Vulnerabilities in SimpleHelp RMM tool exploited by DragonForce ransomware
The DragonForce ransomware gang recently exploited a managed service provider (MSP) by abusing vulnerabilities in the SimpleHelp remote monitoring and management (RMM) tool. Using flaws tracked as CVE-2024-57726, CVE-2024-57727 and CVE-2024-57728, the attackers gained access to the MSP’s systems.
They leveraged SimpleHelp to perform reconnaissance, gathering sensitive details like device names, configurations and user information, before attempting to steal data and deploy ransomware across customer networks. This double-extortion tactic highlights the growing trend of ransomware groups targeting MSPs as high-value gateways. DragonForce, already linked to major U.K. retail breaches, is expanding its reach through a white-label ransomware-as-a-service (RaaS) model.
Notably, CISA has added CVE-2024-57727 to its Known Exploited Vulnerabilities Catalog, based on clear evidence of active exploitation, reinforcing the critical risk posed by these flaws. Earlier this year, researchers and national cybersecurity agencies had also flagged these flaws.
VenomRAT cybercrime campaign uses fake antivirus download website to steal crypto wallets
Researchers have uncovered a new malicious campaign that uses a fake antivirus download website to spread VenomRAT, a remote access trojan.
Victims are tricked into visiting a fraudulent site that initiates malware downloads from a Bitbucket repository connected to an Amazon S3 bucket. The downloaded archive contains VenomRAT along with components from the SilentTrinity post-exploitation toolkit and the StormKitty information stealer. This setup is designed to harvest credentials, steal crypto wallet data, and maintain persistent access to compromised systems. Researchers note that the infrastructure overlaps with other phishing domains targeting banks and IT services, pointing to a broader trend of modular, open-source-based attacks.
In a parallel campaign, fake video conferencing pages are being used to deceive users into executing malicious PowerShell commands. Additionally, attackers are exploiting Google’s AppSheet platform to impersonate major tech brands and harvest two-factor authentication codes through adversary-in-the-middle (AitM) phishing.
State-sponsored Chinese group APT41 uses TOUGHPROGRESS malware to exploit Google Calendar
Researchers have revealed that Chinese state-sponsored group APT41 used a malware called TOUGHPROGRESS, which abuses Google Calendar for command-and-control (C2).
The campaign included spear-phishing emails with ZIP files containing disguised shortcuts and decoy images, initiating infection upon opening. The attack chain deploys three components: PLUSDROP (a DLL loader), PLUSINJECT (used for process hollowing), and TOUGHPROGRESS (the main payload leveraging Google Calendar). Commands were hidden in calendar events, executed by the malware, and the results exfiltrated through the same channel.
Researchers have since dismantled the malicious infrastructure and notified affected organizations. Notably, APT41 had previously misused Google Drive and Sheets in a similar 2023 operation against a Taiwanese media outlet.
Ransomware attack hits leading math computing software company MathWorks, causing service outage
MathWorks, a leading developer of mathematical computing and simulation software, has confirmed that a ransomware attack is the cause of an ongoing service outage. The company has over 6,500 employees in 34 offices worldwide and is trusted by over 100,000 organizations and over five million customers.
The attack impacted both internal IT systems and customer-facing services, including the cloud center, file exchange, license center, and the MathWorks store. While some services have been restored — such as multifactor authentication and account SSO — many customers still report access issues, particularly with new account creation and logins.
MathWorks reported the incident to federal authorities but has not disclosed the name of the ransomware group or whether customer data was compromised. No threat actor has publicly claimed responsibility.
FBI issues warning about extortion group Luna Moth targeting U.S. law firms
The FBI has issued a warning about ongoing social engineering attacks by the Luna Moth extortion group targeting U.S. law firms. Luna Moth, also known as Chatty Spider or Silent Ransom Group (SRG), uses callback phishing emails and fake IT support calls to trick victims into granting remote access.
Victims are lured into calling support numbers from emails about fake invoices, then guided to install remote access tools, giving attackers access to their systems. Once inside, the group steals sensitive data and demands ransom to prevent public leaks or data sales. Since March 2025, they’ve escalated efforts by impersonating internal IT staff and asking employees to join remote sessions via email links or fake websites. They often use legitimate tools like Zoho Assist, AnyDesk or WinSCP for stealthy data exfiltration, making detection harder.
The FBI urges organizations to watch for unusual remote connections, fake subscription emails with callback numbers or unsolicited IT-related calls. A recent report showed Luna Moth registering dozens of fake helpdesk domains (at least 37) to impersonate legal and financial institutions in targeted phishing campaigns.
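Turning the FBI's guidance into a concrete check, as an added example that is not part of the original post or the FBI advisory: the script below scans constructed process-creation records for launches of the remote-access and transfer tools named above (AnyDesk, Zoho Assist, WinSCP, plus SimpleHelp from the first item) on hosts outside an assumed help-desk allowlist, or spawned by a browser or mail client as happens after a callback-phishing download. The record format, host and user names, and file paths are all assumptions.

```python
import re

# Substrings of image names for the remote-access / file-transfer tools named in
# the Luna Moth reporting, matched against the lowercase image path so exact
# executable names (which vary by version) need not be hard-coded.
TOOL_SIGNATURES = {"anydesk": "AnyDesk", "zoho": "Zoho Assist",
                   "winscp": "WinSCP", "simplehelp": "SimpleHelp"}
# Hosts where the help desk legitimately runs remote-support tooling
# (constructed for the example; normally sourced from asset inventory).
APPROVED_HOSTS = {"HELPDESK-01"}
# Parent processes that suggest the tool was run straight from a download or a
# mail link, which is the callback-phishing pattern.
SUSPICIOUS_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"image=(?P<image>\S+) parent=(?P<parent>\S+)$")

def analyze(lines):
    """Return (ts, host, user, tool, reason) for each launch that breaks policy."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip records not in the expected shape
        image = m["image"].lower()
        tool = next((n for k, n in TOOL_SIGNATURES.items() if k in image), None)
        if tool is None:
            continue  # not a remote-access tool we track
        parent = m["parent"].lower().rsplit("\\", 1)[-1]
        reasons = []
        if m["host"] not in APPROVED_HOSTS:
            reasons.append("remote-access tool on a non-help-desk host")
        if parent in SUSPICIOUS_PARENTS:
            reasons.append(f"launched from {parent}")
        if reasons:
            findings.append((m["ts"], m["host"], m["user"], tool, "; ".join(reasons)))
    return findings

# Constructed process-creation records, not real telemetry.
SAMPLE_EVENTS = [
    r"2025-05-28T09:12:03Z host=HELPDESK-01 user=itsupport image=C:\Tools\AnyDesk\AnyDesk.exe parent=C:\Windows\explorer.exe",
    r"2025-05-28T10:41:17Z host=WS-LEGAL-07 user=jdoe image=C:\Users\jdoe\Downloads\AnyDesk.exe parent=C:\Browsers\Edge\msedge.exe",
    r"2025-05-28T10:55:40Z host=WS-LEGAL-12 user=asmith image=C:\Users\asmith\AppData\Local\Temp\WinSCP.exe parent=C:\Windows\explorer.exe",
    r"2025-05-28T11:02:09Z host=WS-LEGAL-12 user=asmith image=C:\Windows\System32\notepad.exe parent=C:\Windows\explorer.exe",
    r"2025-05-28T13:30:55Z host=HELPDESK-01 user=itsupport image=C:\Users\itsupport\Downloads\ZohoAssist-Setup.exe parent=C:\Office\outlook.exe",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(" | ".join(finding))
```

The first record (help-desk host, launched from Explorer) is treated as expected activity; the other three tool launches are reported, each with the policy rule it broke.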