Cyber Briefing: 2025.05.01
Ransomware and phishing threats reveal hidden backdoors, update abuse, and global attacks across WordPress, healthcare, routers, and critical infrastructure systems worldwide.
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
👉 What's going on in the cyber world today?
🚨 Cyber Alerts
1. Malware Hides in WordPress Security Plugin
A new malware campaign is covertly targeting WordPress sites through a malicious plugin disguised as a security tool. The plugin gives attackers full administrator access, remote code execution, and the ability to inject JavaScript, all while staying hidden from the dashboard. It reactivates automatically via a modified wp-cron.php file even if deleted, ensuring persistent control. Wordfence urges site owners to examine files like wp-cron.php and header.php for unexpected changes and to review access logs for suspicious parameters such as emergency_login and check_plugin.
2. Spellbinder Tool Used to Abuse App Updates
A China-linked APT group known as TheWizards was linked to a lateral movement tool named Spellbinder. The tool enables IPv6-based adversary-in-the-middle attacks that hijack DNS and software update mechanisms. It abuses updates from Chinese apps like Sogou Pinyin and Tencent QQ to deploy malware such as WizardNet. The malware campaign also involves Android-targeting payloads tied to a Chinese contractor, suggesting organized backing.
3. Nitrogen Ransomware Deploys Cobalt Strike
The Nitrogen ransomware campaign leverages deceptive malvertising strategies to infect organizations. Attackers distribute counterfeit software, like a fake “WinSCP” installer, through malicious ads on platforms like Bing. This triggers DLL sideloading that leads to the installation of ransomware and Cobalt Strike for lateral movement. Forensic analysis reveals sophisticated evasion techniques and highlights the need for improved defenses against such advanced threats.
💥 Cyber Incidents
4. Ascension Data Breach Hits Patients Again
Ascension Health disclosed a data breach affecting over 100,000 individuals through a former business partner’s compromised system. Hackers exploited software vulnerabilities in Cleo’s file transfer platform used by the unnamed partner. The Clop ransomware group likely stole names, Social Security numbers, contact details, diagnoses, and inpatient records. The breach impacted patients in Alabama, Michigan, Indiana, Tennessee, and Texas. Notifications sent to authorities confirm more than 114,700 people were affected.
5. Co-operative Group Reports Cyber Incident
UK retail giant The Co-operative Group reported it took some IT systems offline after detecting attempted cyber intrusions. The company said it acted proactively to protect internal systems, which led to disruptions in back-office operations and call center services. Despite the attack, all Co-op retail stores remain fully operational, and customers are not being asked to take any special measures. While the company is working with the UK’s National Cyber Security Centre, it has not disclosed the nature of the attack or whether customer data was compromised.
6. Poland’s State Registers System DDoS Attack
Poland's State Registers System was targeted by a DDoS attack yesterday morning, temporarily disrupting services. The cybercriminals aimed to paralyze key systems on a crucial day for tax submissions and public registrations. The Ministry of Digital Affairs confirmed the attack but assured that no security breaches occurred, and no personal data was compromised. Temporary difficulties affected services like mObywatel, tax settlements, and car registrations, but all services are now operational. The Cyber Police and the Internal Security Agency are actively investigating the incident, with officials noting that Poland faces frequent cyberattacks, often from Russian sources.
📢 Cyber News
7. US Advances Bill to Assess Router Security
The US House of Representatives passed the ROUTERS Act, focusing on security risks from foreign-made routers. The bill mandates the Commerce Department to investigate networking equipment from adversarial nations, with a focus on China. It aims to protect US communication systems from vulnerabilities exploited in cyberattacks. The act follows increasing concerns about the role of routers in cyber intrusions by state-backed act
8. OASIS Proposes to Standardize Product Lifecycles
A coalition of tech giants including Cisco, Microsoft, and IBM has introduced OpenEoX. This draft framework aims to standardize end-of-life (EoL) notices for software and hardware products. By defining four key lifecycle milestones, OpenEoX hopes to make security patch tracking more consistent and automated. The initiative, which is still in early stages, seeks public feedback before finalizing the proposal into a formal standard.
9. FBI Dismantled LabHost’s PhaaS Network
The FBI dismantled LabHost’s phishing-as-a-service network, uncovering 42,000 malicious domains used from 2021 to 2024. The PhaaS platform let criminals impersonate banks, government sites, and streaming services to harvest credentials and credit card data. Investigators estimate over one million victims fell prey to LabHost schemes, which also supported smishing and real-time 2FA interception. The FBI advises reviewing logs for domain connections, blacklisting indicators of compromise, and reporting threats to local field offices.
💡 Cyber Tip
Scan WordPress Sites for Malicious Plugins Disguised as Security Tools
A new malware campaign hides in fake WordPress security plugins, giving attackers full admin access and persistent control via modified system files.
✅ Actions You Should Take:
Audit installed plugins – Remove any unfamiliar or recently added plugins, especially those not from trusted sources.
Check wp-cron.php and header.php – Look for suspicious code or changes that could indicate backdoor activity.
Monitor login activity – Review access logs for unusual parameters like emergency_login or check_plugin.
Why it matters: These stealthy plugins can survive deletion and grant attackers long-term access to your site, posing serious risks to your users, data, and reputation.
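To make the log review step repeatable, the following Python script is an added example (not from the newsletter or from Wordfence) that flags access-log requests whose query string carries either parameter named above. The Apache-style combined log format and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names called out in the Wordfence advisory summarised above.
SUSPICIOUS_PARAMS = {"emergency_login", "check_plugin"}

# Matches the request portion of an Apache/nginx-style access log entry:
# "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation-range IPs, not real clients).
SAMPLE_LOG = """\
203.0.113.7 - - [01/May/2025:08:12:01 +0000] "GET /wp-cron.php?emergency_login=1 HTTP/1.1" 200 512
198.51.100.4 - - [01/May/2025:08:12:05 +0000] "GET /?p=42 HTTP/1.1" 200 10240
203.0.113.7 - - [01/May/2025:08:13:22 +0000] "POST /index.php?check_plugin HTTP/1.1" 200 128
192.0.2.9 - - [01/May/2025:08:14:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3072
""".splitlines()


def suspicious_requests(log_lines):
    """Return (line_no, client_ip, [param names]) for each request whose
    query string contains one of SUSPICIOUS_PARAMS.

    Only URL query strings are visible in access logs; a parameter sent in a
    POST body will not appear here, so treat an empty result as
    "nothing seen in the query string", not as a clean bill of health.
    """
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line we can parse
        query = urlsplit(match.group("target")).query
        # keep_blank_values so a bare "?check_plugin" (no value) is still counted
        present = set(parse_qs(query, keep_blank_values=True))
        found = present & SUSPICIOUS_PARAMS
        if found:
            client_ip = line.split(" ", 1)[0]
            hits.append((line_no, client_ip, sorted(found)))
    return hits


if __name__ == "__main__":
    for line_no, ip, params in suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: {ip} used suspicious parameter(s) {', '.join(params)}")
```

Point the function at your own access log (for example `open("/var/log/apache2/access.log")`) and pair any hit with a review of the same client's other requests and of wp-cron.php and header.php.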
📚 Cyber Book
The Confidence Game: The Psychology of the Con and Why We Fall for It Every Time by
Copyright © 2025 CyberMaterial. All Rights Reserved.