
Threat Intel Update
Cybercriminals often spend time setting up fake websites, gathering information, and planning clever ways to trick people. But sometimes, they act fast to take advantage of unexpected events. The recent power outage affecting Spain, Portugal, and parts of Europe presents an opportunity for threat actors to swiftly launch phishing campaigns under the guise of the crisis.
Cybersecurity News
- Operator of Nemesis Market, a Dark Web Platform for Cybercrime, Indicted – Behrouz Parsarand, an Iranian national, has been indicted for launching Nemesis Market in March 2021. The dark web marketplace allowed cybercriminals to buy and sell malware, stolen financial data, and fake identification documents. During its operation, over 1,000 vendors used the platform, which served more than 150,000 users. In addition to cybercrime tools, Nemesis Market was also used to sell around $30 million worth of illegal drugs, including heroin, cocaine, and other controlled substances. U.S. Department of Justice
- Cybercriminals Stepping Up Scans for Cloud and Code Access Tokens – Cybersecurity researchers observed a spike in mid-April, with over 4,800 IP addresses involved in efforts to find exposed Git configuration files. These files can be valuable to cybercriminals because they may contain account credentials or access tokens that provide entry into cloud services and code repositories. Since December 2024, there have been four waves of scanning activity aimed at uncovering these types of secrets. The top countries associated with this activity include Singapore, the United States, and Germany. Bleeping Computer
- Cybercriminals Launch Phishing Scam Following Blackout in Spain and Portugal – Following the widespread blackout during the week of April 28, which also affected other parts of Europe, cybercriminals began a phishing campaign targeting people impacted by flight delays. The scam tricks victims by promising compensation under the European Union’s “Air Passenger Rights Regulation.” Victims are directed to a fake website—hosted on a compromised WordPress site—where they’re asked to provide personal or payment information, which is then stolen by the attackers. Dark Reading
- RansomHub Disappears, May Have Joined Forces with Other Ransomware Groups – RansomHub went offline on March 31, 2025, and may have merged with other ransomware operations. Reports suggest that internal conflicts between RansomHub administrators and their affiliates may have led some members to join the Qilin ransomware-as-a-service (RaaS) group. Meanwhile, the DragonForce RaaS group claims RansomHub has moved its operations to the platform used by DragonForce’s newly formed ransomware cartel. RansomHub first appeared in February 2024, following law enforcement takedowns of major ransomware groups AlphV and LockBit. Dark Reading
- “SessionShark” Phishing Kit Marketed as an Educational Tool to Bypass Microsoft MFA – SessionShark is an adversary-in-the-middle phishing-as-a-service kit designed to steal valid session tokens and bypass Microsoft multifactor authentication (MFA). Its developers claim the tool is intended for ethical hacking and say they will ban users found engaging in malicious activity. SessionShark is built to evade detection by threat intelligence tools and is compatible with Cloudflare, helping hide the attackers’ infrastructure. The developers also offer customer support through a Telegram channel. Dark Reading