The Good, the Bad and the Ugly in Cybersecurity – Week 20

May 21, 2025, 8:49 p.m.

Description

This intelligence update covers recent cybersecurity events. In positive developments, global authorities disrupted a major botnet, arrested a ransomware actor, and dismantled a dark web marketplace. On the negative side, a malicious NPM package was discovered hiding multi-stage malware using Unicode and Google Calendar. The most concerning development involves cyberspies exploiting a zero-day vulnerability in Output Messenger to target Kurdish military users in Iraq, showcasing increased capabilities of the Marbled Dust threat group.

External References

https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-20-6
https://otx.alienvault.com/pulse/682768bfc09a2c586edd469a
Tags
ransomware
zero-day
botnet
npm
dns hijacking
dark web
CVE-2025-27920
omserverservice.exe
omclientservice.exe
output messenger
2025-05-16
kurdish military
doppelpaymer

Date

  • Created: May 16, 2025, 4:33 p.m.
  • Published: May 16, 2025, 4:33 p.m.
  • Modified: May 21, 2025, 8:49 p.m.

Indicators

  • api.wordinfos.com
Download all indicators here!

Attack Patterns

  • DoppelPaymer
  • Marbled Dust

Additional Informations

  • Technology
  • Defense
  • Government
  • Kosovo
  • Iraq
  • Moldova, Republic of
  • United States of America

Linked vulnerabilities

CVE-2025-27920

9.8
    Output Messenger
  • Output Messenger
Published: May 5, 2025