Everest ransomware leaks Coca-Cola employee data: 1,104 files exposed, including HR, admin roles, IDs, personal details, and internal records.

On May 22, Hackread.com **reported** that Everest claimed responsibility for stealing data on 959 Coca-Cola employees, specifically across the Middle East, including the UAE, Oman, and Bahrain. Separately, another hacker group claimed to have stolen 23 million records from Coca-Cola Europacific Partners (CCEP).

Hackread.com can now confirm that the Everest ransomware group has leaked sensitive employee data stolen from the Coca-Cola Company. The data has been leaked on the Everest ransomware group’s dark web leak site as well as on the notorious Russian-language cybercrime forum XSS.

Screenshot credit: Hackread.com

The group has posted a 502 MB data dump, exposing Coca-Cola’s Middle East-specific internal and employee records. The leaked folder contains 1,104 files with information that includes:

*   Full names of employees
*   Business and home addresses
*   Family and marriage certificates
*   Copies of visas, passports, residency permits
*   Phone numbers, banking details, salary records
*   Employee personal and business email addresses

****What’s Inside the Leaked Files****

Among the exposed documents is an Excel file titled SuperAdmin_User_Account_Cocacola, detailing Coca-Cola’s internal administrative account structure and assigned roles. While it does not include passwords or direct login credentials, it outlines which accounts hold critical permissions, including system administrators, HR roles, and integration accounts. This makes it a useful map for threat actors, such as the recently **FBI-warned** Silent Ransom Group and others, aiming to exploit the company’s system hierarchy.

Another file, Emp Hierarchy Upload, lists:

*   Organizational hierarchy levels
*   Job titles and departmental details
*   Country-based manager structures
*   Employee usernames and full names
*   Reporting lines, showing who reports to whom

A third file, HRBP Upload, contains data on Coca-Cola’s HR Business Partner (HRBP) assignments, including:

*   Departmental functions
*   Employee IDs and full names
*   Assigned HRBP names and linked user IDs
*   Relationship start and end dates (with many set as open-ended)

Screenshot from the leaked data (Image credit: Hackread.com)

****Sensitivity of The Leaked Data****

While not all files contain direct access credentials, the combination of sensitive personal data, administrative structures, and internal HR mapping increases the cybersecurity risk profile for Coca-Cola. Such details can aid cybercriminals in several ways including:

*   **Spear-phishing attacks**, targeting specific individuals with crafted emails or messages
*   **Social engineering schemes**, using knowledge of internal relationships to impersonate executives, managers, or HR personnel
*   **Phone-based scams**, where attackers call employees pretending to be HR or IT staff, asking them to share system credentials
*   **Credential harvesting**, by directing employees to phishing websites disguised as official HR or IT portals
*   **Malware delivery**, where attackers pose as HR managers or support teams and trick employees into **installing malware** under the guise of a “remote access tool” or “required update”
*   **Mapping internal systems and roles**, helping attackers plan more precise future breaches, escalate privileges, or exploit admin-level access.

Additionally, the exposure of passports, visas, and banking details presents direct personal risks to affected employees, opening the door to identity theft, financial fraud, or cross-border privacy concerns.

It remains unclear whether there were any negotiations or communications between the Everest ransomware group and Coca-Cola regarding a ransom payment. So far, no details have emerged publicly about whether Coca-Cola engaged in talks, refused to pay, or is still assessing the situation internally. As with many ransomware cases, companies often withhold such information while investigations are ongoing or while working with law enforcement.

****Persistent Threat****

The Everest ransomware group has a history of leaking sensitive corporate data when ransom demands go unmet. While Coca-Cola has not yet issued a public statement regarding this leak, the scale and depth of the exposed data highlight the **growing danger posed by ransomware actors**, not just to company systems, but to the personal lives and security of employees.

Hackread.com will continue monitoring this developing story.

Everest Ransomware Leaks Coca-Cola Employee Data Online

SilverRAT Source Code leaked on GitHub, exposing powerful malware tools for remote access, password theft, and crypto attacks before removal.

