Contents

01. News Bites
  • Microsoft links Medusa ransomware affiliate to zero-day attacks

  • European Commission Cloud Hack Affecting 30 EU Entities

  • North Korean Hackers Distribute 1,700+ Malicious Open-Source Packages

  • BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks

  • Qilin & Warlock Ransomware Operations: BYOVD-Based EDR Kill Chain

02. Conclusion

Quick News Bites

Microsoft Links Medusa Ransomware Affiliate to Zero-Day Attacks

Microsoft has identified Storm-1175, a China-based, financially motivated cybercriminal group, as the actor behind a series of fast-moving attacks that deploy Medusa ransomware. The group is known for exploiting both zero-day and recently disclosed (n-day) vulnerabilities at high speed to gain initial access to victim networks.

Storm-1175 rapidly shifts from initial compromise to data exfiltration and ransomware deployment, sometimes completing the full attack chain in under 24 hours. Their operational tempo is described as high-velocity: the group often exploits vulnerabilities within a day of disclosure and, in some cases, up to a week before patches become available.

The group has targeted organizations across the healthcare, education, professional services, and finance sectors in Australia, the United Kingdom, and the United States. Their campaigns have involved exploiting more than 16 vulnerabilities across widely used enterprise products, including Microsoft Exchange, PaperCut, Ivanti Connect Secure, ConnectWise ScreenConnect, JetBrains TeamCity, SimpleHelp, CrushFTP, SmarterMail, and BeyondTrust. Notable exploited zero-days include CVE-2025-10035 (GoAnywhere MFT), CVE-2026-23760 (SmarterMail), and CVE-2026-1731 (BeyondTrust).

This shows that, with threat actors exploiting zero-day vulnerabilities before patches exist, even organizations with mature patching programs are exposed, which widens the risk pool and complicates defensive strategies.

European Commission Cloud Hack Affecting 30 EU Entities

The European Union’s Cybersecurity Service (CERT-EU) has confirmed that the European Commission’s AWS cloud environment was breached by the threat group TeamPCP, exposing sensitive data belonging to both the Commission and at least 29 other EU entities.

The intrusion began on March 10, when attackers used a compromised AWS API key with management-level permissions, stolen during the Trivy supply-chain compromise, to access the Commission’s cloud systems. Once inside, the attackers used TruffleHog to search for additional secrets, created a new access key to evade detection, and continued with internal reconnaissance and data theft.
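The "stolen key mints a new key" step described above leaves a recognisable trail in CloudTrail. The following is an added example, not CERT-EU's, AWS's or any vendor's detection content; the event records, key ids and account number are constructed placeholders, and the rule itself (flag CreateAccessKey calls authenticated with a long-term key, raise severity after IAM enumeration by the same key) and its threshold are assumptions.

```python
# Added illustration, not CERT-EU's, AWS's or any vendor's detection content: a small
# CloudTrail rule for the pattern described above, a stolen long-term access key that
# enumerates IAM and then mints a new access key. RECORDS are constructed samples with
# placeholder key ids and account numbers; real events carry more fields than shown.
from collections import defaultdict

RECONNAISSANCE = {"ListUsers", "ListRoles", "GetAccountAuthorizationDetails", "ListAttachedUserPolicies"}

def ev(time, name, ident, ip, **extra):
    """Build a minimal CloudTrail-shaped IAM record (constructed, not real log data)."""
    return {"eventTime": time, "eventSource": "iam.amazonaws.com", "eventName": name,
            "userIdentity": ident, "sourceIPAddress": ip, **extra}

KEY = {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIAEXAMPLE0000001"}  # long-term key
ROLE = {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice",
        "accessKeyId": "ASIAEXAMPLE0000003"}  # temporary STS credentials
RECORDS = [  # constructed, in log order: enumerate, enumerate, persist; then a benign role action
    ev("2026-03-10T09:01:11Z", "ListUsers", KEY, "203.0.113.7"),
    ev("2026-03-10T09:01:30Z", "GetAccountAuthorizationDetails", KEY, "203.0.113.7"),
    ev("2026-03-10T09:02:05Z", "CreateAccessKey", KEY, "203.0.113.7",
       requestParameters={"userName": "ci-deploy"},
       responseElements={"accessKey": {"accessKeyId": "AKIAEXAMPLE0000002", "status": "Active"}}),
    ev("2026-03-10T14:30:00Z", "CreateAccessKey", ROLE, "198.51.100.9",
       requestParameters={"userName": "new-svc"},
       responseElements={"accessKey": {"accessKeyId": "AKIAEXAMPLE0000004", "status": "Active"}}),
]

def detect_key_minting(records, recon_threshold=2):
    """Flag CreateAccessKey calls authenticated with a long-term (AKIA...) key; severity is
    'high' when that key already issued recon_threshold or more IAM enumeration calls."""
    recon_seen = defaultdict(int)
    findings = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        ident = rec.get("userIdentity", {})
        key = ident.get("accessKeyId", "")
        if rec["eventName"] in RECONNAISSANCE:
            recon_seen[key] += 1
        elif rec["eventName"] == "CreateAccessKey" and key.startswith("AKIA"):
            findings.append({
                "time": rec["eventTime"], "source_ip": rec["sourceIPAddress"],
                "caller": ident.get("userName") or ident.get("arn"), "caller_key": key,
                "new_key": rec["responseElements"]["accessKey"]["accessKeyId"],
                "target_user": rec["requestParameters"]["userName"],
                "severity": "high" if recon_seen[key] >= recon_threshold else "medium",
            })
    return findings
```

The sample's role session (temporary ASIA credentials) is deliberately not flagged, so the rule separates the sanctioned key-rotation path from key creation by a possibly leaked long-term key.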

On March 28, the extortion group ShinyHunters released a 90GB compressed archive (approx. 340GB uncompressed) on the dark web, containing:

    • Names
    • Email addresses
    • Email content
    • Tens of thousands of files with personal and organizational data

The exfiltrated data impacts up to 71 clients of the EU’s Europa web hosting service: 42 internal European Commission clients and at least 29 other Union entities.

TeamPCP is linked to wider supply-chain attacks involving the GitHub, PyPI, NPM, and Docker ecosystems. They previously compromised the LiteLLM PyPI package and deployed their TeamPCP Cloud Stealer malware across tens of thousands of affected systems.

This incident is part of the wider supply-chain campaign described above and shows how a compromised third-party or open-source tool can lead directly to an institution-level breach. Furthermore, the public posting of this dataset creates long-term exposure risks, including phishing, credential misuse, and intelligence gathering by hostile actors.

North Korean Hackers Distribute 1,700+ Malicious Open-Source Packages

A North Korea-linked cyber campaign known as “Contagious Interview” has significantly expanded its software supply-chain operations by distributing more than 1,700 malicious packages across multiple open-source ecosystems, including npm, PyPI, Go, Rust, and Packagist. These packages were crafted to impersonate legitimate developer tools, enabling attackers to infiltrate development environments through trusted channels. Researchers noted that the adversaries embedded malware loaders within these packages, allowing them to deliver platform-specific second-stage payloads designed for espionage and financial gain.

The malicious payloads deployed through these packages possess a range of dangerous capabilities. Many act as infostealers, collecting browser data, passwords, and cryptocurrency wallet information. Some variants, particularly those delivered via the PyPI package license-utils-kit, function as full post-compromise implants, enabling remote command execution, keylogging, data exfiltration, browser manipulation, file uploads, and installation of remote-access tools such as AnyDesk.

What makes this campaign particularly stealthy is the attackers’ technique of embedding harmful code within normal-looking functions that developers might routinely use. Unlike conventional malicious packages that execute harmful code immediately upon installation, these packages hide their malicious logic inside otherwise legitimate functionality.

The identified packages are as follows:

    • npm: dev-log-core, logger-base, logkitx, pino-debugger, debug-fmt, debug-glitz
    • PyPI: logutilkit, apachelicense, fluxhttp, license-utils-kit
    • Go: github[.]com/golangorg/formstash, github[.]com/aokisasakidev/mit-license-pkg
    • Rust: logtrace
    • Packagist: golangorg/logkit
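As an added illustration (not code from the researchers or from any package registry), the script below checks common dependency manifests for the package names listed above, with the defanged "github[.]com" restored to "github.com". The manifests it scans are constructed samples, and its small parsers cover only the manifest shapes shown; PyPI name matching follows the PEP 503 normalisation rule so spelling variants of the same name are still caught.

```python
# Added illustration (not code from the researchers or from any package registry):
# scan common dependency manifests for the package names listed above. The
# manifests in SAMPLES are constructed; the defanged "github[.]com" is restored.
import json
import re

REPORTED = {
    "npm": {"dev-log-core", "logger-base", "logkitx", "pino-debugger", "debug-fmt", "debug-glitz"},
    "pypi": {"logutilkit", "apachelicense", "fluxhttp", "license-utils-kit"},
    "go": {"github.com/golangorg/formstash", "github.com/aokisasakidev/mit-license-pkg"},
    "cargo": {"logtrace"},
    "packagist": {"golangorg/logkit"},
}

def normalize(eco, name):
    # PyPI names are case-insensitive with "-", "_" and "." interchangeable (PEP 503);
    # npm and Packagist names are lowercase; Go module paths are compared as written.
    if eco == "pypi":
        return re.sub(r"[-_.]+", "-", name).lower()
    return name if eco == "go" else name.lower()

def extract(eco, text):
    """Yield declared dependency names from one manifest (small, format-specific parsers)."""
    if eco in ("npm", "packagist"):  # package.json / composer.json
        doc = json.loads(text)
        for key in (("dependencies", "devDependencies") if eco == "npm" else ("require", "require-dev")):
            yield from doc.get(key, {})
    elif eco == "pypi":  # requirements.txt: the leading token is the name; '#' lines are comments
        yield from re.findall(r"^[ \t]*([A-Za-z0-9][A-Za-z0-9._-]*)", text, re.M)
    elif eco == "go":  # go.mod: 'require path vX.Y.Z' or lines inside a require ( ) block
        yield from re.findall(r"^\s*(?:require\s+)?(\S+/\S+)\s+v\d\S*", text, re.M)
    elif eco == "cargo":  # Cargo.toml: 'name = ...' lines under [dependencies]
        sect = re.search(r"^\[dependencies\]\n(.*?)(?=^\[|\Z)", text, re.M | re.S)
        if sect:
            yield from re.findall(r"^\s*([A-Za-z0-9_-]+)\s*=", sect.group(1), re.M)

def find_reported(eco, text):
    """Return the reported names that the manifest declares, as written in the manifest."""
    wanted = {normalize(eco, n) for n in REPORTED[eco]}
    return sorted(n for n in extract(eco, text) if normalize(eco, n) in wanted)

SAMPLES = {  # constructed manifests, each with a benign decoy and one reported package
    "pypi": "requests==2.32.0\nLicense_Utils.Kit==1.0  # spelling variant still matches\n",
    "npm": '{"dependencies": {"express": "^4.19.0"}, "devDependencies": {"pino-debugger": "1.2.0"}}',
    "go": "module example.com/app\n\nrequire (\n\tgithub.com/spf13/cobra v1.8.0\n\tgithub.com/golangorg/formstash v0.1.3\n)\n",
    "cargo": '[package]\nname = "app"\n\n[dependencies]\nserde = "1"\nlogtrace = { version = "0.2" }\n',
}
```

Call find_reported(ecosystem, manifest_text) on each manifest in a repository; a non-empty result is a hit on one of the listed names. Name matching alone does not catch typosquats or renamed republications, so treat it as a first pass rather than a clean bill of health.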

The discovery of more than 1,700 malicious packages since early 2025 demonstrates a highly coordinated and well-resourced supply-chain threat engineered to compromise developers at scale. By targeting widely used development ecosystems, the North Korean operators aim to infiltrate organizations during the earliest stages of the software lifecycle, facilitating both espionage and financial theft.

BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks

Germany’s Federal Criminal Police Office (BKA) has identified and unmasked two key members of the now-defunct REvil (Sodinokibi) ransomware-as-a-service group, linking them to 130 ransomware attacks across Germany between 2019 and 2021. The first, previously known under the alias UNKN, has been revealed as Daniil Maksimovich Shchukin, a 31-year-old Russian national who also used multiple online monikers such as Oneiilk2, Oneillk2, Oneillk22, and GandCrab. Shchukin served as a representative of the operation, advertising REvil on cybercrime forums and helping recruit affiliates. The second individual, Anatoly Sergeevitsch Kravchuk, is believed to have been one of REvil’s developers during that period.

According to the BKA, the two suspects' activities resulted in €1.9 million in ransom payments across 25 confirmed cases, while the total damages inflicted by the 130 attacks exceeded €35.4 million, accounting for business interruption, data loss, and recovery costs. REvil, an evolution of the GandCrab ransomware, was among the most prolific ransomware operations, responsible for major global incidents before abruptly disappearing in July 2021. The group resurfaced briefly but eventually collapsed following international law-enforcement actions.

Romania previously arrested two affiliates, and Russia’s FSB reported in January 2022 that it had arrested several REvil members and dismantled parts of the group. By October 2024, four REvil members were sentenced to prison, according to Russian media.

Qilin & Warlock Ransomware Operations: BYOVD-Based EDR Kill Chain

Threat actors behind the Qilin and Warlock ransomware operations have adopted a highly advanced evasion technique known as Bring Your Own Vulnerable Driver (BYOVD) to disable security tools on infected systems. According to research from Cisco Talos and Trend Micro, both groups are using signed but vulnerable kernel-mode drivers to bypass modern Endpoint Detection and Response (EDR) protections, effectively terminating more than 300 different EDR drivers across major vendors. This technique allows the ransomware operators to gain low-level system access and dismantle defensive layers before deploying their payloads, making detection and prevention significantly harder.

In Qilin’s case, the attack begins with a malicious DLL named msimg32.dll, delivered via DLL sideloading, which triggers a multi-stage loader designed to run stealthily in memory. This loader neutralizes user-mode hooks, suppresses Windows event logging, and obscures API calls to avoid detection. Once executed, the malware loads two vulnerable drivers: rwdrv.sys, a renamed version of ThrottleStop.sys that grants raw access to physical memory, and hlpdrv.sys, which terminates EDR processes. These drivers, also seen previously in Akira and Makop ransomware incidents, are used to clear the way for final ransomware deployment by disabling security components at the kernel level.

Warlock (also known as Water Manaul) uses a similar approach but with its own kernel-level driver, NSecKrnl.sys, leveraging vulnerabilities to disable security tools before distributing ransomware across a network. Warlock typically breaches organizations by exploiting unpatched Microsoft SharePoint servers, spending up to 15 days inside victim environments to conduct reconnaissance, exfiltrate data, and position for maximum damage.

Overall, the widespread adoption of BYOVD by multiple ransomware groups, particularly Qilin and Warlock, signals a critical shift in the threat landscape. Kernel-level EDR bypass techniques, once considered advanced, are now mainstream across the ransomware ecosystem, leaving organizations that rely on EDR tools increasingly vulnerable unless they implement strict driver allowlisting, hardware-based protections such as HVCI, and rapid patching of vulnerable third-party drivers.

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation. 

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.