Cyber Briefing: 2025.05.21
Hazy Hawk hijacks DNS, More_Eggs hits HR, and fake Kling AI spreads malware. Cellcom, Kettering, and Peter Green suffer attacks, as the Dutch pass spy laws and LEV predicts future exploits.
👉 What's happening in cybersecurity today?
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
🚨 Cyber Alerts
1. Hazy Hawk Hijacks Cloud DNS For Web Scams
Threat actor Hazy Hawk hijacks abandoned cloud resources of major organizations by exploiting DNS CNAME misconfigurations. The hijacked, reputable domains are then used for adtech scams and malware distribution, not espionage. The attacks involve cloning sites, luring users, and funneling them through traffic distribution systems. Domain owners should remove old CNAME records, while users must deny notification requests from unknown websites.
2. Venom Spider's More_Eggs Malware Hits Hiring
The More_Eggs JavaScript backdoor by Venom Spider targets corporate HR departments via fake job application emails. Distributed as Malware-as-a-Service, it uses malicious LNK files in ZIPs to deploy the backdoor. This polymorphic malware achieves persistence and uses living-off-the-land techniques, abusing legitimate Windows files. Its final JavaScript payload employs advanced anti-analysis and server-side polymorphism to evade detection.
3. Fake Kling AI Sites Spread Malware To Users
A phishing campaign created fake Kling AI sites and used Facebook ads to deliver malware to users. Victims were lured to spoofed pages and tricked into downloading malware disguised as AI-generated media. The attackers used filename masquerading and anti-analysis techniques, deploying PureHVNC RAT as the payload. This RAT steals cryptocurrency wallet data, with evidence suggesting possible links to Vietnamese threat actors.
💥 Cyber Incidents
4. Cellcom Cyberattack Causes Service Outage
Wisconsin's Cellcom confirmed a cyberattack caused widespread voice and SMS outages starting May 14th. The CEO stated protocols were followed, experts were engaged, and no personal data was compromised. Users experienced significant service disruptions, and Cellcom began partial service restoration on May 19th. Cellcom estimates full service restoration by this week's end and advises users on recovery steps.
5. UK Peter Green Chilled Hit By Ransomware
U.K. refrigerated goods supplier Peter Green Chilled suffered a ransomware attack, disrupting supermarket supplies. The attack impacted IT order systems, with customers warned of potential product spoilage. This incident follows other attacks on the British retail sector, renewing calls for tougher government action on ransomware. While U.K. ransomware attacks rise, experts suggest hacking back against gangs amid concerns of underreporting.
6. Ohio Kettering Health Faces Cyberattack
Ohio's Kettering Health network suffered a cyberattack Tuesday, causing a system-wide outage and procedure cancellations. The CEO confirmed the attack, stating no personal data was compromised but warning of scam calls. The Interlock ransomware gang is likely responsible for this attack, which hit critical patient care systems. While emergency services are open, Kettering Health is working to restore full operations by the weekend.
📢 Cyber News
7. New Dutch Law Targets Wider Cyber Espionage
The Dutch government passed a new law criminalizing broader espionage, including digital forms, with harsher penalties. This law, effective May 15, extends beyond state secrets to acts harming Dutch interests for foreign powers. It specifically targets modern threats like digital diaspora economic espionage and political manipulation. This legislative update aims to bolster Dutch national security against rising foreign cyber threats.
8. NIST CISA New Metric Predicts Exploit Risk
NIST and CISA researchers developed a new security metric called Likely Exploited Vulnerabilities (LEV) to predict vulnerability exploitation. This metric augments EPSS and CISA's KEV catalog, addressing their known inaccuracies and comprehensiveness issues. LEV identified hundreds of vulnerabilities with high exploitation probability, many not on KEV lists. While KEV lists known exploits, LEV helps compute future risks, and the researchers are seeking industry partners.
9. Teen Hacker Admits PowerSchool Cyberattack
A 19-year-old student from Worcester, Massachusetts, pleaded guilty to a major cyberattack. The attack targeted PowerSchool, compromising data of over 70 million students and teachers. Lane accessed PowerSchool using credentials stolen from a telecom contractor in 2022. After demanding millions in ransom, he also tried extorting individual school districts.
📈 Cyber Stocks
On May 20, 2025, Zscaler fell 0.25%, CrowdStrike Holdings dropped 0.47%, while Palo Alto Networks, Fortinet, and SentinelOne posted modest gains under 0.5%.
💡 Cyber Tip
Be cautious with push notifications and suspicious links.
A threat actor named Hazy Hawk is hijacking abandoned cloud services and using trusted domains to host fake ads, scams, and malware. These attacks make scam websites look legitimate by using known names.
✅ What you should do
Never allow push notifications from websites you do not fully trust. Always click “Block” if a site prompts you unexpectedly.
Avoid clicking on links in shady ads, pop-ups, or offers for pirated software, even if they appear to come from well-known sources.
Use a trusted browser extension or ad blocker to reduce exposure to malicious advertisements.
Stay alert when a website redirects you or shows many pop-ups and requests. These are often signs of a scam.
✅ Why this matters
Cybercriminals are taking over abandoned domains to make their fake websites appear trustworthy. One careless click can expose you to malware, fake apps, or endless scam notifications.
📚 Cyber Book
Cunning Cons - Your Guide To Dodging Modern Scams by Brenda Johnson
That concludes today’s briefing.
Copyright © 2025 CyberMaterial. All Rights Reserved.