itaú’s banking app. VENON can also reverse the modifications it makes to avoid detection.
England Hockey Investigates Ransomware Breach
The AiLock ransomware gang claims to have stolen 129GB of data from England Hockey, threatening to leak it unless a ransom is paid. The organization, which oversees 800+ clubs and 150,000 players, is working with law enforcement and cybersecurity experts to assess the breach. AiLock, active since April 2025, uses double-extortion tactics and advanced encryption.
Storm-2561 Exploits SEO Poisoning for Credential Theft
Microsoft Threat Intelligence reports that Storm-2561 is distributing fake VPN clients via SEO poisoning. Users searching for legitimate VPN software are redirected to malicious sites hosting ZIP files with MSI installers that side-load the Hyrax infostealer. The malware, digitally signed to appear legitimate, captures VPN credentials and maintains persistence via the Windows RunOnce key.
Hive0163 Deploys AI-Assisted Malware
IBM X-Force researcher Golo Mühr revealed that Hive0163 is using Slopoly, an AI-generated malware, to maintain persistence in ransomware attacks. Deployed via PowerShell scripts and scheduled tasks, Slopoly acts as a backdoor, beaconing system data and executing commands from a C2 server. While AI helped generate structured code, the malware relies on standard persistence techniques. Hive0163 frequently uses ClickFix, malvertising, and access brokers to deliver threats like NodeSnake, Interlock RAT, and Interlock ransomware.
Operation Lightning Disrupts SocksEscort Proxy Network
A multinational law enforcement operation, Operation Lightning, dismantled the SocksEscort residential proxy network. Authorities seized 34 domains and 23 servers across seven countries and froze $3.5 million in cryptocurrency. The service, which infected routers with AVRecon malware, sold access to 369,000 compromised IPs used for fraud, ransomware, and account takeovers. The network had 124,000 users and caused tens of millions in losses.
Veeam Patches Critical RCE Flaws in Backup Software
Veeam released patches for multiple vulnerabilities in its Backup & Replication software, including four critical remote code execution (RCE) flaws that could allow low-privileged users to execute code on backup servers. The bugs also enable privilege escalation and credential theft. Fixes are included in versions 12.3.2.4465 and 13.0.1.2067. Veeam warned that attackers often reverse-engineer patches to target unpatched systems, noting backup servers are prime ransomware targets.
PixRevolution Trojan Hijacks Brazil’s PIX Payments
Researchers at Zimperium discovered PixRevolution, an Android banking trojan that intercepts Brazil’s PIX instant payment system by replacing recipient payment keys during transactions. The malware abuses Android accessibility permissions to monitor screens, stream activity to a command server, and allow real-time intervention by attackers. It spreads via fake Google Play store pages and targets Brazil’s PIX network, used by 76% of Brazilians and processing over three billion transactions monthly.
Source: https://www.linkedin.com/pulse/iran-boosts-cyberattacks-venon-targets-brazilian-banks-england-mypnc
Veeam TPRM report: https://www.rankiteo.com/company/veeam-software
Itaú TPRM report: https://www.rankiteo.com/company/itau
{
  "id": "itavee1773411944",
  "linkid": "itau, veeam-software",
  "type": "Vulnerability",
  "date": "4/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Cybersecurity, Government',
'location': 'Iran',
'name': 'Iran’s Ministry of Intelligence and Security '
'(Collaborators)',
'type': 'Government/Cybercriminal Groups'},
{'industry': 'Banking',
'location': 'Brazil',
'name': 'Brazilian Financial Institutions (33 targets)',
'type': 'Financial Institutions'},
{'industry': 'Sports',
'location': 'England',
'name': 'England Hockey',
'size': '800+ clubs, 150,000 players',