The full source code of SilverRAT, a notorious remote access trojan (RAT), has been leaked online briefly appearing on GitHub under the repository “SilverRAT-FULL-Source-Code” before being swiftly taken down.

A snapshot of the repository, captured by Hackread.com via the Wayback Machine, reveals the entire project, its features, build instructions, and even a flashy marketing-style dashboard screenshot.

Screenshot from the now deleted GitHub post (Image credit: Hackread.com)

****What Is SilverRAT?****

SilverRAT is a remote access trojan developed in C#, first surfacing in late 2023. It was attributed to a group known as **Anonymous Arabic**, believed to operate out of Syria. This tool gives attackers control over infected Windows systems, offering a range of malicious capabilities.

Researchers who have analyzed SilverRAT say it has become popular in underground forums, where it’s offered as malware-as-a-service (MaaS). Its feature set includes:

*   Cryptocurrency wallet monitoring
*   Hidden applications and processes
*   Data exfiltration through Discord webhooks
*   Exploit builders for Word, Excel, VBScript, and JavaScript files
*   Antivirus bypass and binder functions to bundle multiple payloads
*   Hidden RDP and VNC sessions (allowing attackers to take over a system invisibly)
*   Password stealing from browsers, apps, games, bank cards, Wi-Fi, and system credentials

The malware’s design and use of Arabic-language components suggest its roots lie in the Middle East, though it’s been observed in campaigns targeting victims globally. The developer behind SilverRAT has been identified as noradlb1, publicly known as MonsterMC.

****Details of the Source Code Leak****

The leaked GitHub repository, posted by a user named Jantonzz, claimed to share the “latest version” of SilverRAT. The project included Visual Studio solution files, build instructions, and code modules that could be easily compiled by anyone with basic .NET knowledge.

The repository description boasted that the RAT is “provided for learning and experimentation purposes only,” though the long list of weaponized features leaves little doubt about its real-world criminal applications. It even promised a “Private Stub,” a customized, fully undetectable (FUD) version that would supposedly be delivered by email within two days.

Within hours, GitHub took down the repository, likely in response to reports or automatic detection of malware content. However, the brief window of public access was enough for the snapshot to be archived and circulated in security research circles.

As of now, the repository has been removed from GitHub, but the archived snapshot (attached below) shows its full content, including the dashboard image, build files, and README instructions:

Screenshot from the now deleted GitHub post (Image credit: Hackread.com)

****Legitimacy and Consequences****

While leaked malware source code often comes with a disclaimer of being “for educational purposes,” the reality is that these leaks can boost cybercrime. With SilverRAT now available to the public, even low-level cybercriminals without programming skills can compile their own copies, modify the malware, or create new variants.

Given that the original developer is believed to have connections to Arabic-speaking cybercrime groups, this leak could expand the malware’s reach to new regions and actors.

****Apparently Not the First Time****

While researching SilverRAT, we found that its source code has also been sold on the notorious Russian cybercrime forum XSS. In a February 2025 post, a seller was offering the full source code for just $100.

SilverRAT Source Code Leaked Online: Here’s What You Need to Know

Cisco Talos warns of active exploitation of a zero-day vulnerability (CVE-2025-0994) in Cityworks supposedly by Chinese hackers from…

Cisco Talos warns of active exploitation of a zero-day vulnerability (CVE-2025-0994) in Cityworks supposedly by Chinese hackers from the UAT-6382 threat group. Learn about the malware, affected organizations, and critical security patches.

Cisco Talos researchers have issued a critical alert regarding active cyberattacks targeting Trimble Cityworks, a widely used platform for managing public assets. According to Cisco Talos’ latest research, shared with Hackread.com, a sophisticated threat group, tracked as UAT-6382, is exploiting a newly discovered high-severity vulnerability CVE-2025-0994 in the system.

This vulnerability, having a CVSS score of 8.6, allows for remote code execution, meaning attackers can run their malicious programs on affected systems from afar. These attacks have been observed since January 2025 and primarily target local government organizations in the United States. Some attacks have already resulted in successful compromises.

