Government entities (36, Central Asia & APAC)
May 1, 2025
•[ espionage, phishing, malware ]
Phishing lures and Telegram botbased malware were used by the ShadowSilk cluster to compromise 36 government entities across Central Asia and the Asia-Pacific region between May and July 2025. The campaign focused on espionage, enabling unauthorized access and data theft, and was publicly reported in August 2025 by The Hacker News.
Multiple devices at undisclosed telecommunications firm(s)
May 1, 2025
•[ social, hack, phishing ]
UNC1549 (Subtle Snail) compromised multiple devices at an undisclosed telecommunications firm in Canada using LinkedIn job-lures and the MINIBIKE backdoor; Azure-hosted C2 infrastructure was observed. No confirmed data exfiltration volumes or operational disruption reported.
Multiple devices at undisclosed telecommunications firm(s)
May 1, 2025
•[ social, espionage, phishing ]
UNC1549 (Subtle Snail) compromised multiple devices at an undisclosed telecommunications firm in France using LinkedIn job-lures and the MINIBIKE backdoor; Azure-hosted C2 infrastructure was observed. No confirmed data exfiltration volumes or operational disruption reported.
Multiple devices at undisclosed telecommunications firm(s)
May 1, 2025
•[ social, hack, malware ]
UNC1549 (Subtle Snail) compromised multiple devices at an undisclosed telecommunications firm in United Arab Emirates using LinkedIn job-lures and the MINIBIKE backdoor; Azure-hosted C2 infrastructure was observed. No confirmed data exfiltration volumes or operational disruption reported.
Multiple devices at undisclosed telecommunications firm(s)
May 1, 2025
•[ social, hack, malware ]
UNC1549 (Subtle Snail) compromised multiple devices at an undisclosed telecommunications firm in United Kingdom using LinkedIn job-lures and the MINIBIKE backdoor; Azure-hosted C2 infrastructure was observed. No confirmed data exfiltration volumes or operational disruption reported.
Multiple devices at undisclosed telecommunications firm(s)
May 1, 2025
•[ hack, social, malware ]
UNC1549 (Subtle Snail) compromised multiple devices at an undisclosed telecommunications firm in United States of America using LinkedIn job-lures and the MINIBIKE backdoor; Azure-hosted C2 infrastructure was observed. No confirmed data exfiltration volumes or operational disruption reported.
Kuala Lumpur City Hall
May 1, 2025
•[ malware ]
Malaysias NACSA acknowledged an alleged malware incident at DBKL; City Hall said access to several online services was gradually restored from May 1 with full recovery targeted by late May.
Undisclosed private company in Granada
May 1, 2025
•[ malware, man-in-the-middle ]
Approximately 13,000 was stolen after malware infected the email account of a private company in Granada, Spain, allowing attackers to monitor correspondence and alter supplier payment instructions. Six individuals were arrested in Spain in connection with the man-in-the-middle fraud.
Pike County (via Ohio Valley Technologies)
April 28, 2025
•[ ransomware, malware, government ]
Third-party ransomware attack via OVT disclosed April 28 2025. Resulted in unauthorized access and exfiltration of Pike Countys sensitive data for over 33,000 individuals. No encryption of county systems was reported.
SK Telecom
April 19, 2025
•[ malware, data leak ]
Malware on internal servers enabled theft of USIM identifiers and related network data over an extended period.
Chile national football team (official YouTube channel)
April 18, 2025
•[ malware, account takeover ]
Hackers hijacked the Chile national football teams verified YouTube channel (~43,000 subscribers) for about 48 hours (April 1820 2025), replacing legitimate videos with gaming content embedding malware links and maintaining full administrative control until recovery.
Pepe memecoin website
April 12, 2025
•[ website compromise, phishing, malware ]
The official website for the Pepe (PEPE) memecoin was compromised in a front-end attack that redirected visitors to a malicious site. According to Blockaid and Cointelegraph reporting, the compromised front-end contained code associated with the Inferno Drainer family and redirected users to a fake site that injects malicious code intended to drain crypto wallets. Users were advised to avoid interacting with the site while the issue was being addressed; the reporting did not quantify how many users were affected or whether wallet losses occurred.
At least one individual in southeast Asia
April 12, 2025
•[ malware, fraud, financially motivated attack ]
A criminal threat group tracked as GoldFactory distributed malware targeting users in Southeast Asia, compromising endpoint devices to enable fraud and other financially motivated activity.
Synthient Stealer Log Threat Data
April 11, 2025
•[ hack, malware, technology ]
During 2025, Synthient aggregated billions of records of "threat data" from various internet sources. The data contained 183M unique email addresses alongside the websites they were entered into and the passwords used. After normalising and deduplicating the data, 183 million unique email addresses remained, each linked to the website where the credentials were captured, and the password used. This dataset is now searchable in HIBP by email address, password, domain, and the site on which the credentials were entered.
Great Plains Federal Credit Union
April 8, 2025
•[ malware, jackpotting ]
On April 8, 2025, two ATMs at Great Plains Federal Credit Union branches in Salina, Kansas, were compromised in a jackpotting incident; attackers installed malware on the ATM OS to force illicit cash dispensing. Amount stolen not disclosed; no data theft reported.
Ukrainian government and military entities
April 1, 2025
•[ malware, data leak, espionage ]
Russian FSB 18th Center for Information Security (Gamaredon) deployed updated GammaSteel malware to exfiltrate sensitive data from Ukrainian government and defense networks in an ongoing espionage campaign; no operational disruption reported.
Undisclosed Ukrainian critical infrastructure organization
April 1, 2025
•[ malware, data exfiltration, wiper ]
The FSBs 18th Center for Information Security (Gamaredon) deployed PathWiper malware against an undisclosed Ukrainian critical-infrastructure operator in early April 2025, exfiltrating large volumes of operational data before executing a destructive wiper that caused temporary service degradation.
Multiple e-commerce stores using Magento extensions
April 1, 2025
•[ supply-chain attack, malware, webshell ]
Supply-chain compromise of 21 Magento extensions backdoored since 2019, activated in April 2025; between 5001,000 e-stores impacted; at least one webshell observed.
Samsung Germany Customer Tickets
March 30, 2025
•[ leak, malware, technology ]
In March 2025, data from Samsung Germany was compromised in a data breach of their logistics provider, Spectos. Allegedly due to credentials being obtained by malware running on a Spectos employee's machine, the breach included 216k unique email addresses along with names, physical addresses, items purchased from Samsung Germany and related support tickets and shipping tracking numbers.
Undisclosed European drone manufacturer
March 25, 2025
•[ phishing, social engineering, malware ]
North Korean operators approached European defense engineers with fake job offers, delivering loaders that sideloaded ScoringMathTea and BinMergeLoader/MISTPEN to exfiltrate proprietary UAV designs and manufacturing know-how. Intelligence-collection focus; campaign targets several firms rather than one discrete victim record.