'type': 'Sports Organization'},
{'location': 'Global',
'name': 'Users of Fake VPN Clients',
'type': 'Individuals'},
{'name': 'Hive0163 Targets',
'type': 'Organizations/Individuals'},
{'location': 'Global',
'name': 'SocksEscort Users and Victims',
'size': '124,000 users, 369,000 compromised IPs',
'type': 'Individuals/Organizations'},
{'industry': 'IT, Backup Solutions',
'location': 'Global',
'name': 'Veeam Customers',
'type': 'Organizations'},
{'industry': 'Finance',
'location': 'Brazil',
'name': 'Brazilian PIX Payment Users',
'size': '76% of Brazilians (millions)',
'type': 'Individuals/Organizations'}],
'attack_vector': ['Ransomware-as-a-Service (RaaS)',
'DLL Side-Loading, ClickFix Social Engineering',
'Double-Extortion Ransomware',
'SEO Poisoning, Fake VPN Clients',
'PowerShell Scripts, Scheduled Tasks',
'Malware-Infected Routers (AVRecon)',
'Exploitation of Unpatched Software',
'Fake Google Play Store Pages, Accessibility Permissions '
'Abuse'],
'customer_advisories': ['England Hockey has publicly disclosed the breach '
'investigation.',
'Veeam has released security advisories for '
'customers.'],
'data_breach': {'data_encryption': [None,
None,
'Yes (AiLock ransomware)',
None,
'Yes (Slopoly malware)',
None,
None,
None],
'data_exfiltration': [None,
None,
'Yes (129GB stolen)',
None,
None,
None,
None,
None],
'number_of_records_exposed': [None,
None,
None,
None,
None,
None,
None,
None],
'personally_identifiable_information': [None,
'Yes (banking '
'credentials)',
None,
'Yes (VPN '
'credentials)',
None,
None,
None,
'Yes (PIX payment '
'information)'],
'sensitivity_of_data': [None,
'High (banking credentials)',
'High (unspecified data)',
'High (VPN credentials)',
None,
None,
None,
'High (PIX payment information)'],
'type_of_data_compromised': [None,
'Banking credentials',
'129GB of unspecified data',
'VPN credentials',
None,
None,
None,
'PIX payment information']},
'description': ['Iran’s Ministry of Intelligence and Security is '
'collaborating with cybercriminal groups to enhance its cyber '
'capabilities. Iranian APTs like Void Manticore are '
'leveraging tools such as the Rhadamanthys infostealer and '
'engaging in ransomware-as-a-service (RaaS) ecosystems.',
'VENON, a Rust-based banking trojan, targets 33 financial '
'institutions in Brazil. It spreads via DLL side-loading, '
'ClickFix social engineering, and employs nine evasion '
'techniques to steal credentials, particularly from Itaú’s '
'banking app.',
'The AiLock ransomware gang claims to have stolen 129GB of '
'data from England Hockey, threatening to leak it unless a '
'ransom is paid. The organization is working with law '
'enforcement and cybersecurity experts to assess the breach.',
'Storm-2561 is distributing fake VPN clients via SEO '
'poisoning to deploy the Hyrax infostealer. The malware '
'captures VPN credentials and maintains persistence via the '
'Windows RunOnce key.',
'Hive0163 is using Slopoly, an AI-generated malware, to '
'maintain persistence in ransomware attacks. Deployed via '
'PowerShell scripts and scheduled tasks, Slopoly acts as a '
'backdoor, beaconing system data and executing commands from '
'a C2 server.',
'Operation Lightning dismantled the SocksEscort residential '
'proxy network, seizing 34 domains and 23 servers across '
'seven countries and freezing $3.5 million in cryptocurrency. '
'The network had 124,000 users and caused tens of millions in '
'losses.',
'Veeam patched multiple vulnerabilities in its Backup & '
'Replication software, including four critical remote code '
'execution (RCE) flaws that could allow low-privileged users '
'to execute code on backup servers.',
'PixRevolution, an Android banking trojan, intercepts '
'Brazil’s PIX instant payment system by replacing recipient '
'payment keys during transactions. It spreads via fake Google '
'Play store pages and targets Brazil’s PIX network.'],