The Cybersecurity and Infrastructure Security Agency (CISA) and Trimble have also released their warnings about this serious flaw. Reportedly, the vulnerability allows attackers to gain remote access and execute malicious code against Microsoft Internet Information Services web server without needing to authenticate. Cityworks vulnerability affects versions before 15.8.9 and Cityworks with Office Companion versions before 23.10.

Once inside, UAT-6382 quickly deploys _web shells_ like AntSword and chinatso/Chopper on the compromised web servers to maintain hidden access. They also use custom-made tools, including a Rust-based loader called TetraLoader to install more persistent malware such as Cobalt Strike and VSHell.

> _“Talos has found intrusions in enterprise networks of local governing bodies in the United States (U.S.), beginning in January 2025 when initial exploitation first took place. UAT-6382 successfully exploited CVE-2025-0944, conducted reconnaissance and rapidly deployed a variety of web shells and custom-made malware to maintain long-term access.”_
> 
> Cisco Talos

****Chinese-Speaking Actors Identified****

Based on their methods and tools, Cisco Talos’ report suggests with high confidence that UAT-6382 is a group of “Chinese-speaking threat actors.” Evidence supporting this includes the Chinese language found in the web shells and the fact that MaLoader, the framework used to build TetraLoader, is also written in Simplified Chinese. This malware builder, which emerged in December 2024, allows operators to package malicious code into Rust-based programs like TetraLoader.

MaLoader Builder Interface (Source: Cisco Talos)

Researchers noted that upon gaining access, the attackers show a particular interest in systems related to utility management. Their initial actions involve scanning the compromised server to understand its setup, looking for specific directories related to Cityworks, and then quickly setting up their web shells. They also stage sensitive files for potential data theft and deploy backdoors using PowerShell commands to ensure long-term access.

****Understanding the Malware****

TetraLoader’s main function is to inject various payloads into legitimate processes, such as notepad.exe. These payloads can be Cobalt Strike beacons, which are widely used by attackers for command and control, or VShell stagers.

For your information, VShell is a GoLang-based remote access Trojan that allows attackers to manage files, run commands, take screenshots, and set up proxy services on infected systems. Like other tools used by this group, the VShell control panels also display Chinese text, indicating the operators’ proficiency in the language.

Cityworks has released security patches to address the CVE-2025-0994 vulnerability, urging users to update immediately. Organizations should monitor suspicious activity using Cisco Talos’ technical indicators of compromise (IOCs). Cisco Talos also recommend the use of security products like Cisco Secure Endpoint, Secure Firewall, and Umbrella to protect against such attacks.

Chinese Hackers Exploit Cityworks 0-Day to Hit US Local Governments

Researchers have released PoC for CVE-2025-32756, a severe security flaw, that is actively being exploited in Fortinet products…

Researchers have released PoC for CVE-2025-32756, a severe security flaw, that is actively being exploited in Fortinet products like FortiMail and FortiCamera. This stack-based buffer overflow allows unauthenticated remote code execution.

A security vulnerability tracked as CVE-2025-32756 is currently being actively used by attackers, affecting several Fortinet products. The Fortinet Product Security Team discovered this vulnerability based on observed threat activity, which included network scanning, credential logging, and log file wiping.

Fortinet’s security team, FortiGuard Labs, then issued an alert on May 13, confirming they had seen this vulnerability being exploited in real-world attacks. A variety of Fortinet products are at risk, including FortiCamera, FortiMail, FortiNDR, FortiRecorder, and FortiVoice. On May 14, it was added to the CISA KEV catalogue.

Researchers at Horizon3.ai, including Jimi Sebree, have been investigating this flaw and published a basic proof of concept, a simple demonstration of how the vulnerability can be used. Their work shared with Hackread.com, involved looking at both patched and unpatched versions of FortiMail to pinpoint the exact location of the flaw.

They discovered the issue resides in a shared library and is related to how the system handles a specific session management cookie called APSCOOKIE, specifically an issue with decoding and handling the AuthHash field within this cookie. The vulnerability allows a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests.

****What’s the Problem?****

CVE-2025-32756 is basically a flaw in the admin API where the system tries to cram too much data into a limited space. When that happens, the extra data spills over into areas it shouldn’t, which can give attackers a way to sneak in their own malicious code, and they can do this without even needing a password.

