
Threat Intel Update
Lumma Stealer, one of the most prevalent information-stealing malware variants, was disrupted this week through a coordinated effort between Microsoft and multiple government agencies, including those in the United States. The operation successfully seized infrastructure and domains used to distribute the malware.
Lumma was commonly used to harvest credentials from victims, which were then sold or leveraged for further attacks, including ransomware campaigns.
While this disruption is a significant setback for Lumma Stealer, it’s likely that another malware strain will rise to take its place. This development underscores an ongoing truth in cybersecurity: law enforcement efforts can disrupt threat actors, but new threats are constantly emerging. Staying informed and vigilant remains critical for security teams.
Cybersecurity News
- Microsoft and Global Law Enforcement Disrupt Lumma Stealer, Seizing Over 2,300 Malicious Domains – In a major blow to cybercrime operations, Microsoft, working alongside multiple law enforcement agencies, has disrupted the infrastructure supporting Lumma Stealer, a prolific information-stealing malware. Through legal action and court orders, over 2,300 malicious domains tied to the malware’s operations were seized, effectively severing key components of its distribution network. Lumma Stealer has been widely used to compromise Windows systems, impersonate trusted brands, and facilitate financial fraud. Its global impact has extended to businesses, educational institutions, and critical industries. Between mid-March and mid-May 2025, Microsoft identified more than 390,000 infected devices. Microsoft
- Hazy Hawk Exploits Misconfigured DNS to Hijack Cloud Resources – The cybercriminal group Hazy Hawk is exploiting misconfigured DNS records to take over abandoned cloud assets on Azure and Amazon S3. Instead of espionage, they redirect traffic to scam sites, malware, and deceptive ads. Victims include the U.S. CDC, universities, healthcare firms, and global companies. The group primarily exploits dangling CNAME records—DNS entries that point to unused cloud services, which are often easy to miss and difficult to rectify. Believed to operate from Eastern Europe, Hazy Hawk has ties to Russian cybercriminal networks. Experts advise regular DNS audits to remove outdated configurations and prevent similar attacks. Dark Reading
- Malicious Chrome Extensions Used to Steal Data Since February 2024 – A previously unknown threat actor has been distributing malicious Chrome extensions disguised as VPNs, productivity tools, and crypto apps. Though functional in appearance, these extensions steal credentials, hijack sessions, inject ads, and run remote code. Available on the Chrome Web Store, the extensions abused excessive permissions and the “onreset” event to bypass browser security. Victims were lured via fake sites mimicking services like DeepSeek and FortiVPN, as well as phishing, social media, and Facebook ads. Once installed, the extensions acted as proxies and manipulated browser behavior, even redirecting users based on review scores. Google has removed the extensions, but over 100 fake sites and add-ons were involved. The Hacker News
- VanHelsing Ransomware Source Code Leaked After Internal Dispute – The VanHelsing ransomware group, active since March 2025, leaked its own source code after a former developer tried to sell it on a cybercrime forum. The leak includes the Windows encryptor builder, affiliate panel, and data leak site, but lacks the Linux builder and full databases. The group claims the leak sets the stage for VanHelsing 2.0. While the code is real, it’s disorganized and requires customization, including links to a now-defunct server. Bleeping Computer
- Chinese and North Korean Hackers Now Lead in Global Advanced Cyberattacks – ESET’s latest APT Activity Report reveals that Chinese and North Korean state-sponsored groups are behind most advanced cyberattacks worldwide. While Southeast Asia remains a key target—especially for espionage against governments and universities—attacks are expanding into Europe and the U.S. China’s operations often align with strategic goals like the Belt and Road Initiative and maritime influence, while North Korea focuses on South Korea and cryptocurrency theft. Countries like India, Taiwan, and the Philippines are both frequent targets and rising cyber powers developing offensive capabilities. Dark Reading
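The DNS audit recommended in the Hazy Hawk item above, as an added example that is not part of this briefing: it parses CNAME records from a zone file, flags targets that no longer resolve, and marks those on cloud hostname suffixes that anyone can re-register. The zone, the suffix list and the resolver stub are constructed for illustration; in practice the resolver callback would wrap a live lookup (for example with dnspython).

```python
# Added example: find dangling CNAMEs of the kind abused for cloud takeovers.
from typing import Callable, Dict, List, Tuple

# Hypothetical suffixes where a deprovisioned hostname can be re-claimed by
# anyone; extend with the providers your organisation actually uses.
CLAIMABLE_SUFFIXES = (".azurewebsites.net", ".cloudapp.azure.com",
                      ".s3.amazonaws.com", ".trafficmanager.net")

def parse_cnames(zone_text: str) -> List[Tuple[str, str]]:
    """Return (owner, target) pairs for CNAME lines in a BIND-style zone."""
    pairs = []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()       # strip comments, tokenize
        if "CNAME" in fields:
            idx = fields.index("CNAME")
            pairs.append((fields[0].rstrip("."), fields[idx + 1].rstrip(".")))
    return pairs

def audit_dangling(zone_text: str,
                   resolves: Callable[[str], bool]) -> List[Dict[str, str]]:
    """Report CNAMEs whose target does not resolve; rate claimable ones higher."""
    findings = []
    for owner, target in parse_cnames(zone_text):
        if resolves(target):
            continue                                 # target still live: fine
        claimable = any(target.endswith(s) for s in CLAIMABLE_SUFFIXES)
        findings.append({"owner": owner, "target": target,
                         "risk": "takeover-possible" if claimable else "dangling"})
    return findings

# Constructed sample zone and a stub resolver standing in for live DNS.
SAMPLE_ZONE = """
$ORIGIN example.org.
www        IN CNAME  example-prod.azurewebsites.net.  ; still live
old-portal IN CNAME  legacy-app.azurewebsites.net.    ; app deleted last year
files      IN CNAME  example-files.s3.amazonaws.com.  ; bucket removed
blog       IN CNAME  blog.example.org.                ; internal host gone
api        IN A      203.0.113.10
"""
LIVE_TARGETS = {"example-prod.azurewebsites.net"}    # constructed: what resolves

def stub_resolves(name: str) -> bool:
    """Stand-in for a real DNS lookup (e.g. dns.resolver.resolve in dnspython)."""
    return name in LIVE_TARGETS

for f in audit_dangling(SAMPLE_ZONE, stub_resolves):
    print(f"{f['owner']:12} -> {f['target']:36} {f['risk']}")
```

Records rated takeover-possible should be deleted or re-pointed first; a plain dangling entry still deserves cleanup so it cannot become claimable later.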