Weekly Summary Cyberattacks May 22-28
28 May 2025


DragonForce ransomware attack compromises managed services provider

A cybercriminal group used DragonForce ransomware to attack a managed service provider (MSP) by exploiting vulnerabilities in the SimpleHelp remote management tool. Through the MSP's RMM system the attackers gained access to multiple customer organizations, deploying the ransomware and stealing sensitive data as part of a double extortion strategy. According to researchers, the vulnerabilities disclosed in January 2025 (CVE-2024-57726, CVE-2024-57727 and CVE-2024-57728) were likely exploited. DragonForce, which operates under a Ransomware-as-a-Service model, has gained notoriety for its links to affiliates known as Scattered Spider. The attack was detected when a SimpleHelp software file was installed under suspicious circumstances through a legitimate SimpleHelp instance operated by the MSP.

MSHTA cyberattacks and obfuscation techniques to steal credentials on the rise

A recent analysis has revealed an increase in the malicious use of mshta.exe, a legitimate Windows tool that is being abused to execute remote scripts hidden behind layers of obfuscation. Although the attack was mitigated before the malicious code was fully executed, analysts were able to trace a complex infection chain that included VBScript, PowerShell and multiple transformations such as Base64, XOR and hexadecimal encoding. The downloaded file pretended to be a harmless media file but contained an infostealer designed to steal credentials from browsers, FTP clients and cryptocurrency wallets. The investigation revealed advanced evasion techniques, such as the use of random variable names and in-memory payloads. This case highlights the importance of fully analyzing alerts, even when the attack attempt is not completed, in order to identify malicious infrastructure and improve the response to future threats.
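The layered encoding described above (Base64, XOR and hexadecimal) is what an analyst has to unwind to read the final stage without running it. The following Python script is an added example, not code from the original summary or from the cited analysis: it builds a constructed sample around a harmless inner command, auto-detects Base64 and hex layers, recovers a single-byte XOR key with a crib (a string the next stage is expected to contain), and adds a simple triage heuristic for mshta.exe command lines that fetch remote content or run inline script. All function names, the sample values and the crib are assumptions for illustration.

```python
"""Peel Base64 / hex / single-byte XOR layers from an obfuscated payload
and flag suspicious mshta.exe command lines. Added example; all inputs are
constructed and the heuristics are not vendor detection rules."""
import base64
import binascii
import re
import string

HEX_RE = re.compile(rb"^[0-9a-fA-F]+$")
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
PRINTABLE = set(string.printable.encode())
MSHTA_MARKERS = ("http://", "https://", "javascript:", "vbscript:")


def is_hex(data: bytes) -> bool:
    # Hex text has even length and only hex digits.
    return len(data) % 2 == 0 and bool(HEX_RE.match(data))


def is_base64(data: bytes) -> bool:
    # Alphabet and length check first, then a strict decode to reject near-misses.
    if len(data) % 4 or not B64_RE.match(data):
        return False
    try:
        base64.b64decode(data, validate=True)
        return True
    except binascii.Error:
        return False


def is_mostly_text(data: bytes, threshold: float = 0.95) -> bool:
    # True when at least `threshold` of the bytes are printable ASCII.
    return bool(data) and sum(b in PRINTABLE for b in data) / len(data) >= threshold


def recover_xor_key(data: bytes, crib: bytes):
    """Brute-force a single-byte XOR key: accept the key whose output is
    readable text containing the (lowercase) crib. Returns None if none fits."""
    for key in range(256):
        candidate = bytes(b ^ key for b in data)
        if crib in candidate.lower() and is_mostly_text(candidate):
            return key
    return None


def peel_layers(blob: bytes, crib: bytes = b"powershell", max_depth: int = 8):
    """Strip encoding layers until readable text containing the crib appears.
    Returns (list of layers removed, innermost data)."""
    layers, data = [], blob
    for _ in range(max_depth):
        if is_mostly_text(data) and crib in data.lower():
            break  # reached the readable stage
        if is_hex(data):  # test hex before Base64: hex digits are valid Base64 characters too
            data = bytes.fromhex(data.decode("ascii"))
            layers.append("hex")
        elif is_base64(data):
            data = base64.b64decode(data, validate=True)
            layers.append("base64")
        else:
            key = recover_xor_key(data, crib)
            if key is None:
                break  # unknown transformation: stop rather than guess
            data = bytes(b ^ key for b in data)
            layers.append(f"xor:0x{key:02x}")
    return layers, data


def build_sample(plaintext: str, key: int) -> bytes:
    """Constructed test input only: wrap plaintext as XOR -> hex -> Base64,
    mirroring the layer order a loader might use (outermost layer applied last)."""
    xored = bytes(b ^ key for b in plaintext.encode("ascii"))
    return base64.b64encode(xored.hex().encode("ascii"))


def suspicious_mshta(cmdline: str) -> bool:
    """Flag an mshta.exe command line that fetches a remote HTA or runs inline
    script; a local .hta path does not trigger it. Constructed triage heuristic."""
    low = cmdline.lower()
    return "mshta" in low and any(m in low for m in MSHTA_MARKERS)


if __name__ == "__main__":
    # Harmless inner command, constructed for the demonstration.
    sample = build_sample("powershell -Command \"Write-Host 'constructed marker'\"", 0x5A)
    layers, inner = peel_layers(sample)
    print("layers removed:", layers)
    print("inner stage:", inner.decode("ascii"))
    for line in ("mshta.exe https://example.invalid/update.hta",   # constructed log lines
                 r"mshta.exe C:\Program Files\Vendor\help.hta"):
        print(suspicious_mshta(line), line)
```

The hex test deliberately runs before the Base64 test, because a hex string is also a syntactically valid Base64 string; reversing the order would misdecode the hex layer. The crib-based key recovery stops at the first key that yields readable text containing the crib, which is far more reliable on short payloads than printable-ratio scoring alone.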

New malware detected that uses ALCATRAZ obfuscator to avoid analysis

Cybersecurity researchers have analyzed a new malware family called DOUBLELOADER, observed alongside the infostealer RHADAMANTHYS. This malware employs the open-source ALCATRAZ obfuscator, originally developed in the video game hacking community and now also used in cybercrime. DOUBLELOADER leverages Windows system functions to execute malicious code within the explorer.exe process, collecting system information and communicating with an encrypted IP address. ALCATRAZ complicates analysis through techniques such as entry point obfuscation, instruction mutation, constant hiding and control flow flattening. These techniques hinder analysts' work by breaking decompilation and forcing manual intervention. Researchers have published tools to help decompile ALCATRAZ-protected binaries, making them easier to study and mitigate in security environments.

Cybercriminals steal cryptocurrencies from Mac users with fake Ledger apps

A series of malicious campaigns is targeting macOS users through fake apps that pretend to be the official software of Ledger, a well-known cold cryptocurrency wallet. These fraudulent apps are designed to trick users into entering their seed phrase, the combination of 12 or 24 words that allows them to regain access to their digital assets. The attacks began in August 2024 and have evolved to include malware called "Odyssey," which replaces the legitimate Ledger Live app and includes a phishing page with fake error messages. Experts stress that the seed phrase should only ever be entered on the physical Ledger device, never in apps or on web pages.

DragonForce escalates its offensive and sparks war between ransomware groups

The cybercriminal group DragonForce has escalated its activity in 2025, not only attacking IT infrastructures and virtualized environments but also openly confronting other ransomware groups. After relaunching in March as a "cartel," DragonForce has adopted a more flexible affiliate model to attract partners and consolidate its presence in the cybercrime ecosystem. In addition to impersonating rival brands such as BlackLock and Mamona, it has been at odds with the RansomHub group, which it attempted to forcibly absorb. DragonForce has been linked to the GOLD HARVEST group (also known as Scattered Spider), responsible for sophisticated social engineering campaigns and the recent cyberattack on UK retailer Marks and Spencer. These attacks highlight the growing threat posed by alliances between decentralized criminal groups and the urgent need for companies to strengthen both their technical and their human defenses against increasingly deceptive and coordinated methods.