This type of flaw is old, suggestive of hacking techniques from the 1990s. The severity of this issue, nonetheless, is extremely high, scoring 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS), which measures the potential impact of security risks.

****Urgent Call for Updates****

Given that attackers are already using this vulnerability, and many vulnerable Fortinet systems are exposed on the internet, experts are strongly advising all users to update their products or apply recommended fixes as soon as possible.

FortiGuard Lab’s advisory provides detailed information on how to identify if a system is affected and what steps to take to protect against this serious threat. One suggested mitigation, if immediate patching is not possible, is to disable the HTTP/HTTPS administrative interfaces. Given the ease of exploitation, immediate action is crucial to protect affected systems.

Researchers Drop PoC for Fortinet CVE-2025-32756, Urging Quick Patching

FBI warns law firms: Silent Ransom Group uses phishing emails and fake IT calls to steal data, demanding ransom to prevent public leaks. The agency is also urges victims to share ransom evidence.

The FBI has issued a warning to US law firms about a rising cyber threat targeting the legal sector. A group known as Silent Ransom Group (SRG), also called Luna Moth or Chatty Spider, has been focusing its attacks on law firms since early 2023, using a combination of phishing emails and **social engineering calls** to gain access to sensitive legal data.

This group is no newcomer. Operating since 2022, SRG has a track record of targeting industries such as healthcare and insurance. But in recent months, law firms have become their top target, likely because of the sensitive client information these firms handle.

Back in November 2023, the **FBI issued an alert** highlighting SRG’s use of callback phishing to breach networks. In these attacks, the group sends phishing messages designed as unclickable images, often creating a false sense of urgency and providing a phone number for the recipient to call. This tactic bypasses traditional email security filters and lures victims into making contact, where the attackers then guide them into compromising their own systems.

****Their Tactics****

Aligning with their tickets, SRG’s new phishing campaigns are also deceptively simple. They send emails pretending to come from companies offering subscription services, warning the recipient about a small, questionable charge. To cancel, victims are instructed to call a number provided in the email. On that call, attackers convince the victim to download remote access software, giving SRG an entry point into the company’s systems.

However, what’s new about this campaign is that SRG has started calling employees directly, pretending to be from the company’s own IT department. They instruct the employee to join a remote session or visit a specific web page, again installing tools that give the attackers control. Once inside, they use tools like **WinSCP** or disguised versions of Rclone to quietly exfiltrate sensitive data.

After stealing the data, SRG sends ransom notes demanding payment to prevent the release or sale of the stolen information. Sometimes, they even follow up with phone calls to pressure companies into negotiations.

> _“Similar to their phishing emails posing as a company with a subscription, SRG will also call employees at a victim company to pressure them into engaging in ransom negotiations.”_
> 
> The FBI

It is worth noting that the FBI’s alert came on the same day Cofense Intelligence’s May 2025 **report** revealed widespread abuse of Remote Access Tools (RATs) by cybercriminal groups. The report identified ConnectWise ScreenConnect as the most frequently abused RAT in 2025 attacks so far.

****Why Law Firms?****

Law firms make attractive targets because of the nature of their work such as confidential client details, corporate negotiations, and sensitive legal documents. A breach here doesn’t just threaten financial loss; it risks severe reputational harm.

However, it is not only recently that cybercriminals have been targeting law firms and the valuable information they hold. In April 2022, **researchers observed** scammers using AI-generated images to create fake law firm identities.

****Hard to Detect, Harder to Stop****

One reason SRG’s campaigns are effective is that they use legitimate system management and remote access tools, which are less likely to alert antivirus. Their attacks leave few traces, making post-attack investigations and protection more difficult.

This is why the FBI is urging everyone, including researchers and even victims, to share any ransom notes used by SRG during the attacks. If you have the phone number the group used to call, the wallet address they provided, or even voice call recordings, the FBI is seeking that information.

The FBI’s alert advised Network administrators to watch for unusual downloads of tools like Zoho Assist, **AnyDesk**, Splashtop, Syncro, or Atera, and to pay attention to unexplained external file transfers using WinSCP or Rclone.

