
Threat Report 5/29/25

Law Enforcement Disrupts Initial Access Malware Strains


An international law enforcement operation coordinated by Europol and Eurojust has dismantled infrastructure used by popular initial access malware strains. The operation targeted Qakbot, Trickbot, Bumblebee, Latrodectus, HijackLoader, DanaBot, and WarmCookie. Europol notes that these malware strains are frequently used to stage ransomware: "From 19 to 22 May, authorities took down some 300 servers worldwide, neutralised 650 domains, and issued international arrest warrants against 20 targets, dealing a direct blow to the ransomware kill chain."

Marks & Spencer Expects to Lose Over $400 Million Due to Cyberattack

British retailer Marks & Spencer (M&S) expects the cyberattack the company sustained last month to cause losses of around £300 million ($402 million), nearly one-third of the company's annual profits, CNBC reports. The retailer doesn't expect to fully recover from the incident until July. 

M&S's CEO Stuart Machin disclosed that the hackers gained access through a third-party contractor, stating, "Unable to get into our systems by breaking through our digital defences, the attackers did try another route resorting to social engineering and entering through a third party rather than a system weakness." Reuters cites a source as saying this contractor was Tata Consultancy Services, which M&S uses for helpdesk support.

BleepingComputer says the incident was a ransomware attack in which "threat actors used a DragonForce encryptor to encrypt virtual machines on VMware ESXi hosts." 


Russian GRU Targeting Western Logistics Entities and Technology Companies

On May 21, 2025, CISA, along with the National Security Agency (NSA), Federal Bureau of Investigation (FBI), and international partners from Australia, Canada, New Zealand, and the United Kingdom, issued a joint cybersecurity advisory detailing malicious cyber activities by Russia’s GRU (Military Unit 26165), commonly known as APT28 or Fancy Bear. 

APT28, a well-known Russian state-sponsored threat actor, has been conducting a persistent cyber espionage campaign against organizations in the United States and allied countries. The focus of this campaign includes: 

  • Targeted Entities: Primarily U.S. and foreign government organizations, logistics firms, transportation entities, and technology providers involved in supporting Ukraine amidst ongoing geopolitical conflict. 
  • Espionage Goals: Intelligence collection related to aid shipments to Ukraine, particularly through cyber access to organizations that coordinate or support such logistics. 

APT28 leverages known but effective techniques to gain and maintain access: 

  • Password Spraying: Attempting to authenticate into accounts using commonly used passwords across multiple usernames. 
  • Spearphishing Emails: Sending targeted emails designed to trick recipients into providing credentials or downloading malware. 
  • Exploitation of Microsoft Exchange: Modifying mailbox folder permissions to maintain persistent access and covertly monitor communications. 
  • Surveillance of Border Activity: The actors were observed accessing compromised IP-based surveillance cameras near Ukrainian border crossings, likely to monitor the movement of aid and supplies. 

The advisory stresses that these operations represent a continuation of a broader Russian strategy to collect intelligence on countries supporting Ukraine. By compromising logistics and infrastructure entities, the GRU seeks to gather situational awareness, potentially to undermine aid efforts or prepare for further disruptive activities. 

CISA and its partners recommend that all potentially affected or at-risk organizations: 

  • Conduct proactive threat hunting for indicators of compromise (IOCs) outlined in the advisory. 
  • Assume they may be a target if they provide logistical, technological, or governmental support to Ukraine. 
  • Implement robust authentication measures, monitor for abnormal mailbox access permissions, and follow mitigation guidance provided in the advisory.
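The advisory's note that APT28 modifies mailbox folder permissions, and the recommendation above to monitor for abnormal mailbox access permissions, can be turned into a recurring check. The following is an added example written for this report, not code from the advisory or from CISA; it assumes an Exchange Online (Connect-ExchangeOnline) or on-premises Exchange Management Shell session with rights to read mailbox permissions, and the folder types and severity labels are the author's assumptions.

```powershell
# Added example: list mailbox folders whose permission entries grant someone
# access. Default/Anonymous normally hold "None"; any other value on those
# principals is the pattern the advisory describes and is flagged High.
# Named delegates are flagged Review so they can be compared to a baseline.
$builtIns      = 'Default', 'Anonymous'          # principals that should carry no rights
$folderTypes   = 'Inbox', 'SentItems', 'DeletedItems'   # assumption: folders worth auditing first

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $folders = Get-MailboxFolderStatistics -Identity $mbx.Identity |
        Where-Object { $_.FolderType -in $folderTypes }

    foreach ($f in $folders) {
        # Get-MailboxFolderStatistics returns "/Inbox"; the permission cmdlet
        # wants "<mailbox>:\Inbox".
        $folderId = "$($mbx.Identity):$($f.FolderPath -replace '/', '\')"

        Get-MailboxFolderPermission -Identity $folderId -ErrorAction SilentlyContinue |
            ForEach-Object {
                $principal = "$($_.User)"
                $rights    = ($_.AccessRights -join ',')
                if ($rights -eq 'None') { return }   # nothing granted, skip

                [pscustomobject]@{
                    Mailbox      = $mbx.PrimarySmtpAddress
                    Folder       = $f.FolderPath
                    Principal    = $principal
                    AccessRights = $rights
                    Severity     = if ($principal -in $builtIns) { 'High' } else { 'Review' }
                }
            }
    }
}

# High first, then delegates to reconcile against known assistants/shared mailboxes.
$findings | Sort-Object Severity, Mailbox | Format-Table -AutoSize
$findings | Export-Csv -Path .\mailbox-folder-permissions.csv -NoTypeInformation
```

Run it on a schedule and diff the CSV against the previous run; a new entry on Default or Anonymous, or a delegate nobody requested, is the signal the advisory asks organizations to watch for.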


Most Top CISA Officials Are Losing Their Jobs 

Nearly all senior officials at the US Cybersecurity and Infrastructure Security Agency (CISA) will be let go by the end of the month, Cybersecurity Dive reports. The agency's deputy director, Madhu Gottumukkala, informed employees in an email that the leaders of five of CISA's six operational divisions and six of its ten regional offices will have lost their jobs by May 30th. 

Bridget Bean, the agency's executive director, said in a statement, "CISA is doubling down and fulfilling its statutory mission to secure the nation’s critical infrastructure and strengthen our collective cyber defense. We were created to be the cybersecurity agency for the nation, and we have the right team in place to fulfill that mission and ensure that we are prepared for a range of cyber threats from our adversaries." 

The widespread cuts have raised concern among some CISA employees. One anonymous employee told Cybersecurity Dive, "With [this] significant number of senior departures, several of which are leaders who have been here since the days of US-CERT, there’s a lot of anxiety around when the cuts and departures will finally stop and we can move forward as an agency." 

iClicker Website Compromised to Deliver Malware 
The website of iClicker, a popular student response and classroom engagement platform, was compromised to display a ClickFix social engineering attack designed to trick users into installing malware, BeyondMachines reports. ClickFix is a technique that silently copies a malicious command to the Windows clipboard, then instructs users to open a Run prompt, press Ctrl-V to paste, and hit Enter to run the command. In this case, the attack posed as a phony CAPTCHA verification prompt.

iClicker's site was compromised between April 12th and April 16th. Users who visited the site during that time and followed the directions of the fake CAPTCHA should be aware that they were likely infected. 
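Because ClickFix relies on the victim pasting a command into the Run dialog, Windows keeps a trace of it in the per-user RunMRU registry key. The script below is an added example for this report, not from BeyondMachines or iClicker; it reviews the current user's Run history for command text that looks like a pasted payload. The registry path is the standard RunMRU key, and the token watch list is the author's assumption.

```powershell
# Added example: surface Run-dialog history entries that resemble ClickFix payloads.
# RunMRU stores each command under a one-letter value whose data ends in "\1";
# the MRUList value gives the most-recently-used order of those letters.
function Get-SuspiciousRunMruEntries {
    param(
        [string]$KeyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU',
        # Assumed watch list: interpreters, downloaders and flags common in pasted one-liners.
        [string[]]$Patterns = @('powershell', 'pwsh', 'mshta', 'cmd', 'curl', 'certutil',
                                'bitsadmin', 'rundll32', '-enc', 'iex', 'invoke-expression',
                                '-w hidden', 'http')
    )

    if (-not (Test-Path $KeyPath)) { return @() }   # user has never used the Run dialog

    $props = Get-ItemProperty -Path $KeyPath
    $order = if ($props.MRUList) { $props.MRUList.ToCharArray() } else { @() }

    foreach ($ch in $order) {
        $name = [string]$ch
        $raw  = $props.$name
        if (-not $raw) { continue }

        $cmd  = $raw -replace '\\1$', ''            # strip the trailing "\1" marker
        $hits = $Patterns | Where-Object { $cmd -match [regex]::Escape($_) }

        if ($hits) {
            [pscustomobject]@{
                Rank    = [array]::IndexOf($order, $ch) + 1   # 1 = most recent
                Command = $cmd
                Matched = ($hits -join ',')
            }
        }
    }
}

Get-SuspiciousRunMruEntries | Format-Table -AutoSize
```

The key is per-user, so on a shared machine run the function against each loaded profile under HKEY_USERS; a match here only shows the Run dialog was used with that text, so follow up with process-creation logs for what actually executed.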
