Medusa targets critical vulnerability in Fortra’s GoAnywhere MFT 

A maximum-severity remote code execution flaw in Fortra’s GoAnywhere MFT is being actively exploited in the wild. Threat actors crafted forged requests to trigger deserialization and command injection; Medusa ransomware deployment and data theft have been observed in the resulting intrusions. The Acronis Threat Research Unit (TRU) last observed Medusa in late March 2025.

MFT servers often have privileged access to file shares and automated workflows, so exploitation gives attackers high-value reach into backup targets, sensitive file stores and downstream systems. 

Immediate actions if affected: isolate internet-facing MFT instances, rotate service credentials and keys, enable strict network controls and apply vendor mitigations / emergency patches as published. 

Discord attacked: Hackers use third-party Zendesk to exfiltrate Discord data 

Attackers claim they accessed Zendesk, a third-party support system used by Discord, to exfiltrate user data. After the breach, Discord confirmed ticket data, including nearly 70,000 ID photos, may have been exposed to attackers. 

The apparent initial vector was a compromised third-party support instance or stolen credentials, demonstrating how compromise of a supplier account can lead to mass data exposure even when an organization’s core production systems are never touched.

Victims were exposed to potential identity theft, spear-phishing campaigns and credential stuffing attacks against other services where users reuse emails or passwords. 

Vampire Bot malware targets job applicants with fake open-role listings 

A new campaign distributing Vampire Bot (an information-stealer) uses fake job adverts and recruitment portals to trick candidates into running malware-laden installers or submitting credentials; initial distribution occurs via malvertised recruitment pages and spear-phishing. 

Once installed, Vampire Bot steals saved credentials, session cookies and sensitive files, and can deploy secondary payloads such as RATs. It also exfiltrates resumes and personal information useful for further social engineering. 

The campaign exploits trust in job websites and uses typo-squatted domains and SEO poisoning to surface malicious links to victims searching for roles. 

Japanese beer giant Asahi Group hit with production downtime due to ransomware 

Japan’s Asahi Group suffered a cyber incident that halted production systems at multiple breweries, disrupting order processing and shipping. Production was restarted gradually after the threat was contained and remediated. 

The operational impact included supply shortages, stalled logistics and reputational damage as customers and partners felt the downstream effects of IT compromise. The incident illustrates how OT / IT convergence makes operational systems attractive targets. 

Qilin ransomware group took responsibility for the attack, already publishing some of the stolen sensitive information on their leak site. 

Velociraptor DFIR exploited in sophisticated cyberattack 

Threat actors attributed to Storm-2603 by Talos strike again, abusing the legitimate Velociraptor DFIR tool. The criminals deployed tunnels via Visual Studio Code or other binaries, established persistence and staged ransomware deployment, blurring the line between defender tool usage and attacker tradecraft.

Attackers used msiexec to install Velociraptor from attacker-controlled hosting, then used it to download further tooling and create covert C2 channels. This is a prime example of how criminals use legitimate security tools to evade detection.

This misuse demonstrates why cybersecurity professionals cannot rely solely on tool signatures: behavioral anomalies and execution context (who launched the tool, from where, and with what arguments) must also drive detections.
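As an added example that is not part of the original brief, the Python below sketches the execution-context checks the last two paragraphs call for, run over constructed Sysmon-style process-creation records: it flags msiexec installing a package straight from a remote URL, and a Velociraptor binary running outside its expected install directory or under an unexpected parent. The install directory, expected parent process and sample hostnames are assumptions for a hypothetical environment, not values from the incident.

```python
import re
from urllib.parse import urlparse

# Constructed sample events (Sysmon Event ID 1 style, simplified). Hosts and users are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i https://files.example-cdn.test/velo.msi /qn",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\jdoe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\ProgramData\Deploy\agent.msi /qn",
     "ParentImage": r"C:\Windows\CCM\CcmExec.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": r"C:\Program Files\Velociraptor\Velociraptor.exe",
     "CommandLine": r"Velociraptor.exe --config client.config.yaml client",
     "ParentImage": r"C:\Windows\System32\services.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\Velociraptor.exe",
     "CommandLine": r"Velociraptor.exe --config c.yaml client",
     "ParentImage": r"C:\Windows\System32\msiexec.exe", "User": "CORP\\jdoe"},
]

# Environment-specific baseline (assumed): where the sanctioned Velociraptor agent lives
# and which parent should start it (the service control manager).
EXPECTED_VELO_DIR = "c:\\program files\\velociraptor\\"
EXPECTED_PARENTS = {"c:\\windows\\system32\\services.exe"}

# msiexec told to install (/i or /package) a package fetched over HTTP(S).
REMOTE_MSI = re.compile(r'(?:/i|/package)\s+"?https?://', re.IGNORECASE)
URL = re.compile(r"https?://\S+", re.IGNORECASE)


def check_event(ev):
    """Return a list of human-readable findings for one process-creation event."""
    findings = []
    image = ev["Image"].lower()
    parent = ev["ParentImage"].lower()
    cmd = ev["CommandLine"]
    if image.endswith("\\msiexec.exe") and REMOTE_MSI.search(cmd):
        host = urlparse(URL.search(cmd).group()).hostname
        findings.append(f"msiexec installing package from remote host {host}")
    if image.endswith("\\velociraptor.exe"):
        if not image.startswith(EXPECTED_VELO_DIR):
            findings.append(f"velociraptor.exe running outside expected install dir: {ev['Image']}")
        if parent not in EXPECTED_PARENTS:
            findings.append(f"velociraptor.exe launched by unexpected parent {ev['ParentImage']}")
    return findings


def triage(events):
    """Map event index -> findings for every event that raised at least one."""
    result = {}
    for i, ev in enumerate(events):
        found = check_event(ev)
        if found:
            result[i] = found
    return result
```

Running `triage(SAMPLE_EVENTS)` flags only the remote msiexec install and the Velociraptor copy started from a user's Temp directory; the sanctioned, services.exe-launched agent and the local SCCM-style install pass cleanly.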