28 March 2025

Weekly Summary Cyberattacks March 20-25

INTERPOL dismantles cybercrime networks in Africa with more than 300 arrested  

In an international operation led by INTERPOL, dubbed 'Operation Red Card', African authorities have arrested 306 suspects linked to cybercrime networks. Between November 2024 and February 2025, 1,842 devices used in mobile banking scams, investment fraud and messaging app scams were seized, affecting more than 5,000 victims. The operation involved seven countries: Benin, Ivory Coast, Nigeria, Rwanda, South Africa, Togo and Zambia. In Nigeria, 130 people were arrested for investment and online casino fraud, many hiding illicit gains in digital assets. In Zambia, 14 members of a hacker network were caught for stealing banking data through malicious links. In South Africa, 40 people were arrested in a SIM card fraud operation. Rwanda arrested 45 individuals linked to social engineering scams, causing losses of more than $305,000 in 2024. INTERPOL stressed that international cooperation is key to combating cybercrime, whose operations know no borders. This action follows others such as Operation Serengeti and Operation Africa Cyber Surge II, which have disrupted thousands of criminal networks across the continent.  

Global espionage campaign linked to Aquatic Panda  

A China-linked cyber-espionage group known as Aquatic Panda was behind a global espionage campaign that ran from January to October 2022. Seven organizations in several countries were targeted, including governments, NGOs and research centers in Taiwan, Hungary, Turkey, Thailand, France and the United States. The operation, dubbed FishMedley by ESET, involved multiple malware families, such as ShadowPad, SodaMaster and Spyder. Aquatic Panda, also tracked as Bronze University and RedHotel, is linked to the Winnti group (APT41) and is believed to operate under the supervision of the Chinese contractor i-Soon. During the campaign the attackers used the ScatterBee loader to deploy ShadowPad and other malware, and a previously undocumented implant, RPipeCommander, was found on a government entity in Thailand.  

New Ransomware-as-a-Service called VanHelsing discovered  

A new Ransomware-as-a-Service (RaaS) called VanHelsingRaaS has burst into the cybercriminal community since its launch on March 7, 2025. This model allows affiliates, from experienced hackers to novices, to execute attacks for a $5,000 deposit. Affiliates receive 80% of the ransom payments, while the main operators keep 20%. One of its key rules is not to attack Commonwealth of Independent States (CIS) countries. Researchers have identified two variants of this ransomware targeting Windows, although the program also offers options for Linux, BSD, ARM and ESXi. In less than two weeks, it has already infected at least three victims, demanding ransoms of up to $500,000 in Bitcoin. The malware is characterized by its rapid evolution and includes advanced tools such as an intuitive control panel and enhanced encryption.  

RansomHub employs new backdoor called Betruger  

An affiliate of the RansomHub ransomware group has begun using a new custom malware, called Betruger, in its attacks. It is a multi-functional backdoor specifically designed to facilitate the execution of ransomware attacks. Its capabilities include screen capture, keylogging, privilege escalation and credential exfiltration, allowing attackers to operate with greater stealth and efficiency. The use of custom, purpose-built malware in ransomware attacks is unusual, as most groups rely on legitimate tools and publicly available software. In addition, RansomHub affiliates have employed techniques such as Bring Your Own Vulnerable Driver (BYOVD) to disable security solutions and have exploited vulnerabilities in Windows and Veeam. RansomHub, operated by the group Symantec tracks as Greenbottle, has grown rapidly since its emergence in February 2024, becoming the most active ransomware operation in the third quarter of that year. Its business model, which offers better terms to affiliates, has contributed to its expansion and the growing threat it poses in the cybercrime landscape.  

New infostealer called Arcane discovered  

A new infostealer called Arcane was discovered in late 2024 spreading via YouTube videos promoting video game cheats. The stealer is notable for the breadth of information it collects, including VPN credentials, game client data, messaging apps, cryptocurrency wallets and system details. It is distributed inside password-protected compressed archives, which users download believing they contain legitimate software. Arcane disables security features in Windows, extracts data from browsers and even collects the Wi-Fi network profiles, including saved passwords, stored on the system. The operators later released ArcanaLoader, a fake download manager that supposedly offers cheats and cracks but actually infects victims with Arcane. Investigations point to Russian-speaking attackers, with most victims in Russia, Belarus and Kazakhstan. It is recommended to avoid suspicious software, be wary of links from unknown sources and use robust security tools.
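One concrete illustration of why the saved Wi-Fi profiles matter: on Windows, any process running as the logged-in user can read every stored wireless profile and its cleartext key with the built-in `netsh` tool, which is exactly the data an Arcane-class stealer collects. The script below is an added example, not code from the original article or from the malware; it uses only `netsh` and assumes a Windows host with the WLAN service running. A responder can run it on a suspected victim to see which network credentials to rotate after an infection.

```powershell
# Added example: enumerate saved Wi-Fi profiles and their stored keys on
# Windows using only netsh, the same data an infostealer harvests from a
# compromised user session. Assumes the WLAN AutoConfig service is present.
function Get-SavedWifiProfile {
    # "netsh wlan show profiles" lists lines like "    All User Profile     : HomeNet"
    $names = netsh wlan show profiles |
        ForEach-Object {
            if ($_ -match '^\s*(All|Current) User Profile\s*:\s*(.+?)\s*$') { $Matches[2] }
        }

    foreach ($name in $names) {
        # key=clear makes netsh print the passphrase as "Key Content : <secret>"
        $detail = netsh wlan show profile name="$name" key=clear
        $key = ($detail | Select-String -Pattern 'Key Content\s*:\s*(.+?)\s*$' |
            ForEach-Object { $_.Matches[0].Groups[1].Value }) | Select-Object -First 1

        [pscustomobject]@{
            SSID   = $name
            HasKey = [bool]$key
            Key    = $key        # cleartext; handle as a credential
        }
    }
}

# Usage on a suspected victim host: list SSIDs that expose a stored key,
# i.e. the networks whose passwords should be changed after an Arcane infection.
Get-SavedWifiProfile | Where-Object HasKey | Select-Object SSID, Key
```

The point of the example is the asymmetry it shows: no elevation is needed, because the key is released to the profile's owner on request, so an infostealer running in the user's session gets the same answer. Treat every SSID the script prints as a credential exposed by the compromise.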