MSP cybersecurity news digest, May 26, 2025

Wisconsin wireless provider Cellcom suffers extended outages due to cyberattack


Cellcom, a wireless provider in Wisconsin with 400 employees and an annual revenue of $170 million, has confirmed that a cyberattack was behind the widespread service outage. The attack affected voice and SMS services across Wisconsin and Upper Michigan, leaving many users unable to communicate.

After days of calling it a technical issue, CEO Brighid Riordan acknowledged it was a cyber incident, stating that Cellcom had plans in place and followed established protocols. These included engaging external cybersecurity experts, notifying the FBI and local officials, and working continuously to restore services.

The affected systems were separate from those storing sensitive customer data, and there is currently no evidence that personal information was compromised. Although data services, iMessage, RCS and 911 remained functional, users were frustrated, particularly by the inability to port numbers during the disruption. The full restoration timeline remains uncertain.


CISA and FBI issue joint warning that LummaC2 malware remains an ongoing threat to U.S. infrastructure


In parallel with the global takedown of Lumma Stealer's infrastructure, CISA and the FBI issued a joint Cybersecurity Advisory warning that LummaC2 remains an active threat to U.S. critical infrastructure, with IOCs observed from November 2023 to May 2025.

The international operation, involving the FBI, Europol, and cybersecurity firms, dismantled 2,300 domains used as command-and-control hubs for the malware. Lumma, active since late 2022, was responsible for roughly 10 million infections, stealing credentials, browser data, and cryptocurrency seed phrases. Sold under a malware-as-a-service model, it offered subscription tiers up to $20,000, including source code and resale rights. The malware was distributed via phishing, malvertising and cracked software, with spoofed downloads used to lure victims.

Researchers identified nearly 400,000 infected Windows devices in just two months of 2025. The malware’s developer, “Shamel,” marketed it through Telegram and equipped it with advanced obfuscation and fake cloud-hosted reCAPTCHA lures. Despite the takedown, experts caution that Lumma’s operators may adapt their methods and attempt to reestablish their operations.


SideWinder APT targets South Asian ministries using malicious spear-phishing emails


A new cyber-espionage campaign by the SideWinder APT group has targeted high-level government bodies in Sri Lanka, Bangladesh and Pakistan.

The attackers used spear-phishing emails containing malicious documents that exploit outdated Microsoft Office flaws (CVE-2017-0199 and CVE-2017-11882) to deliver the StealerBot malware. Victims included Bangladesh’s Ministry of Defence and Finance, Pakistan’s Directorate of Indigenous Technical Development, and Sri Lanka’s Central Bank and Ministry of Defence. The attacks were highly targeted, with geofenced payloads ensuring only specific IP addresses received the malware. If a target didn’t match the criteria, they were served a harmless decoy document instead.

StealerBot is a .NET-based implant capable of launching a reverse shell, stealing passwords and keystrokes and dropping additional malware. The threat actor showed strong operational discipline, with precise, short-lived campaigns designed for stealth and effectiveness.


Ransomware group Nefarious Mantis causes system-wide outage at Ohio-based Kettering Health


Kettering Health, which operates 14 hospitals and over 120 outpatient facilities in Ohio, suffered a system-wide outage following a ransomware attack. The cyberattack disrupted patient care systems and forced the cancellation of elective inpatient and outpatient procedures scheduled for May 20.

While emergency rooms and clinics remain open, the organization’s call center is currently offline, limiting communication with patients. Kettering Health also warned about scam calls impersonating staff and temporarily suspended all phone-based payment requests as a precaution.

Researchers linked the incident to a ransomware group called Nefarious Mantis, part of the Interlock cluster known for targeting U.S. health care providers. The group allegedly left a ransom note threatening to leak sensitive data unless a ransom is paid, although no data has yet been published. CNN reported that Interlock is likely responsible, but the group hasn’t officially claimed the breach on its dark web leak site. Kettering Health has not confirmed whether any patient data was stolen and has declined to share further details about the attack.


Saudi organization hit in multi-year attack by China-linked UnsolicitedBooker backdoor


Researchers uncovered cyberattacks by a China-linked group named UnsolicitedBooker, which used a new backdoor called MarsSnake to target an international organization in Saudi Arabia.

The group launched spear-phishing campaigns using fake flight ticket emails, impersonating Saudia Airlines, to deliver malicious Microsoft Word documents containing macros. These documents executed code that dropped a loader for MarsSnake, enabling remote control via a command-and-control server. UnsolicitedBooker has previously used backdoors like Chinoxy, DeedRAT, Poison Ivy, and BeRAT, and shows similarities to groups like Space Pirates and others behind the Zardoor malware. Researchers noted repeated attacks on the same Saudi organization from 2023 to 2025, indicating persistent targeting.

Meanwhile, another Chinese group, PerplexedGoblin (APT31), deployed the NanoSlate espionage backdoor against a Central European government. Researchers also reported ongoing operations by DigitalRecyclers, associated with APT15, which continues to target EU entities using advanced backdoors like HydroRShell. MarsSnake and HydroRShell enable attackers to execute arbitrary commands, access files and maintain long-term control over infected systems.