Weekly Summary Cyberattacks
16 April 2025

Weekly Summary Cyberattacks April 10-16

Fake PDF converters spread malware that steals credentials and cryptocurrency   

A recent investigation has revealed a sophisticated malware campaign that uses fake PDF to DOCX converters to steal sensitive information. Impersonating the popular PDFCandy.com site, these fraudulent portals replicate its appearance and domain to trick users. When attempting to convert a file, the user is induced to execute PowerShell commands that install the ArechClient2 malware, part of the SectopRAT family, which specializes in stealing credentials, cryptocurrency wallets and other personal data. The threat, active for years, employs redirect chains disguised with shortened links and malicious files such as “adobe.zip”. The FBI had already issued an alert about such sites on March 17, 2025. Experts recommend using only official services, keeping security software up to date, and being wary of pages that ask you to execute commands or download files unexpectedly.

New variant of ResolverRAT Trojan threatens healthcare and pharmaceutical industries   

Researchers have identified a new remote access Trojan (RAT) variant called ResolverRAT, characterized by advanced evasion techniques and in-memory execution. This malware stands out for its complex architecture, AES-256 encryption, execution without leaving a trace on disk, and sophisticated persistence and communication mechanisms. ResolverRAT spreads through multilingual phishing campaigns targeting corporate employees in several countries with alarming emails simulating legal investigations or copyright infringement. The Trojan employs DLL sideloading using legitimate applications, such as hpreader.exe, and is suspected of reusing tools seen in other malicious campaigns. Its command and control (C2) infrastructure includes embedded certificate validation, IP rotation and custom protocols, making it difficult to detect. This malware has been detected in recent attacks, especially targeting the healthcare and pharmaceutical sectors, which is evidence of a highly organized and persistent global operation.  

Hackers exploit critical flaw in WordPress plugin hours after disclosure   

A serious vulnerability in the WordPress plugin OttoKit (formerly SureTriggers) has been exploited by hackers just four hours after it was publicly disclosed. The flaw, identified as CVE-2025-3102, allows bypassing authentication and creating unauthorized administrator accounts, putting affected sites at risk. OttoKit, used on about 100,000 sites, connects tools such as WooCommerce and Google Sheets to automate tasks without programming. The flaw lies in the authenticate_user() function, which does not properly check for empty values if there is no API key configured. The company responsible released a security update (version 1.0.79) on April 3, the same day it received the technical report. However, many administrators had not yet applied the patch when the attacks began. It is recommended to update immediately and check logs for unauthorized access or suspicious accounts.  
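The bug class described above, an API-key check that passes when no key has been configured, is illustrated below as an added example in the form of a vulnerable check beside its hardened form. This is a hypothetical reconstruction for teaching, not OttoKit's actual source; the function names and the sample keys are constructed.

```php
<?php
// Hypothetical reconstruction of the bug class: an API-key check that accepts
// an empty or missing key whenever no key has been configured on the site.
// Not the plugin's own code; names and sample values are constructed.

// Vulnerable shape: nothing verifies that a key is configured at all, and a
// loose comparison treats a null stored key and an empty request key as equal.
function authenticate_user_vulnerable(?string $stored_key, ?string $request_key): bool {
    return $stored_key == $request_key;   // in PHP, null == '' evaluates to true
}

// Hardened shape: fail closed when the integration has no key configured or the
// request carries none, then compare with hash_equals() (strict, constant-time).
function authenticate_user_fixed(?string $stored_key, ?string $request_key): bool {
    if ($stored_key === null || $stored_key === '') {
        return false; // no key configured: nothing may authenticate via this path
    }
    if ($request_key === null || $request_key === '') {
        return false; // request did not present a key
    }
    return hash_equals($stored_key, $request_key);
}

// Constructed scenarios: [stored key on the site, key presented by the request].
$cases = [
    'unconfigured site, no key sent'    => [null, null],
    'unconfigured site, empty key sent' => [null, ''],
    'configured site, wrong key'        => ['constructed-key-123', 'guess'],
    'configured site, correct key'      => ['constructed-key-123', 'constructed-key-123'],
];

foreach ($cases as $label => [$stored, $sent]) {
    printf("%-36s vulnerable=%s fixed=%s\n", $label,
        authenticate_user_vulnerable($stored, $sent) ? 'PASS' : 'deny',
        authenticate_user_fixed($stored, $sent) ? 'PASS' : 'deny');
}
```

The two unconfigured-site cases are the ones that separate the versions: the loose check lets them through, the hardened check denies them, while behaviour for a configured key is unchanged.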

Atlas Lion Cybercrime Group Hides Inside Cloud Networks During Gift Card Fraud Attacks   

Expel and Microsoft Threat Intelligence reported a campaign by Atlas Lion, a Moroccan cybercriminal group focused on financial fraud against major retail and hospitality chains. Using SMS phishing tactics (smishing), the group targeted employees with fake helpdesk messages, capturing credentials to infiltrate enterprise environments. Once inside, Atlas Lion registered virtual machines (VMs) that blended into the legitimate infrastructure. These VMs were used to access internal gift card systems and generate or redeem fraudulent cards, often bypassing security checks. In one instance, the attackers caused daily losses of over $100,000. Despite being briefly blocked due to suspicious IP activity, Atlas Lion returned with improved techniques after studying internal documentation found within the compromised networks. They demonstrated knowledge of identity governance tools and device management policies, suggesting the use of human operators in a semi-automated setup. Their operations show a hybrid approach combining social engineering, cloud exploitation, and internal reconnaissance.  

AkiraBot: an automated threat that dodges CAPTCHAs and launches massive AI-powered spam campaigns   

Recent research has revealed the workings of AkiraBot, a sophisticated automated framework that has managed to send personalized spam messages to more than 80,000 websites since September 2024, targeting more than 420,000 in total. This bot, designed in Python, uses the OpenAI API to generate specific messages based on the content of the targeted website, in order to promote disreputable SEO services. Its modular architecture allows it to evade CAPTCHA filters, mimic legitimate browsing via scripts in headless browsers and hide its traffic through proxies. AkiraBot has evolved to attack not only contact forms but also live chat widgets such as Reamaze. In addition, it uses Telegram channels to monitor its performance and coordinate functions such as IP rotation. Relying on fake reviews to gain legitimacy, the framework and its associated domains have been linked to deceptive practices, suggesting a well-structured operation focused on abusing AI tools for malicious purposes.