SecurityWeek’s cybersecurity news roundup provides a concise compilation of noteworthy stories that might have slipped under the radar.
We provide a valuable summary of stories that may not warrant an entire article, but are nonetheless important for a comprehensive understanding of the cybersecurity landscape.
Each week, we curate and present a collection of noteworthy developments, ranging from the latest vulnerability discoveries and emerging attack techniques to significant policy changes and industry reports.
Here are this week’s stories:
EncryptHub unmasked
The threat actor known as EncryptHub (aka Larva-208) appears to be a Ukrainian national who has been involved in cybercrime activities while trying to find a legitimate job, according to Outpost24. Poor OPSEC enabled Outpost24 researchers to track the man’s life in recent years, but they have not made his name public. He was recently credited by Microsoft for responsibly disclosing two vulnerabilities.
Neptune RAT steals passwords from 270 applications
Cyfirma has analyzed Neptune RAT, a remote access trojan targeting Windows systems with destructive capabilities and the ability to steal passwords from over 270 applications. The malware uses various persistence methods and anti-analysis techniques, and it also packs ransomware, cryptocurrency clipper, desktop monitoring, and anti-antivirus capabilities.
Google details Russian espionage aimed at Europe
Google Cloud has shared details on the tactics and techniques of UNC5837, a Russia-linked threat actor, in cyberespionage attacks aimed at government and military organizations in Europe. Google’s report focuses on how the attackers leveraged lesser-known RDP features to gain access to victims’ devices and exfiltrate data. The campaign was previously analyzed by Microsoft and AWS.
WK Kellogg data breach
Food giant WK Kellogg is notifying employees that their information may have been compromised in the Cleo attack conducted by the Cl0p ransomware group. It’s unclear how many people are impacted by the data breach, but the number may be low. In Maine, for instance, only one impacted individual has been identified.
Rydox cybercrime marketplace admins extradited to US
Kosovo nationals Ardit Kutleshi and Jetmir Kutleshi have been extradited from Kosovo to the United States, where they face identity theft, money laundering, and access device fraud charges related to their alleged roles as administrators of the Rydox cybercrime marketplace, which authorities disrupted late last year.
Significant healthcare data breaches
Two more relatively significant healthcare data breaches came to light recently. Mercer County Joint Township Community Hospital is notifying 88,000 people that their personal information, including SSNs and financial information, may have been stolen in a cyberattack that took place in April 2024.
The second involves Central Texas Pediatric Orthopedics, which was recently targeted by the Qilin ransomware group. An investigation showed that the cybercriminals managed to steal personal and health information belonging to 140,000 people.
Governments detail spyware targeting Uyghur, Taiwanese and Tibetan groups
Government agencies in the UK, US, Germany, Canada, Australia, and New Zealand have published a joint report detailing BadBazaar and Moonshine, two pieces of spyware used in attacks aimed at Uyghur, Taiwanese and Tibetan groups. Unsurprisingly, the malware has been attributed to Chinese state-sponsored threat actors.
Splunk and Palo Alto Networks patches
Splunk has published 15 advisories describing the third-party package updates of April 2025. The updates mostly address critical- and high-severity vulnerabilities in Juniper, Microsoft, Symantec, and other components.
Palo Alto Networks has published nearly a dozen new advisories. A majority of them address medium- and low-severity issues affecting Cortex XDR, PAN-OS, Prisma and GlobalProtect products. The security holes can allow command injection, DoS attacks, information disclosure, user impersonation, and privilege escalation. The security giant says there is no evidence of in-the-wild exploitation.
Scattered Spider still active despite arrests
Despite several of its members being arrested and prosecuted, the Scattered Spider cybercrime group is still active. According to Silent Push, the hackers this year have targeted services such as Klaviyo, HubSpot, and Pure Storage, as well as brands such as Chick-fil-A, Forbes, Instacart, Louis Vuitton, Morningstar, News Corporation, Nike, X, Tinder, T-Mobile, and Vodafone.
Fortinet says hackers exploiting known vulnerabilities with new techniques
Fortinet has informed customers that threat actors have been observed exploiting known vulnerabilities “with a new technique to maintain read-only access to vulnerable FortiGate devices after the original access vector was locked down”. The company’s investigation determined that the attacks were not aimed at a specific region or sector.