Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.
In an April 2 press release, Europol announced that Kidflix—“one of the largest platforms used to host, share, and stream child sexual abuse material (CSAM) on the dark web”—was shut down in an international operation dubbed “Operation Stream.” The investigation was led by the State Criminal Police of Bavaria (Bayerisches Landeskriminalamt) and the Bavarian Central Office for the Prosecution of Cybercrime (ZCB), and was supported by Europol. The platform was taken down on March 11 by German and Dutch authorities.
In a March 28 report, researchers at Cisco Talos revealed an ongoing phishing campaign believed to be carried out by the Russian hacking group Gamaredon against entities in Ukraine. The campaign uses malicious LNK files compressed inside ZIP archives and disguised as Microsoft Office documents featuring Russian words “related to the movement of troops in Ukraine.” As noted in the report, “The PowerShell downloader contacts geo-fenced servers located in Russia and Germany to download the second stage Zip file containing the Remcos backdoor.”
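The lure described above (a Windows shortcut inside a ZIP, named to look like an Office document) is easy to screen for at a mail gateway or in a triage script. The following is an added example written for this recap; it is not code from the Talos report or from the campaign. It builds a small ZIP in memory with constructed entries, then flags any member that either carries a `.lnk` extension stacked behind an Office-style extension or begins with the Shell Link header (HeaderSize 0x4C followed by the LinkCLSID `00021401-0000-0000-C000-000000000046`), so a shortcut renamed to a benign extension is caught as well. The `OFFICE_EXTS` list and the sample file names are assumptions for the demonstration.

```python
import io
import zipfile

# First 20 bytes of a Shell Link (.lnk) file: HeaderSize (0x4C, little-endian)
# followed by LinkCLSID 00021401-0000-0000-C000-000000000046 in GUID byte order.
LNK_MAGIC = (
    b"\x4c\x00\x00\x00"
    b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
)

# Assumed list of "document-looking" extensions a lure might stack in front of .lnk.
OFFICE_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf", ".pdf")


def classify_entry(name: str, head: bytes) -> list:
    """Return the reasons (if any) an archive member looks like a disguised shortcut."""
    reasons = []
    lower = name.lower()
    if lower.endswith(".lnk"):
        reasons.append("lnk-extension")
        stem = lower[:-4]
        if stem.endswith(OFFICE_EXTS):
            # e.g. "report.docx.lnk": Explorer hides the final .lnk, showing "report.docx"
            reasons.append("office-double-extension")
    if head.startswith(LNK_MAGIC):
        reasons.append("lnk-header")
        if not lower.endswith(".lnk"):
            # Content is a shortcut but the name claims otherwise.
            reasons.append("lnk-header-extension-mismatch")
    return reasons


def scan_zip(data: bytes) -> dict:
    """Map suspicious member names to their reasons; only the first 20 bytes are read."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: two disguised shortcuts and one harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.docx.lnk", LNK_MAGIC + b"\x00" * 40)  # double extension
        zf.writestr("notes.txt", b"plain text, nothing to see")   # benign
        zf.writestr("invoice.pdf", LNK_MAGIC + b"\x00" * 40)      # shortcut renamed .pdf
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()).items():
        print(f"{member}: {', '.join(why)}")
```

Reading only the header keeps the check cheap on large archives, and matching on content rather than name alone is what closes the renamed-shortcut gap; in practice the same logic drops straight into a mail filter or a sandbox pre-screen that already unpacks attachments.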
Researchers have observed a cryptocurrency and bulk email phishing campaign dubbed “PoisonSeed” that is compromising corporate email marketing accounts. As noted by BleepingComputer, the campaign utilizes the compromised accounts to “distribute emails containing crypto seed phrases used to drain cryptocurrency wallets.” A report from Silent Push reveals that targeted crypto companies have included Coinbase and Ledger, while the targeted bulk email providers include Mailchimp, SendGrid, Hubspot, Mailgun, and Zoho.
On April 15, the notorious imageboard 4chan was taken offline after suffering what is believed to be a hack carried out by a competing imageboard. As noted by BleepingComputer, users on the lesser-known imageboard Soyjak.party have since claimed responsibility for the attack and leaked screenshots of “admin panels and a list of emails allegedly belonging to 4chan admins, moderators, and janitors.” Significantly, the administration panels and maintenance tools the hacker claims to have access to would allow them to gain access to users’ locations and IP addresses.
Researchers at Check Point have identified an advanced phishing campaign targeting diplomatic entities across Europe. According to Check Point’s April 15 report, the campaign is being carried out by the Russian state-sponsored threat actor APT29, also known as Midnight Blizzard and Cozy Bear. The newly identified campaign utilizes a new variant of WINELOADER and a new malware loader codenamed GRAPELOADER. The campaign functions by impersonating “a major European foreign affairs ministry to distribute fake invitations to diplomatic events—most commonly, wine tasting events.”
On April 18, 2025, the Federal Bureau of Investigation (FBI) released a public service announcement warning of an ongoing fraud scheme in which scammers are impersonating FBI Internet Crime Complaint Center (IC3) employees. According to the announcement, the FBI has received more than 100 reports of such impersonation scams between December 2023 and February 2025. The scammers have been observed impersonating IC3 employees while offering to assist victims of fraud.
In an April 7 press release, Spain’s Policía Nacional announced the arrest of six individuals affiliated with a criminal organization behind a large-scale cryptocurrency investment scam that defrauded 19 million Euros from 208 victims worldwide. The joint Policía Nacional and Guardia Civil operation—dubbed “COINBLACK — WENDMINE”—began just over two years ago following the report of a victim in Granada being defrauded of €624,000. In addition to the six arrests, the operation also resulted in the seizure of “100,000 Euros, mobile phones, computers, hard drives, firearms, and documents.”
The Sysdig Threat Research Team (TRT) has identified a new campaign carried out by the Chinese state-sponsored threat actor UNC5174 (also known as Uteus). In late January 2025, researchers observed the threat actor using VShell, a new open-source tool and command and control (C2) infrastructure, to infect Linux systems. The newly observed campaign also utilizes a variant of SNOWLIGHT malware. According to the report, the campaign has been active since at least November 2024.