Other red flags include unexpected emails about subscription renewals, strange calls or voicemails claiming data theft, and unsolicited contact from people claiming to be part of the company’s IT team.

> The Silent Ransom Group (SRG), aka Luna Moth or Chatty Spider, is targeting law firms. Tactics include IT social engineering calls and callback phishing emails to remotely access devices and steal data for extortion. Learn more about SRG’s IOCs and TTPs: https://t.co/ro96zjD1hA pic.twitter.com/pBAd89WaBJ
> 
> — FBI (@FBI) May 23, 2025

The FBI recommends paying strong attention to basic cybersecurity practices. This includes **training staff** to spot phishing attempts and social engineering tactics, and setting clear internal guidelines for how the IT team communicates with employees.

Additionally, using strong passwords along with two-factor authentication (2FA) across the organization and maintaining regular data backups can also help reduce the damage in case of a breach.

FBI Warns of Silent Ransom Group Targeting Law Firms via Scam Calls

A critical XSS vulnerability, CVE-2024-27443, in Zimbra Collaboration Suite’s CalendarInvite feature is actively being exploited, potentially by the…

A critical XSS vulnerability, CVE-2024-27443, in Zimbra Collaboration Suite’s CalendarInvite feature is actively being exploited, potentially by the Sednit hacking group. Learn how this flaw allows attackers to compromise user sessions and why immediate patching is crucial.

A new security weakness has been discovered in the Zimbra Collaboration Suite (ZCS), a popular email and collaboration platform. This issue, classified as CVE-2024-27443, is a type of cross-site scripting (XSS) flaw that could allow attackers to steal information or take control of user accounts.

****How the Flaw Works****

The problem lies specifically within the CalendarInvite feature of Zimbra’s Classic Web Client interface. It happens because the system doesn’t properly check incoming information in the Calendar header of emails.

This oversight creates an opening for a stored XSS attack. This means an attacker can embed harmful code into a specially designed email. When a user opens this email using the classic Zimbra interface, the malicious code runs automatically within their web browser, giving the attacker access to their session. The severity of this vulnerability is rated as medium, with a CVSS score of 6.1. It affects ZCS versions 9.0 (patches 1-38) and 10.0 (up to 10.0.6).

****Widespread Exposure and Active Exploitation****

According to Censys, a cybersecurity insights firm, as of Thursday, May 22, 2025, when the original report was published, a significant number of Zimbra Collaboration Suite instances were exposed online that could be vulnerable.

Censys observed a total of 129,131 potentially vulnerable ZCS instances globally, with most found in North America, Europe, and Asia. A large majority of these are hosted within cloud services. Additionally, 33,614 on-premises Zimbra hosts were identified, often linked to shared infrastructure.

The vulnerability was officially added to CISA’s Known Exploited Vulnerabilities (KEV) catalogue on May 19, 2025, confirming it is actively being used by attackers.

****Possible Perpetrator?****

Security researchers from ESET have suggested that a well-known hacking group, Sednit (PDF) (AKA APT28 or Fancy Bear), might be involved in exploiting it. ESET’s researchers suspect that the Sednit group could be exploiting this flaw as part of a larger scheme called Operation RoundPress, which aims to steal login details and maintain access to webmail platforms. While there is currently no public proof-of-concept (PoC) exploit, the active exploitation highlights the urgency for users to take action.

****Patching and Mitigation****

The good news is that patches are available for this vulnerability. Zimbra has addressed the issue in ZCS version 10.0.7 and 9.0.0 Patch 39. Users are strongly advised to update their Zimbra Collaboration Suite to these patched versions immediately to protect against potential attacks.

Zimbra CVE-2024-27443 XSS Flaw Hits 129K Servers, Sednit Suspected

SK Telecom reveals malware intrusion that remained hidden for nearly two years, led to the leaking of 26.69…

SK Telecom reveals malware intrusion that remained hidden for nearly two years, led to the leaking of 26.69 million IMSI units and 9.82 GB of USIM data. Discover the telco’s security upgrades & future plans after the massive breach.

