
Threat Intel Update
The ClickFix social engineering campaign has been employed by a range of cyber threat actors—including nation-state groups, ransomware operators, and other cybercriminals—as an effective method for gaining access to victim systems.
This week, Microsoft announced progress under its Secure Future Initiative, which was launched in response to the 2023 compromise of its systems. The initiative focuses on strengthening the security of both customer accounts and Microsoft’s internal engineering infrastructure.
Cybersecurity News
- DragonForce and Anubis Ransomware-as-a-Service (RaaS) Update Business Models to Attract New Affiliates – DragonForce and Anubis, two RaaS operations, have updated their business models in an effort to attract more affiliates—moves that could also boost their market share and profits. DragonForce, which launched in 2023, recently rebranded itself as a “cartel,” offering affiliates access to its infrastructure and operational management tools. It provides flexibility by allowing affiliates to choose their own encryptor and build their own branding. Anubis, first identified in December 2024, offers affiliates three monetization options: 80% of proceeds from traditional ransomware encryption attacks, 60% from data extortion schemes, and 50% from basic access operations. The Record
- Microsoft Removes Over 500,000 Inactive Azure Tenants Since September 2024 as Part of the Secure Future Initiative (SFI) – As part of its Secure Future Initiative (SFI)—launched in response to the 2023 compromise of its Exchange Online environment by Chinese cyber threat actors—Microsoft has removed more than 6.3 million inactive Azure tenants, including over 500,000 since September 2024. To further strengthen security, Microsoft has migrated nearly 90% of its databases, storage accounts, cloud resources, and virtual machines to Azure Resource Manager, enhancing administrative visibility. The company has also reduced the number of admin roles within its engineering systems and enforced multi-factor authentication (MFA) for access to production code. Dark Reading
- 159 Vulnerabilities Exploited in the Wild During Q1 2025, Up From Previous Quarter – In the first quarter of 2025, researchers observed 159 vulnerabilities actively exploited in the wild—an increase from 151 in Q4 2024. Notably, over 25% of these vulnerabilities were exploited within 24 hours of public disclosure. Most of the exploited vulnerabilities targeted content management systems, followed by network edge devices and operating systems. Microsoft remained the top vendor associated with exploited vulnerabilities during the quarter. The Hacker News
- Interlock Ransomware Group Adopts ClickFix-Inspired Social Engineering Tactics – Interlock, a ransomware group that emerged in late 2024, has claimed approximately two dozen victims to date. The group relies heavily on social engineering, using fake browser downloads—posing as Google Chrome or Microsoft Edge—to trick users into initiating malware installations. Since early 2025, Interlock has expanded its tactics to include fake security updates for products like Palo Alto GlobalProtect, as well as deceptive CAPTCHA prompts linked to the ClickFix campaign. Additionally, the group has begun deploying two infostealers—LummaStealer and BerserkStealer—as part of its infection chain. SC Media
- SMS Phishing Kit Linked to Toll Fraud Campaign Active Since Late 2024 – A phishing kit, likely developed by a Chinese cyber threat actor, has been used in an ongoing toll fraud campaign since late 2024. The campaign has targeted individuals across eight U.S. states with text messages impersonating legitimate toll collection systems, urging recipients to click on a fraudulent link. Upon clicking the link, victims are directed to complete a CAPTCHA challenge before being taken to a spoofed payment page, where they are prompted to pay fictitious toll charges. The Hacker News
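The toll-fraud lure described above (toll-collection impersonation, a link, a push to pay) is the kind of message a simple triage heuristic can surface before analysts look at it. The following Python script is an added illustration, not code from the original briefing or from any referenced vendor; the sample messages, the keyword lists, the point weights and the threshold of 4 are all constructed assumptions for demonstration, and a production filter would tune them against real telemetry.

```python
import re
from dataclasses import dataclass, field

# Constructed sample SMS messages (sender, body). These are not real campaign
# data; they only illustrate toll-fraud style lures next to benign traffic.
SAMPLE_MESSAGES = [
    ("+1-555-010-2001",
     "FastLane Toll: You have an unpaid toll balance of $6.99. To avoid a late "
     "fee of $50, pay now at http://fastlane-pay.example/bill"),
    ("+44 7700 900123",
     "Final notice: your toll invoice is overdue. Settle immediately: "
     "https://tolls-secure.example/verify"),
    ("12345", "Your one-time passcode is 482913. It expires in 10 minutes."),
    ("Mom", "Can you pick up milk on the way home?"),
    ("+1-555-010-2002",
     "Reminder: your dentist appointment is tomorrow at 9am. Reply C to confirm."),
]

URL_RE = re.compile(r"https?://[^\s]+", re.IGNORECASE)
# Keyword lists are assumptions chosen for this example, not a vetted signature set.
TOLL_TERMS = ("toll", "e-zpass", "fastrak", "sunpass", "turnpike")
URGENCY_TERMS = ("immediately", "final notice", "avoid", "late fee",
                 "overdue", "suspend", "pay now")
PAYMENT_TERMS = ("pay", "balance", "invoice", "fee", "charge")
# Matches a full phone number (with optional +, spaces, dashes, parentheses)
# of at least 7 characters, as opposed to a short code or a saved contact name.
PHONE_NUMBER_RE = re.compile(r"\+?[\d\s\-()]{7,}")


@dataclass
class Verdict:
    score: int
    suspicious: bool
    reasons: list = field(default_factory=list)


def score_sms(sender: str, body: str, threshold: int = 4) -> Verdict:
    """Assign a heuristic smishing score to one message.

    Each matched feature adds points; a score at or above `threshold`
    (an assumed value) marks the message as suspicious for analyst review.
    """
    text = body.lower()
    score = 0
    reasons = []
    if any(term in text for term in TOLL_TERMS):
        score += 2
        reasons.append("toll-themed lure")
    if URL_RE.search(body):
        score += 2
        reasons.append("contains link")
    if any(term in text for term in URGENCY_TERMS):
        score += 1
        reasons.append("urgency language")
    if any(term in text for term in PAYMENT_TERMS):
        score += 1
        reasons.append("payment request")
    if PHONE_NUMBER_RE.fullmatch(sender):
        score += 1
        reasons.append("sent from an ordinary phone number")
    return Verdict(score, score >= threshold, reasons)


def triage(messages, threshold: int = 4):
    """Score every (sender, body) pair and return [(sender, Verdict), ...]."""
    return [(sender, score_sms(sender, body, threshold)) for sender, body in messages]


if __name__ == "__main__":
    for sender, verdict in triage(SAMPLE_MESSAGES):
        flag = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"{flag:10} score={verdict.score} from={sender!r} "
              f"reasons={', '.join(verdict.reasons) or '-'}")
```

Run it as a script to see the two constructed toll lures flagged and the passcode, family and appointment messages left alone. The point of the scoring approach over a single keyword match is that legitimate toll reminders can mention tolls, and legitimate alerts can carry links, but a message combining a toll theme, a link, urgency and a payment demand from an arbitrary phone number is far more likely to be the lure described in the briefing.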