Content
01. News Bites
- UK food logistics firm Peter Green Chilled hit by ransomware attack
- UK Legal Aid Agency data breach worse than feared, sensitive applicant info stolen
- Fake Facebook Ads impersonate Kling AI to spread malware
- Hazy Hawk hijacks trusted subdomains to spread scams
- Trojanized KeePass installer delivers Cobalt Strike and ransomware
02. Conclusion
UK food logistics firm Peter Green Chilled hit by ransomware attack
Peter Green Chilled, a Somerset-based food logistics company supplying major UK supermarkets including Tesco, Asda, Sainsbury’s, and M&S, has fallen victim to a ransomware attack. The incident, disclosed in an internal email seen by the BBC, occurred last week. While transport operations remain unaffected, order processing has been suspended. It is unknown whether a ransom was demanded or paid.
The company’s role in delivering chilled foods with short shelf lives raises concerns of severe operational disruption—mirroring tactics used in attacks on healthcare and manufacturing, where urgency is exploited over data theft.
Supply chain firms like Peter Green are increasingly targeted due to their reliance on just-in-time delivery. The attack follows recent incidents at Co-op, Harrods, and M&S, with the latter forecasting £300m in losses due to ongoing online disruption.
Retail remains a high-risk sector, with 45% hit by ransomware last year.
UK Legal Aid Agency data breach worse than feared, sensitive applicant info stolen
The UK's Legal Aid Agency (LAA) has confirmed that a recent cyberattack reported earlier this month was more severe than initially believed, with hackers stealing large volumes of sensitive data from legal aid applicants dating back to 2010. The agency, part of the Ministry of Justice, helps people access legal representation if they cannot afford it.
An initial notice in early May downplayed the breach, citing limited financial exposure. However, a government update on 16 May revealed that contact details, dates of birth, National Insurance numbers, criminal history, and debt-related data were accessed and downloaded by threat actors.
The LAA has taken its digital services offline and is working with the UK’s National Cyber Security Centre to secure systems. Applicants are urged to remain vigilant against scams.
This breach comes amid a wave of cyberattacks hitting UK institutions, including retailers like M&S and Co-op, raising questions about possible links to the Scattered Spider group.
Fake Facebook Ads impersonate Kling AI to spread malware
Cyber security experts have uncovered a campaign using fake Facebook pages and sponsored ads to impersonate Kling AI, luring users into downloading malware. Kling AI, launched by China’s Kuaishou Technology in 2024, is a text-to-video/image platform with over 22 million users.
Check Point reported that the threat actors direct users to spoofed websites like klingaimedia[.]com, offering AI-generated content. Instead, visitors unknowingly download malware disguised as images or videos. The malware, hidden in ZIP files using deceptive file names, installs a remote access trojan (RAT) and data-stealer targeting browser credentials and crypto wallets.
The second-stage payload uses PureHVNC to establish persistence, evade detection, and steal sensitive data. At least 70 fake ads were detected, likely originating from Vietnam, where malvertising is a known tactic.
This highlights growing threats from social engineering and AI-themed scams. Meta is reportedly battling widespread fraud across Facebook and Instagram, including fake giveaways and job scams linked to trafficking.
Hazy Hawk hijacks trusted subdomains to spread scams
A threat actor known as 'Hazy Hawk' is exploiting forgotten DNS CNAME records pointing to abandoned cloud services to hijack trusted subdomains of governments, universities, and Fortune 500 companies, according to researchers.
By registering new cloud resources matching the names in abandoned CNAME records, Hazy Hawk takes over subdomains to host scams, fake apps, and malicious ads. High-profile domains compromised include cdc.gov, honeywell.com, berkeley.edu, unicef.org, and nyu.edu, among others.
These hijacked subdomains are used to generate hundreds of scam URLs, benefiting from the parent domain's trusted reputation to rank in search results. Victims are redirected through multiple layers of traffic direction systems (TDS), profiling them before landing on tech support scams, phishing pages, or fake streaming sites.
Users who allow push notifications may continue receiving scam alerts long after leaving the sites. Experts warn that unmonitored CNAME records present an overlooked yet dangerous attack vector.
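The check that would have caught the records Hazy Hawk abuses is a dangling-CNAME audit: walk the zone, resolve each alias target, and flag targets that return NXDOMAIN under a provider suffix where the name can be re-registered. The following is an added example, not code from the researchers or from Integrity360; the zone entries, provider suffixes and resolver answers are all constructed, and a live run would replace the stub resolver with a real lookup.

```python
"""Find dangling CNAME records: aliases whose target no longer resolves and
whose name sits under a cloud provider, so the resource can be re-registered.
Offline demo with a stub resolver; swap in a live lookup for real zones."""
from typing import Callable, Iterable, Optional

# Constructed zone export, (owner, CNAME target). Hypothetical names only.
SAMPLE_ZONE = [
    ("assets.example.org.", "d1a2b3c4.cdn-sample.net."),
    ("old-campaign.example.org.", "retired-site.webapps-sample.net."),
    ("www.example.org.", "example-org.pages-sample.io."),
    ("legacy.example.org.", "deleted-bucket.storage-sample.net."),
    ("ghost.example.org.", "oldhost.example.org."),
]

# Constructed resolver answers: address list, or None for NXDOMAIN.
SAMPLE_ANSWERS = {
    "d1a2b3c4.cdn-sample.net.": ["192.0.2.10"],
    "retired-site.webapps-sample.net.": None,
    "example-org.pages-sample.io.": ["198.51.100.7"],
    "deleted-bucket.storage-sample.net.": None,
    "oldhost.example.org.": None,
}

# Hypothetical provider suffixes where an unresolvable target means the
# resource name is free for anyone to claim (the Hazy Hawk precondition).
CLAIMABLE_SUFFIXES = (".cdn-sample.net.", ".webapps-sample.net.",
                      ".pages-sample.io.", ".storage-sample.net.")

def offline_resolve(name: str) -> Optional[list]:
    """Stub resolver. A live version would call dnspython's
    dns.resolver.resolve(name, "A") and map dns.resolver.NXDOMAIN to None."""
    return SAMPLE_ANSWERS.get(name)

def find_dangling(zone: Iterable[tuple[str, str]],
                  resolve: Callable[[str], Optional[list]]) -> list[dict]:
    """Return CNAMEs whose target fails to resolve, rated by takeover risk."""
    findings = []
    for owner, target in zone:
        if resolve(target) is not None:
            continue                      # target exists: not dangling
        claimable = target.endswith(CLAIMABLE_SUFFIXES)
        findings.append({"owner": owner, "target": target,
                         "risk": "high" if claimable else "review"})
    return findings

if __name__ == "__main__":
    for f in find_dangling(SAMPLE_ZONE, offline_resolve):
        print(f"{f['risk']:6} {f['owner']} -> {f['target']}")
```

A dangling target on a provider suffix is rated "high" because the missing resource can be re-created by a third party; a dangling target under your own zone is a stale record to clean up rather than a takeover path.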
Trojanized KeePass installer delivers Cobalt Strike and ransomware
Threat actors have spent at least eight months distributing a malicious version of the KeePass password manager to infect systems with Cobalt Strike beacons and steal user credentials. According to researchers, the campaign began with fake KeePass websites advertised via Bing ads, where users unknowingly downloaded a trojanized installer named KeeLoader.
While functioning like the legitimate KeePass, KeeLoader silently exports the user's password database in cleartext and deploys a Cobalt Strike beacon. The beacon watermark ties the campaign to initial access brokers associated with the Black Basta ransomware group.
The threat actors also used typo-squatting domains like keeppaswrd[.]com and keegass[.]com to distribute malware. Some fake installers were even signed with legitimate certificates.
The campaign culminated in ransomware attacks targeting VMware ESXi servers. WithSecure attributes the activity to threat actor UNC4696, previously linked to Nitrogen Loader and BlackCat/ALPHV campaigns.
Users are urged to avoid downloading software via advertisements and only use official sources.
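Beyond user guidance, a defender can spot lookalike domains such as the two named above in DNS query telemetry by comparing each query's second-level label against protected brand stems. This is an added example, not code from WithSecure or Integrity360; the log lines, the allow-list and the similarity threshold are constructed assumptions, and the eTLD+1 extraction is deliberately crude.

```python
"""Flag DNS query log lines whose registrable domain looks like a
typosquat of a protected brand, using difflib similarity (stdlib only)."""
from difflib import SequenceMatcher

# Constructed DNS query log (not real telemetry); fields: timestamp client qname.
# The two lookalike names are the ones reported in the KeePass campaign.
SAMPLE_LOG = """\
2025-05-19T10:01:02Z 10.1.2.3 keepass.info
2025-05-19T10:01:09Z 10.1.2.3 keeppaswrd.com
2025-05-19T10:02:15Z 10.1.2.9 keegass.com
2025-05-19T10:02:40Z 10.1.2.9 update.microsoft.com
2025-05-19T10:03:05Z 10.1.2.7 www.keepass.info
"""

# Brand stems to protect and the domains the organisation treats as legitimate.
BRANDS = {"keepass": {"keepass.info"}}

def registrable(qname: str) -> str:
    """Crude eTLD+1: keep the last two labels (adequate for .com/.info samples;
    a production version would use the public suffix list)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] of matching characters between two labels."""
    return SequenceMatcher(None, a, b).ratio()

def flag_lookalikes(log: str, brands=BRANDS, threshold: float = 0.65) -> list[dict]:
    """Return queries whose second-level label resembles a brand stem
    but whose registrable domain is not on that brand's allow-list."""
    hits = []
    for line in log.splitlines():
        ts, client, qname = line.split()
        domain = registrable(qname)
        sld = domain.split(".")[0]
        for brand, allowed in brands.items():
            if domain in allowed:
                continue            # legitimate domain, no alert
            score = similarity(sld, brand)
            if score >= threshold:
                hits.append({"ts": ts, "client": client, "qname": qname,
                             "brand": brand, "score": round(score, 2)})
    return hits

if __name__ == "__main__":
    for h in flag_lookalikes(SAMPLE_LOG):
        print(f"{h['ts']} {h['client']} {h['qname']} ~ {h['brand']} ({h['score']})")
```

Tune the threshold against your own query volume: a lower value catches more creative misspellings at the cost of false positives on unrelated short labels.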
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.
Disclaimer
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.