A recent data breach at South Korean telecommunications giant SK Telecom was, reportedly, much more deeply rooted than initially thought, with the intrusion remaining hidden for nearly two years. The company announced on Monday that the malware has gone undetected since at least June 2022.

The attack, disclosed in April, affected a significant portion of SK Telecom’s 23 million customers, compromising personal and financial details. The Ministry of Science and ICT, along with a joint team of public and private investigators, revealed that the attack compromised a significant portion of SK Telecom’s user data.

Specifically, approximately 26.69 million International Mobile Subscriber Identity (IMSI) units were leaked. IMSI is a unique 15-digit or shorter number that identifies and authenticates each mobile subscriber. Moreover, investigators identified 25 types of malware and quarantined 23 affected servers, claiming that 9.82 gigabytes of USIM information were compromised.

****Responding to the Breach****

In response to the security lapse, SK Telecom has implemented a series of preventative measures. The company has temporarily stopped new subscriber sign-ups and initiated a nationwide program to replace SIM cards as a safeguard.

Furthermore, they have rolled out an upgraded fraud detection system, FDS 2.0, which uses a “triple-factor authentication” process to prevent unauthorized SIM and device cloning. This enhanced security is now automatically applied across their network.

SK Telecom has also emphasized that no actual customer damages or instances of “terminal cloning” have been reported so far and all attempts at phone or SIM card piracy are now blocked at the network level, with three layers of verification to confirm the legitimacy of the subscriber, SIM card, and device. The company has pledged to “take full responsibility for any damages” that may arise from the breach, offering to replace the USIM of all 25 million subscribers, including 2 million budget phone users, for free.

****National Security Concerns and Future Steps****

SK Group chairman Chey Tae-won issued an apology to customers earlier in May, highlighting the severity of the incident by stating it “needs to be looked at as a matter of national defence.”

The malware used in the attack is believed to be BPFdoor, which can bypass authentication. It is typically used by hacking groups linked to China. Although no specific group has claimed responsibility, the chairman’s concerns and the identified malware align with similar tactics observed in recent attacks on US telecom companies.

Beyond technical upgrades, SK Telecom is also enhancing customer support. Starting May 19, the company plans to offer “mobile service” visits to remote areas, explaining SIM protection services and providing on-site SIM replacements and resets. These efforts highlight the company’s commitment to rebuilding customer trust and strengthening cybersecurity to counter cybersecurity threats.

SK Telecom Uncovers Two-Year Malware Attack, Leaking 26M IMSI Records

Akamai researchers reveal a critical flaw in Windows Server 2025 dMSA feature that allows attackers to compromise any…

Akamai researchers reveal a critical flaw in Windows Server 2025 dMSA feature that allows attackers to compromise any Active Directory user. Learn about the BadSuccessor attack and mitigation steps.

A significant security flaw has been uncovered in Windows Server 2025, posing a serious threat to organizations utilizing Active Directory (AD). Discovered by Akamai researcher Yuval Gordon, this privilege escalation vulnerability could allow malicious actors to gain full control over any user account within an organization’s AD, even with minimal initial access.

****The BadSuccessor Attack Explained****

According to Akamai’s research, shared exclusively with Hackread.com, the vulnerability exploits a new feature introduced in Windows Server 2025 called delegated Managed Service Accounts (dMSAs). For your information, dMSAs are designed to streamline the management of service accounts by allowing a new dMSA to _inherit_ permissions from an older account it replaces.

However, Gordon’s research revealed a critical oversight in this process. Attackers can simulate this migration by simply modifying two attributes on a dMSA object: msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState. By setting the first attribute to reference a target user and the second to “2” (indicating migration completion), an attacker can trick the system into believing a legitimate migration occurred.

This deceptive act, dubbed _BadSuccessor_ by the researchers, allows the attacker’s dMSA to automatically gain all the permissions of the targeted user, including highly privileged accounts like Domain Admins. Crucially, this attack doesn’t require any direct permissions on the targeted user’s account itself, only the ability to create or control a dMSA.

