Eastern Idaho College
May 30, 2025
•[ malware ]
Malware infection discovered around May 30, 2025 forced College of Eastern Idaho to shut down all computer systems, including internet and email services, for several days; operations gradually restored; no data theft or encryption reported.
West Texas Oral Facial Surgery
May 29, 2025
•[ hack, ransomware, leak ]
West Texas Oral Facial Surgery suffered a cyberattack beginning May 29, 2025, when INC RANSOM gained unauthorized access to its systems. Patient files including names, imaging data, and treatment reasons were exfiltrated, but no encryption of systems was reported. SSNs, financial information, and the electronic medical records system were not affected. The breach impacted over 11,000 individuals and was reported to HHS-OCR on August 2 and to the Texas Attorney General on August 4.
Multiple Thai bank ATMs
May 28, 2025
•[ skimming, malware ]
Police arrested a Bulgarian for allegedly installing devices/malware on ATMs; article cites arrests rather than a confirmed disruptive/theft effect on a named victim org. Not coded as a cyberattack event.
Operation Endgame 2.0
May 23, 2025
•[ ransomware, malware, government ]
In May 2025, a coalition of law enforcement agencies took down the criminal infrastructure behind the malware used to launch ransomware attacks in a new phase of "Operation Endgame". This followed the first Operation Endgame exercise a year earlier, with the latest action resulting in 15.3M victim email addresses being provided to HIBP by law enforcement. A further 43.8M victim passwords were also provided for HIBP's Pwned Passwords service.
ApolloMD (Business Associate to 11 Physician Practices)
May 22, 2025
•[ ransomware, malware, healthcare ]
ApolloMD confirmed unauthorized access to its network on May 2223 2025 affecting 11 affiliated physician practices. The Qilin ransomware group claimed to have stolen approximately 238 GB of data, including patient and insurance information. ApolloMD did not confirm encryption or ransom payment.
Independent film makers
May 21, 2025
•[ espionage, malware, government ]
While detained in May 2025, filmmakers phones were allegedly infected with FlexiSPY; forensic analysis ties installation to police custody (May 21). Devices were returned July 10. CPJ/Citizen Lab publicly detailed findings on Sept 1012; The Standard reported the allegations Sept 10.
Union County (Ohio) government / county systems
May 18, 2025
•[ ransomware, malware, government ]
A ransomware attack on Union County, Ohios public administration systems led to both encryption and data exfiltration. Data was stolen from internal government databases containing personal, financial, and biometric records of 45,487 individuals. Approximately 12 systems were encrypted, causing partial disruption for several days. No ransomware group has claimed responsibility.
PDI Health
May 14, 2025
•[ ransomware, leak, malware ]
On May 14, 2025, PDI Health discovered a cyberattack when the Everest ransomware group infiltrated its internal systems and exfiltrated sensitive patient records. The group leaked samples and claimed responsibility on the dark web, revealing more than 373,000 records stolen. No evidence of encryption or service disruption was confirmed.
Undisclosed U.S. government agency (reported as “Department of Government Efficiency”)
May 8, 2025
•[ infostealer, malware, credential leak ]
Ars Technica reports a government software engineers workstation was infected with info-stealing malware, with login credentials appearing in multiple stealer-log dumps since 2023; investigation centers on credential exposure rather than confirmed enterprise compromise.
Undisclosed U.S. government agency (reported as “Department of Government Efficiencyâ€Â)
May 8, 2025
•[ malware, infostealer, credential theft ]
Ars Technica reports a government software engineers workstation was infected with info-stealing malware, with login credentials appearing in multiple stealer-log dumps since 2023; investigation centers on credential exposure rather than confirmed enterprise compromise.
KazMunaiGas
May 5, 2025
•[ social, hack, phishing ]
A spear-phishing campaign disguised as internal HR communications delivered multi-stage malware to KMG employees. Attackers used a compromised business email, LNK downloader, PowerShell (DOWNSHELL), and DLL implant to establish reverse shell access. KMG later labeled it a phishing test.
Alcaldía de Cáchira
May 2, 2025
•[ malware, theft ]
Authorities arrested suspects accused of using malware to access municipal accounts and steal $1.935 million COP from the Cchira mayors office.
AlcaldÃÂa de Cáchira
May 2, 2025
•[ malware, financial theft, unauthorized access ]
Authorities arrested suspects accused of using malware to access municipal accounts and steal $1.935 million COP from the Cchira mayors office.
Government entities (36, Central Asia & APAC)
May 1, 2025
•[ espionage, phishing, malware ]
Phishing lures and Telegram botbased malware were used by the ShadowSilk cluster to compromise 36 government entities across Central Asia and the Asia-Pacific region between May and July 2025. The campaign focused on espionage, enabling unauthorized access and data theft, and was publicly reported in August 2025 by The Hacker News.
Multiple devices at undisclosed telecommunications firm(s)
May 1, 2025
•[ social, hack, phishing ]
UNC1549 (Subtle Snail) compromised multiple devices at an undisclosed telecommunications firm in Canada using LinkedIn job-lures and the MINIBIKE backdoor; Azure-hosted C2 infrastructure was observed. No confirmed data exfiltration volumes or operational disruption reported.
Multiple devices at undisclosed telecommunications firm(s)
May 1, 2025
•[ social, espionage, phishing ]
UNC1549 (Subtle Snail) compromised multiple devices at an undisclosed telecommunications firm in France using LinkedIn job-lures and the MINIBIKE backdoor; Azure-hosted C2 infrastructure was observed. No confirmed data exfiltration volumes or operational disruption reported.
Multiple devices at undisclosed telecommunications firm(s)
May 1, 2025
•[ social, hack, malware ]
UNC1549 (Subtle Snail) compromised multiple devices at an undisclosed telecommunications firm in United Arab Emirates using LinkedIn job-lures and the MINIBIKE backdoor; Azure-hosted C2 infrastructure was observed. No confirmed data exfiltration volumes or operational disruption reported.
Multiple devices at undisclosed telecommunications firm(s)
May 1, 2025
•[ social, hack, malware ]
UNC1549 (Subtle Snail) compromised multiple devices at an undisclosed telecommunications firm in United Kingdom using LinkedIn job-lures and the MINIBIKE backdoor; Azure-hosted C2 infrastructure was observed. No confirmed data exfiltration volumes or operational disruption reported.
Multiple devices at undisclosed telecommunications firm(s)
May 1, 2025
•[ hack, social, malware ]
UNC1549 (Subtle Snail) compromised multiple devices at an undisclosed telecommunications firm in United States of America using LinkedIn job-lures and the MINIBIKE backdoor; Azure-hosted C2 infrastructure was observed. No confirmed data exfiltration volumes or operational disruption reported.
Kuala Lumpur City Hall
May 1, 2025
•[ malware ]
Malaysias NACSA acknowledged an alleged malware incident at DBKL; City Hall said access to several online services was gradually restored from May 1 with full recovery targeted by late May.