'impact': {'brand_reputation_impact': [None,
None,
'Potential reputational damage to '
'England Hockey',
None,
None,
None,
'Potential reputational damage to '
'Veeam',
None],
'data_compromised': [None,
None,
'129GB of data stolen',
None,
None,
None,
None,
None],
'financial_loss': [None,
None,
None,
None,
None,
'Tens of millions in losses',
None,
None],
'identity_theft_risk': [None,
'High (banking credentials)',
None,
'High (VPN credentials)',
None,
None,
None,
'High (PIX payment information)'],
'legal_liabilities': [None,
None,
None,
None,
None,
None,
'Potential legal liabilities for unpatched '
'systems',
None],
'operational_impact': [None,
None,
'England Hockey’s operations under '
'investigation',
None,
None,
'Disruption of SocksEscort proxy network',
None,
None],
'payment_information_risk': [None,
'High (banking credentials)',
None,
None,
None,
None,
None,
'High (PIX payment hijacking)'],
'systems_affected': [None,
'Brazilian financial institutions (33 '
'targets)',
'England Hockey’s systems',
'Users searching for VPN software',
'Systems targeted by Hive0163',
'369,000 compromised IPs (routers)',
'Veeam Backup & Replication servers',
'Android devices in Brazil']},
'initial_access_broker': {'backdoors_established': [None,
None,
None,
None,
'Slopoly malware '
'(backdoor)',
None,
None,
None],
'data_sold_on_dark_web': [None,
None,
None,
None,
None,
'Yes (SocksEscort sold '
'access to compromised '
'IPs)',
None,
None],
'entry_point': [None,
None,
None,
None,
'ClickFix, Malvertising, Access '
'Brokers',
None,
None,
None]},
'investigation_status': ['Ongoing', 'Completed (Operation Lightning)'],
'lessons_learned': ['State-sponsored actors are increasingly collaborating '
'with cybercriminals to obscure attribution.',
'Rust-based malware like VENON demonstrates advanced '
'evasion techniques, requiring enhanced detection '
'mechanisms.',
'Ransomware groups like AiLock use double-extortion '
'tactics, emphasizing the need for robust backup and '
'incident response plans.',
'SEO poisoning remains an effective vector for credential '
'theft, highlighting the importance of user education.',
'AI-generated malware like Slopoly can be used to '
'maintain persistence, necessitating advanced threat '
'detection.',
'Residential proxy networks like SocksEscort pose '
'significant risks for fraud and ransomware, requiring '
'coordinated law enforcement action.',
'Unpatched software vulnerabilities in backup solutions '
'are prime targets for ransomware, underscoring the need '
'for timely patching.',
'Banking trojans like PixRevolution exploit accessibility '
'permissions to hijack transactions, requiring stricter '
'app vetting processes.'],
'motivation': ['Cyber Espionage, Financial Gain (RaaS)',
'Financial Theft (Banking Credentials)',
'Financial Gain (Ransomware)',
'Credential Theft (VPN Credentials)',
'Persistence in Ransomware Attacks',
'Fraud, Ransomware, Account Takeovers',
'Financial Theft (PIX Payment Hijacking)'],
'post_incident_analysis': {'corrective_actions': ['Enhance threat '
'intelligence sharing to '
'detect state-cybercriminal '
'collaborations.',
'Implement MFA and '
'behavioral analytics for '
'banking apps.',
'Maintain offline backups '
'and test incident response '
'plans.',
'Educate users on verifying '
'software legitimacy and '
'avoiding suspicious links.',
'Deploy advanced threat '
'detection for AI-generated '
'malware.',
'Collaborate with law '
'enforcement to dismantle '
'proxy networks.',
'Prioritize patching '
'critical vulnerabilities '
'in backup software.',
'Enforce stricter app '
'vetting and review '
'accessibility '
'permissions.'],
'root_causes': ['Collaboration between '
'state-sponsored actors and '
'cybercriminals to enhance '
'capabilities.',
'Exploitation of DLL side-loading '
'and social engineering for '
'malware delivery.',
'Double-extortion ransomware '
'tactics targeting sports '
'organizations.',
'SEO poisoning to distribute fake '