****Widespread Impact and No Immediate Patch****

The implications of this discovery are far-reaching. Akamai’s analysis revealed that in 91% of tested environments, users outside the domain admins group already possessed the necessary permissions to execute this attack. This highlights the widespread potential for compromise across organizations that rely on Active Directory.

Even more concerning, Microsoft has acknowledged the issue after a report on April 1, 2025, but currently has no patch available. While Microsoft has assessed the vulnerability as Moderate severity, citing that initial exploitation requires existing permissions on a dMSA object, Akamai researchers strongly disagree.

They emphasize that the ability to create a new dMSA, a benign permission often granted to users, can lead to full domain compromise. They compare its impact to highly critical attacks like DCSync.

“This vulnerability introduces a previously unknown and high-impact abuse path that makes it possible for any user with CreateChild permissions on an OU to compromise any user in the domain and gain similar power to the Replicating Directory Changes privilege used to perform DCSync attacks,” researchers wrote in the blog post.

****Proactive Measures and Ongoing Risks****

With no immediate fix from Microsoft, organizations are urged to take proactive steps to reduce their exposure. Key recommendations include monitoring for new dMSA objects, modifying the msDS-ManagedAccountPrecededByLink attribute, tracking dMSA authentication events, and reviewing permissions on Organizational Units (OUs).

As Windows Server 2025 becomes more widely adopted, organizations must prioritize understanding and mitigating the risks associated with its new features.

BadSuccessor Exploits Windows Server 2025 Flaw for Full AD Takeover

Cofense Intelligence's May 2025 report exposes how cybercriminals are abusing legitimate Remote Access Tools (RATs) like ConnectWise and Splashtop to deliver malware and steal data. Learn about this growing threat.

A new report from Cofense Intelligence reveals a troubling trend in cyberattacks: criminals are increasingly hijacking legitimate Remote Access Tools (RATs) to infiltrate computer systems. Unlike malicious software specifically designed for hacking, these tools are built for lawful purposes, often used by IT professionals in companies. Their genuine nature makes them particularly dangerous, as they can bypass traditional security measures and user suspicion.

****The Deception of Legitimate RATs****

Threat actors are leveraging the inherent trust in these tools to gain access to victim machines, researchers noted in the blog post shared with Hackread.com. Once installed, these legitimate RATs become a gateway for delivering further harmful programs, spying on user activities, or stealing sensitive information like passwords and confidential business records. The versatility of these tools, combined with their appearance of being trustworthy software, makes them a potent weapon in the hands of cybercriminals.

Cofense Intelligence highlighted several frequently abused legitimate RATs. ConnectWise ScreenConnect, previously known as ConnectWise Control and ScreenConnect, emerged as the most popular choice for attackers in 2024, appearing in 56% of active threat reports involving legitimate RATs.

“ConnectWise RAT is the most popularly abused legitimate remote access tool and accounted for 56% of all active threat reports (ATRs) with legitimate remote access tools in 2024,” wrote Kahng An from Cofense’s Intelligence Team in their report.

Its popularity is surging further in 2025, with current attack volumes already matching those seen throughout last year. Another tool, FleetDeck, saw a surge in use during the summer of 2024, particularly targeting German and French speakers with finance-themed lures.

****Common Attack Methods and Global Impact****

Attackers employ various methods to trick victims into installing these tools. For ConnectWise ScreenConnect, notable campaigns include spoofing the US Social Security Administration with emails falsely claiming to offer updated benefit statements.

Source: Cofense  

These emails often contain links to fake PDF files or directly to the RAT installer. Another tactic observed since February 5, 2025, involves emails pretending to be notifications about shared files on “filesfm,” leading victims to download a seemingly legitimate OneDrive client that is, in fact, the ConnectWise RAT installer.

According to Cofense, other legitimate RATs are also being exploited. Atera, a comprehensive remote monitoring and management suite that integrates with tools like Splashtop, has been used in campaigns targeting Portuguese speakers in Brazil with fake legal notices and invoices since October 2024.

Source: Cofense

Smaller, less common RATs like LogMeIn Resolve (GoTo RAT), Gooxion RAT, PDQ Connect, Mesh Agent, N-Able, and Teramind have also been observed in various, often localized, campaigns.

