Friday Edition – Threat Actor Activity – 06/06/25

At a Glance

  • North Korea / Play Ransomware – Over 900 organizations across the Americas and Europe compromised this week, including critical infrastructure, via double-extortion attacks.
  • China / DragonForce – Marks & Spencer suffered a £300M-impact ransomware attack; attackers directly emailed executives with racist threats and ransom demands.
  • Iran / BladedFeline (OilRig subgroup) – Long-running cyberespionage campaign targeting Kurdish and Iraqi officials, attributed to Iranian state-backed actors.
  • India / Bitter APT – New evidence links the Bitter APT group to the Indian government, with cyber-espionage operations targeting government and defense organizations across Asia, Europe, and South America.
  • Russia / GRU – Ongoing cyber campaigns targeting Western logistics and technology firms, including those assisting Ukraine, as part of broader geopolitical objectives.

Key Threat Developments

Nation-State Actors

  • North Korea / Play Ransomware – The FBI and CISA have issued a joint advisory highlighting a surge in Play ransomware attacks, impacting over 900 organizations across North and South America and Europe. The group employs a double extortion model, encrypting systems after data exfiltration.
  • China / DragonForce – Marks & Spencer, a major UK retailer, suffered a significant ransomware attack attributed to the Chinese-linked group DragonForce. The most insane part of this is the message that was sent, on the day that I'm writing this, which is remarkably vile and offensive and was sent straight to the CEO's email inbox. I won't repeat what was said here, but feel free to find out for yourselves.
  • Iran / BladedFeline (OilRig subgroup) – A cyberespionage group with suspected ties to Iran has been targeting Kurdish and Iraqi government officials in a years-long campaign. The group, dubbed BladedFeline, is believed to be a subgroup of the Iranian state-backed actor OilRig.
  • India / Bitter APT – Researchers have uncovered new evidence linking the long-running threat actor known as Bitter to the Indian government. The group has been involved in cyber-espionage operations targeting government and defense organizations across Asia, Europe, and South America.
  • Russia / GRU – The National Security Agency (NSA) and allied entities have released a Cybersecurity Advisory highlighting Russian GRU's cyber campaigns targeting Western logistics entities and technology companies, including those involved in providing assistance to Ukraine.

Cybercriminal Groups

  • Play Ransomware – The Play ransomware group continues to impact critical infrastructure entities, employing a double extortion model and threatening to publish exfiltrated data on their leak site if ransom demands are not met.
  • SafePay and DevMan – SafePay has emerged as a major ransomware threat, taking the top spot among ransomware groups in May 2025. Overall, ransomware groups claimed 384 victims in May, marking the third straight monthly decline.
  • Fog Ransomware – Initially targeting U.S. higher education institutions, Fog ransomware has expanded its reach to include sectors such as business services, manufacturing, finance, government, and technology. The group typically gains initial access through compromised VPN credentials and exploits vulnerabilities in VPN gateways.
  • Emerging Ransomware Groups – Seven new ransomware groups have surfaced with active leak sites and confirmed victim postings, including Silent Ransomware, Gunra Ransomware, JGroup Ransomware, IMN Crew, DireWolf Ransomware, DataCarry Ransomware, and SatanLock Ransomware.

Victimology & Impact

  • Retail Sector – Marks & Spencer and other UK retailers have been targeted by ransomware attacks, leading to significant operational disruptions and financial losses. This is still a major issue for M&S even weeks after the initial ransomware attack, with an estimated £300M in profit losses.
  • Critical Infrastructure – Over 900 organizations, including critical infrastructure providers across North and South America and Europe, have been compromised by Play ransomware attacks.
  • Government Officials – Kurdish and Iraqi government officials have been targeted in a long-running cyberespionage campaign attributed to Iranian state-backed actors.

Tactics & Techniques Observed

  • Double Extortion – Play ransomware employs a double extortion model, encrypting systems after exfiltrating data and threatening to publish the data if ransom demands are not met.
  • Credential Theft & Lateral Movement – Fog ransomware operators use tools like Cobalt Strike and Mimikatz to escalate privileges and move laterally within networks, leveraging techniques such as pass-the-hash attacks and credential extraction.
  • Phishing & Exploitation – RansomHub operators have been observed leveraging phishing attacks, password spraying, and exploitation of CVEs for initial access, followed by reconnaissance using tools like AngryIPScanner and Nmap.

Indicators of Compromise (IOCs)

  • Play Ransomware – Contact emails ending in @gmx[.]de or @web[.]de; data leak site on the Tor network.
  • Fog Ransomware – Use of Cobalt Strike, Mimikatz, PsExec, and RDP for lateral movement; exploitation of VPN vulnerabilities.
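The two IOC bullets above can be turned into a small matcher that scans log lines for Play contact addresses (handling the defanged `[.]` form) and for the Fog tooling names in process-creation events. This is an added example, not code from the newsletter or from any advisory it cites; the log lines are constructed and the function and field names are hypothetical.

```python
import re
from dataclasses import dataclass

# Contact-email domains cited for Play ransomware (written defanged on the page).
PLAY_CONTACT_DOMAINS = {"gmx.de", "web.de"}
# Tooling cited for Fog lateral movement; matched case-insensitively against the line.
FOG_TOOL_HINTS = {"cobalt strike": "Cobalt Strike", "mimikatz": "Mimikatz", "psexec": "PsExec"}

# Email pattern that accepts both a normal dot and a defanged "[.]" in the domain.
EMAIL_RE = re.compile(r"[\w.+-]+@((?:[\w-]+(?:\[\.\]|\.))+[A-Za-z]{2,})")


def refang(value: str) -> str:
    """Turn a defanged indicator like gmx[.]de back into gmx.de for matching."""
    return value.replace("[.]", ".")


def defang(value: str) -> str:
    """Defang before reporting so the indicator is not clickable in a ticket."""
    return value.replace(".", "[.]")


@dataclass
class Hit:
    line_no: int
    kind: str
    indicator: str


def scan(lines):
    """Return one Hit per IOC match; email hits precede tool hits on the same line."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in EMAIL_RE.finditer(line):
            if refang(m.group(1)).lower() in PLAY_CONTACT_DOMAINS:
                hits.append(Hit(n, "play-contact-email", defang(refang(m.group(0)))))
        low = line.lower()
        for needle, name in FOG_TOOL_HINTS.items():
            if needle in low:
                hits.append(Hit(n, "fog-tool", name))
    return hits


# Constructed sample log lines (hypothetical format, not from any real system).
SAMPLE_LOGS = [
    "2025-06-05T10:12:03Z mailgw from=<contact@example.com> subject='invoice'",
    "2025-06-05T10:13:44Z readme.txt drop: 'write us at playkey@gmx[.]de or help@web.de'",
    "2025-06-05T10:15:01Z sysmon EventID=1 Image=C:\\Tools\\PsExec64.exe User=corp\\svc",
    "2025-06-05T10:16:27Z sysmon EventID=1 Image=C:\\Users\\Public\\mimikatz.exe",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        print(f"line {h.line_no}: {h.kind} -> {h.indicator}")
```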

Mitigation & Recommendations

  • Patch & Update – Apply the latest security patches, especially for VPN gateways and remote access tools, to mitigate vulnerabilities exploited by ransomware groups.
  • Improve Defenses – Implement multi-factor authentication (MFA) and network segmentation to limit lateral movement within networks.
  • Detection & Monitoring – Monitor for unusual network activity, use of known malicious tools, and connections to suspicious domains or IP addresses.
  • User Awareness – Educate employees on phishing tactics and encourage reporting of suspicious emails to prevent credential theft.