'VPN clients.',
'Use of AI-generated malware for '
'persistence in ransomware '
'attacks.',
'Malware-infected routers used to '
'create residential proxy '
'networks.',
'Unpatched vulnerabilities in '
'backup software.',
'Abuse of Android accessibility '
'permissions to hijack payments.']},
'ransomware': {'data_encryption': [None,
None,
'Yes',
None,
'Yes',
None,
None,
None],
'data_exfiltration': [None,
None,
'Yes',
None,
None,
None,
None,
None],
'ransom_demanded': [None,
None,
'Yes (unspecified amount)',
None,
None,
None,
None,
None],
'ransomware_strain': [None,
None,
'AiLock',
None,
'Interlock ransomware',
None,
None,
None]},
'recommendations': ['Organizations should monitor for collaborations between '
'state-sponsored actors and cybercriminals, enhancing '
'threat intelligence sharing.',
'Financial institutions should implement multi-factor '
'authentication (MFA) and behavioral analytics to detect '
'banking trojans like VENON.',
'Sports organizations and other entities should maintain '
'offline backups and test incident response plans to '
'mitigate ransomware impacts.',
'Users should verify the legitimacy of software downloads '
'and avoid clicking on suspicious links to prevent SEO '
'poisoning attacks.',
'Organizations should deploy advanced threat detection '
'tools to identify AI-generated malware and monitor for '
'unusual persistence mechanisms.',
'Law enforcement and cybersecurity firms should '
'collaborate to dismantle residential proxy networks and '
'disrupt cybercriminal infrastructure.',
'IT teams should prioritize patching critical '
'vulnerabilities in backup software to prevent ransomware '
'attacks.',
'Mobile users should only download apps from official '
'stores and review accessibility permissions to prevent '
'banking trojan infections.'],
'references': [{'source': 'Check Point Research'},
{'source': 'ZenoX'},
{'source': 'AiLock Ransomware Gang'},
{'source': 'Microsoft Threat Intelligence'},
{'source': 'IBM X-Force (Golo Mühr)'},
{'source': 'Operation Lightning (Multinational Law '
'Enforcement)'},
{'source': 'Veeam Security Advisory'},
{'source': 'Zimperium'}],
'response': {'communication_strategy': [None,
None,
'Public disclosure of breach '
'investigation',
None,
None,
None,
'Security advisory released',
None],
'containment_measures': [None,
None,
None,
None,
None,
'Seizure of 34 domains and 23 servers, '
'freezing $3.5M in cryptocurrency',
None,
None],
'incident_response_plan_activated': [None,
None,
'Yes (England Hockey '
'working with law '
'enforcement and '
'cybersecurity experts)',
None,
None,
None,
None,
None],
'law_enforcement_notified': [None,
None,
'Yes',
None,
None,
'Yes (Multinational law enforcement '
'operation)',
None,
None],
'remediation_measures': [None,
None,
None,
None,
None,
'Dismantling of SocksEscort network',
'Patches released for Veeam Backup & '
'Replication software',
None],
'third_party_assistance': [None,
None,
'Yes (Cybersecurity experts)',
None,
None,
None,
None,
None]},
'threat_actor': ['Void Manticore (Iran’s Ministry of Intelligence and '
'Security)',
'ZenoX (Attributed to VENON)',
'AiLock Ransomware Gang',
'Storm-2561',
'Hive0163'],
'title': ['Iran’s Cyber Operations Expand with Criminal Partnerships',
'New Rust-Based Malware Targets Brazilian Banks',
'England Hockey Investigates Ransomware Breach',
'Storm-2561 Exploits SEO Poisoning for Credential Theft',
'Hive0163 Deploys AI-Assisted Malware',
'Operation Lightning Disrupts SocksEscort Proxy Network',
'Veeam Patches Critical RCE Flaws in Backup Software',
'PixRevolution Trojan Hijacks Brazil’s PIX Payments'],
'type': ['State-Sponsored Cyber Operations',
'Banking Trojan',
'Ransomware',
'Infostealer',
'AI-Assisted Malware',
'Proxy Network Takedown',
'Vulnerability Patch',
'Banking Trojan'],
'vulnerability_exploited': ['AVRecon Malware',
'Critical RCE Flaws in Veeam Backup & Replication '
'Software']}