The ease and low cost of acquiring these tools allow attackers to quickly switch between different ones, posing a continuous challenge for cybersecurity protection, Cofense researchers concluded, adding that such campaigns are typically one-off events that are hard to sustain.

“These campaigns are generally one-off events and do not appear to be sustained over time. It is possible that the threat actors quickly pivot between different RATs because of the overall large number of different options that are available on the market.”

ConnectWise ScreenConnect Tops List of Abused RATs in 2025 Attacks

Operation Endgame takes down DanaBot malware network; 300 servers neutralized, €21.2M in crypto seized, 16 charged, 20 international warrants.

In a major international operation coordinated by Europol and Eurojust, law enforcement agencies and private sector partners have successfully dismantled the DanaBot malware network.

This global effort, part of the ongoing Operation Endgame, led to federal charges against 16 individuals, the neutralization of approximately 300 servers and 650 domains worldwide between May 19 and 22, 2025, and the issuance of international arrest warrants for 20 targets. Over EUR 21.2 million in cryptocurrency has also been seized in total during Operation Endgame, including EUR 3.5 million during this latest action week.

The DanaBot malware, controlled by a Russia-based cybercrime organization, infected over 300,000 computers globally, causing at least an estimated $50 million in damages through fraud and ransomware. Among those charged by the US Department of Justice (DoJ) are Aleksandr Stepanov, 39, and Artem Aleksandrovich Kalinkin, 34, both from Novosibirsk, Russia, who remain at large.

****DanaBot’s Evolution Tactics****

DanaBot, first identified in May 2018, operated as a _malware-as-a-service_ (MaaS), renting its capabilities to other criminals. It was highly versatile, stealing banking credentials, browsing history, and even cryptocurrency wallet information, while also offering remote access, keylogging, and screen recording. Initial infections often came via spam emails. Hackread.com notably reported on DanaBot’s emergence in 2019, when Proofpoint researchers first detailed its spread.

ESET, which has carefully tracked DanaBot since 2018, confirmed its evolution into a top banking malware, noting that countries like Poland, Italy, Spain, and Turkey were historically among its most targeted.

ESET researcher Tomáš Procházka added, “Apart from exfiltrating sensitive data, we have observed that Danabot is also used to deliver further malware, which can include ransomware, to an already compromised system.”

More recently, a new version of DanaBot has been found hidden in pirated software keys for “free VPN, anti-virus software and pirated games,” tricking users downloading from bogus sites.

DanaBot Infrastructure (Source: ESET)

Beyond financial crime, the investigation revealed DanaBot’s sinister dual purpose. A variant, tracked by CrowdStrike as SCULLY SPIDER, targeted military, diplomatic, and government entities in North America and Europe for espionage, and was observed by ESET launching DDoS attacks against targets like Ukraine’s Ministry of Defense following the Russian invasion.

According to Europol’s press release, this massive takedown is an evidence to extensive international cooperation. The investigation was spearheaded by the FBI’s Anchorage Field Office and the Defense Criminal Investigative Service (DCIS), with significant assistance from Germany’s Bundeskriminalamt (BKA), the Netherlands National Police, and the Australian Federal Police.

Europol and Eurojust provided crucial coordination, with a command post at Europol HQ involving investigators from Canada, Denmark, France, Germany, Netherlands, UK, and US.

Numerous private cybersecurity companies provided critical technical assistance, including Amazon, CrowdStrike, ESET, Flashpoint, Google, Intel 471, Lumen, PayPal, Proofpoint, Team Cymru, and ZScaler. ESET Research specifically contributed technical analysis of the malware and its backend infrastructure, along with identifying DanaBot’s command and control servers.

German authorities will add 18 suspects to the EU Most Wanted list from May 23, 2025. This coordinated action is a major blow to cybercriminal networks, showing the power of global partnerships against growing cybersecurity threats.

Operation Endgame is aimed at breaking the “ransomware kill chain.” So far authorities have neutralised initial access malware like Bumblebee, Latrodectus, Qakbot, Hijackloader, Trickbot and Warmcookie.

Source

HackRead