
Dragon Sight: Emerging Threats & Security Strategies

WEEK OF APRIL 28–MAY 02, 2025 | ISSUE 07 | "Stay informed. Stay prepared. Stay secure with Dragon Sight"

In This Issue

Zero-click spyware is surging, forcing a reexamination of mobile security practices across enterprise environments. North Korean hackers have begun leveraging generative AI to enhance cyber operations, marking a dangerous evolution in state-sponsored threat tactics. SAP NetWeaver users are urged to patch critical flaws amid active exploitation. Meanwhile, ransomware gangs are shifting to aggressive affiliate models, hammering the healthcare and education sectors. Finally, Verizon’s latest DBIR confirms that small businesses are now prime targets: no organization is too small to escape the crosshairs.

CYBER NEWS ROUNDUP

The Growing Threat of Zero-Click Spyware
Zero-click spyware exploits mobile device vulnerabilities without any user interaction, making detection and prevention extremely difficult. These attacks target executives, journalists, and government officials, often bypassing traditional security layers. The implications include deep surveillance and unauthorized data access at scale. Organizations should reevaluate mobile security strategies and prioritize endpoint detection and response (EDR) tools designed for mobile threats.
Read more: https://www.cybersecurity-insiders.com/the-growing-threat-of-zero-click-spyware-why-organizations-must-rethink-smartphone-security-2/

SAP NetWeaver Patch Urgency
SAP has issued critical patches for its NetWeaver Application Server, addressing a severe vulnerability (CVSS score 9.8) that allows remote code execution. Affected organizations risk full system compromise if the flaw is exploited. Threat actors are actively scanning for this weakness, placing unpatched systems in immediate jeopardy. IT teams should apply the latest security updates without delay to mitigate exposure.
Read more: https://www.theregister.com/2025/04/25/sap_netweaver_patch/

AI DJ Deployed Without Disclosure in Australia
An Australian radio station replaced its afternoon host with an AI-generated DJ trained on the real host’s voice without informing listeners. While framed as innovation, the move raises ethical questions about transparency and digital identity. The AI, “Arnie,” delivered pre-recorded segments, blurring lines between automation and authenticity. This incident underscores the importance of clear AI policies in content creation.
Read more: https://www.theverge.com/news/656245/australian-radio-station-ai-dj-workdays-with-thy

MTN Data Breach Compromises Customer Information
Telecom giant MTN confirmed a cyberattack that exposed customer data in Zambia, including subscriber identities and SIM-related information. While the company claims core systems remain unaffected, the breach still presents risks for fraud and identity theft. Affected individuals may face phishing attempts or account compromise. MTN is collaborating with authorities and enhancing its cybersecurity posture.
Read more: https://www.bleepingcomputer.com/news/security/mobile-provider-mtn-says-cyberattack-compromised-customer-data/

Baltimore City Public Schools Breach Affects 31,000+
Baltimore City Public Schools disclosed a data breach affecting over 31,000 individuals, exposing names, Social Security numbers, and other sensitive data. The breach may lead to identity theft or fraudulent activity, particularly among students and staff. It highlights ongoing challenges in securing education sector infrastructure. Those impacted are advised to monitor credit and enroll in identity protection services.
Read more: https://www.bleepingcomputer.com/news/security/baltimore-city-public-schools-data-breach-affects-over-31-000-people/

North Korean Hackers Using GenAI to Infiltrate Jobs
North Korean threat actors are leveraging generative AI tools to pose as remote tech workers and infiltrate Western companies. By producing convincing résumés and deepfake interviews, they secure employment and funnel intelligence or revenue back to state operations. This tactic represents a dangerous evolution in cyber-espionage. Organizations must strengthen background checks and monitor anomalous remote activity.
Read more: https://cybersecuritynews.com/north-korean-hackers-using-genai/

FBI Offers $10M Bounty on State-Backed Cybercriminals
The FBI is offering up to $10 million for information on the Salt Typhoon hacking group, believed to be a Chinese state-sponsored threat actor. The group has targeted U.S. critical infrastructure and telecom networks. The bounty highlights the growing geopolitical stakes of cyberwarfare. Security teams should remain vigilant and share threat intelligence with federal agencies.
Read more: https://cybersecuritynews.com/fbi-to-offer-reward-up-to-10-million/

159 CVEs Exploited in the Wild During Q1 2025
A new report confirms 159 vulnerabilities were actively exploited in Q1 2025, with nearly 9% attacked within 24 hours of disclosure. These rapid exploit timelines underscore the critical need for timely patch management. Common targets included Microsoft, Adobe, and web application platforms. Organizations must streamline vulnerability scanning and prioritize high-risk CVEs immediately.
Read more: https://cybersecuritynews.com/159-cves-exploited-in-the-wild-in-q1-2025/

Small Businesses Face Rising Cyber Threats, Verizon DBIR Finds
Verizon’s latest Data Breach Investigations Report shows small businesses are increasingly targeted due to limited defenses. The report identifies ransomware, phishing, and credential abuse as top threats. Breaches in this sector often have severe operational and financial consequences. Small enterprises must invest in affordable, layered security solutions to survive in today’s threat landscape.
Read more: https://cybersecuritynews.com/verizon-dbir-report-small-businesses-emerges-as-prime-targets/

Ransomware Gangs Adopt Affiliate Models to Scale Operations
Ransomware groups are evolving into franchise-like affiliate programs, enabling less skilled actors to launch attacks with prebuilt infrastructure. This model significantly increases attack volume and diversity across sectors. Victims face a higher risk of double extortion, data leaks, and re-attacks. Businesses must deploy continuous monitoring and endpoint protections to counter this shift.
Read more: https://www.darkreading.com/data-privacy/ransomware-gangs-innovate-new-affiliate-models

Microsoft Advances Security Culture Overhaul Post-Breaches
Following high-profile security lapses, Microsoft is reforming its security culture, embedding cybersecurity into employee performance metrics and development cycles. Key actions include default multi-factor authentication, stronger internal audits, and secure-by-design engineering practices. These moves aim to reduce attack surfaces across all products and teams. Microsoft’s shift could serve as a blueprint for other enterprises.
Read more: https://www.darkreading.com/cybersecurity-operations/microsoft-steady-progress-revamp-security-culture

Healthcare Sector Hit by Wave of Ransomware Attacks
Recent ransomware attacks have crippled multiple healthcare organizations, including DaVita and Bell Ambulance, disrupting operations and threatening patient data. Cybercriminals increasingly view healthcare as a soft, high-value target. The incidents stress the need for backup resilience, segmented networks, and staff awareness training. Regulatory pressure may increase to force improved cyber hygiene across the sector.
Read more: https://www.darkreading.com/cyberattacks-data-breaches/healthcare-orgs-hit-ransomeware-attacks

Medusa Ransomware Adopts RaaS Model, Increases Attacks
The Medusa group has pivoted to a Ransomware-as-a-Service (RaaS) model, offering affiliates easy deployment tools and broader target lists. The group’s attacks are becoming more frequent and impactful, hitting industries like healthcare and education. Their model leverages data extortion, public shaming, and encrypted lockouts. Defenders must enhance incident response playbooks and update offline backups regularly.
Read more: https://www.darkreading.com/threat-intelligence/medusa-momentum-ransomware-as-a-service-pivot

Why This Matters

This week’s cybersecurity landscape reveals a clear and pressing shift: attackers are becoming faster, smarter, and more relentless. From zero-click spyware targeting mobile devices to ransomware gangs using affiliate models and nation-state actors deploying generative AI, the threat environment is evolving rapidly. Critical sectors like healthcare, education, and small businesses are under sustained pressure, while CISA’s latest advisories warn of serious vulnerabilities in industrial systems that support essential infrastructure.

The takeaway is urgent: traditional defenses are no longer enough. With vulnerabilities now being exploited within hours of disclosure, organizations must adopt a proactive mindset rooted in real-time threat intelligence, rapid patching, and a zero-trust approach. The cost of hesitation is no longer measured in data loss alone; it is operational disruption, financial damage, and compromised safety.

Cyber Hygiene Tips (Based on This Week’s Threats)

Protect smartphones against zero-click spyware
Turn on automatic updates for all mobile devices and avoid clicking unknown links; even legitimate-looking apps can be compromised by spyware attacks.

Lock down SIM and mobile account information
Following the MTN breach, protect your phone accounts with PINs or additional authentication to prevent SIM swap attacks and identity theft.

Strengthen school and education network defenses
In light of the Baltimore City Schools breach, implement endpoint protection and segment school networks to limit the spread of attacks.

Update ransomware response plans
With ransomware gangs launching more affiliate-based attacks, regularly back up critical data offline and rehearse rapid recovery procedures.

Tighten MFA and authentication practices
Microsoft’s internal reforms show the importance of strong authentication: enforce multi-factor authentication (MFA) across all employee accounts.

Prioritize fast patching for newly disclosed CVEs
Since over 150 vulnerabilities were actively exploited this quarter, shorten your patch cycles to days, not weeks, to close critical gaps quickly.

Protect small business systems with layered defenses
Verizon’s DBIR shows small businesses are primary ransomware targets: deploy layered security like firewalls, EDR, and phishing training, even on limited budgets.

Government advisories

ICSA-25-114-05 Siemens Mendix SAML Authentication Bypass Vulnerability
https://www.cisa.gov/news-events/ics-advisories/icsa-25-114-05

ICSA-25-114-02 Siemens SINEC Infrastructure Network Services
https://www.cisa.gov/news-events/ics-advisories/icsa-25-114-02

AA25-022A: North Korean State-Sponsored Cyber Actors Use Social Engineering to Enable Hacking for Financial Gain
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-022a

AA24-290A: Scattered Spider Cyber Actors Social Engineering Tactics
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-290a

THREAT FOCUS INFORMATION

Inside the “ToyMaker” Campaign

Overview
A newly identified initial access broker (IAB), dubbed ToyMaker, has emerged as a financially motivated threat actor exploiting exposed internet-facing systems to gain entry into target environments. First reported by Cisco Talos, ToyMaker leverages a custom backdoor named LAGTOY to establish persistence, exfiltrate credentials, and enable follow-on activity, including ransomware deployment. Once access is established, ToyMaker facilitates hands-on intrusion using tools like Cactus ransomware, PowerShell, WinSCP, AnyDesk, and Impacket, providing flexibility across various enterprise environments. The campaign targets a broad range of sectors and plays a critical role in the ransomware-as-a-service (RaaS) ecosystem by monetizing footholds for more destructive threat groups.

Tools and Techniques
The LAGTOY backdoor is capable of spawning reverse shells, executing arbitrary commands, and serving as a staging platform for additional payloads. ToyMaker’s tooling arsenal suggests modular capabilities, including remote desktop abuse, file transfers, credential theft, and command-and-control via alternative protocols. These activities map across a wide set of MITRE ATT&CK (https://attack.mitre.org/) techniques, revealing the operation’s depth and sophistication:

  • T1003 – OS Credential Dumping

  • T1021 – Remote Services (e.g., SSH, RDP)

  • T1059 – Command and Scripting Interpreter

  • T1562 – Impair Defenses

  • T1070 – Indicator Removal on Host

  • T1048 – Exfiltration Over Alternative Protocol

  • T1543 – Create or Modify System Process

  • T1560 – Archive Collected Data

  • T1608 – Stage Capabilities

  • T1136 – Create Account

Strategic Implications
ToyMaker’s campaign highlights the growing importance of initial access brokers in today’s cybercrime supply chain. By selling or trading access to compromised networks, IABs like ToyMaker enable more destructive actors such as ransomware operators or state-aligned APTs to move quickly from breach to impact. In a geopolitical environment where ransomware has become both a criminal and political weapon, the existence of scalable access-as-a-service platforms increases the operational tempo of cybercriminals. This campaign also reflects a growing technical overlap between cybercrime and espionage, blurring lines between financially motivated and state-sponsored operations.

Defensive Recommendations

  • Patch and harden internet-facing assets, especially RDP, SSH, and outdated web applications.

  • Audit and rotate credentials regularly, particularly domain admin and service accounts.

  • Implement EDR and NDR tools that can detect lateral movement, scheduled tasks, and PowerShell misuse.

  • Disable unnecessary services and ports to reduce the attack surface exploited by ToyMaker.

  • Monitor for IOCs linked to known LAGTOY infrastructure and malware hashes (see below).

  • Train SOC analysts to recognize signs of IAB-related activity and prepare for potential ransomware escalation.

Indicators of Compromise (IOCs)
The following indicators are defanged to prevent accidental engagement. Use caution and validate within your own threat intel platforms.

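Defanged indicators in a Type / IOC table have to be refanged and validated before they can be matched against telemetry. The script below is an added example (not Dragon Sight's or Cisco Talos' code) that parses a table in this layout, drops malformed entries, and checks the result against constructed firewall log lines and file contents; every indicator, log line and file in it is constructed, using RFC 5737 documentation address ranges.

```python
"""Refang, validate and match defanged IOCs from a flattened Type / IOC table.
Added example, not Dragon Sight's or Cisco Talos' code. Every indicator, log line
and file here is constructed (203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24
are RFC 5737 documentation ranges)."""
import hashlib, ipaddress, re

# Constructed table in the newsletter's "Type / IOC (Defanged)" layout; the last
# IP is deliberately malformed to show that validation drops it.
SAMPLE_HASH = hashlib.sha256(b"constructed-sample-file").hexdigest()
IOC_TABLE = f"""
IP Address
203[.]0[.]113[.]10
IP Address
198[.]51[.]100[.]7
File Hash (SHA-256)
{SAMPLE_HASH}
IP Address
999[.]1[.]1[.]1
"""
DEFANG_MAP = {"[.]": ".", "[:]": ":", "hxxp": "http"}

def refang(value: str) -> str:
    """Undo common defanging so the value can be compared against real telemetry."""
    for fanged, plain in DEFANG_MAP.items():
        value = value.replace(fanged, plain)
    return value.strip()

def parse_ioc_table(text: str) -> dict[str, set[str]]:
    """Parse alternating Type / value lines; invalid IPs and non-SHA-256 hashes are dropped."""
    iocs: dict[str, set[str]] = {"ip": set(), "sha256": set()}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for kind, raw in zip(lines[0::2], lines[1::2]):
        value = refang(raw)
        if kind.startswith("IP Address"):
            try:
                iocs["ip"].add(str(ipaddress.ip_address(value)))
            except ValueError:
                continue  # e.g. an octet above 255 or a typo in the table
        elif "SHA-256" in kind and re.fullmatch(r"[0-9a-fA-F]{64}", value):
            iocs["sha256"].add(value.lower())
    return iocs

# Constructed egress firewall records; the third line is a near-miss prefix.
SAMPLE_LOGS = [
    "2025-04-29T10:01:12Z fw ALLOW src=10.0.0.5 dst=203.0.113.10 dport=443",
    "2025-04-29T10:01:15Z fw ALLOW src=10.0.0.7 dst=192.0.2.44 dport=443",
    "2025-04-29T10:02:03Z fw ALLOW src=10.0.0.5 dst=203.0.113.100 dport=22",
]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def scan_logs(lines: list[str], iocs: dict[str, set[str]]) -> list[tuple[int, str]]:
    """Return (line_number, ip) for each whole IPv4 address that is a known IOC.
    Matching whole addresses avoids flagging 203.0.113.100 for 203.0.113.10."""
    return [(n, ip) for n, line in enumerate(lines, 1)
            for ip in IPV4_RE.findall(line) if ip in iocs["ip"]]

def scan_files(contents: dict[str, bytes], iocs: dict[str, set[str]]) -> list[str]:
    """Hash file contents and return the names whose SHA-256 is a known IOC."""
    return sorted(name for name, data in contents.items()
                  if hashlib.sha256(data).hexdigest() in iocs["sha256"])
```

Feeding the real table into `parse_ioc_table` and real logs into `scan_logs` is the same call; the whole-address regex and the `ipaddress` check are what keep prefix overlaps and transcription errors from producing false hits.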

Discover the Nexus-Dragon Ecosystem

Explore Everything at Nexus-Dragon.com. Your Launchpad for Elite Cybersecurity Training and Business-Grade Protection

Comprehensive Learning Subscription (CLS)
The CLS program is more than just certification prep: it’s a full-spectrum, 4-year guided learning pathway for professionals committed to mastering information security and gaining long-term expertise in the field.

www.nexus-dragon.com

Included in CLS:

  • Full prep and resources for CISSP, CEH, CASP+, GBK, and Cyber Training certifications

  • Access to interactive cloud security labs, recorded workshops, and scheduled mentorship

  • Built-in progress tracking, skill assessments, and a structured roadmap to job-ready proficiency

  • Complimentary access to our Basic Cyber Operations (BCO) course for foundational knowledge in network security and incident response

Dragon Armor Cybersecurity Suite
Tailored for small and mid-sized businesses, Dragon Armor delivers serious protection without the complexity of big-ticket enterprise tools. It’s everything you need to secure your environment, designed to scale as you grow.

Included with Dragon Armor:

  • AI-driven threat detection, endpoint security, and real-time response

  • Built-in alignment with HIPAA, NIST Cybersecurity Framework (CSF), and ISO 27001

  • Guided onboarding and a full cybersecurity risk assessment to identify gaps

  • Multi-year price lock and flexible plans that grow with your organization’s needs

Stay Ahead of Cyber Threats with Curated Threat Intelligence

In today’s fast-moving cyber landscape, raw data isn’t enough; you need actionable intelligence tailored to your business. Our Curated Threat Intelligence Service delivers real-time insights, customized threat profiles, and prioritized alerts focused on your industry, your risks, and your critical assets.

We filter the noise, track evolving threat actors, and highlight only what matters most, so you can act faster, defend smarter, and stay resilient. Every report includes high-confidence indicators of compromise (IOCs), mapped MITRE ATT&CK techniques, and strategic recommendations designed to strengthen your defenses.

Protect your business with intelligence built for action, not overwhelm.
Contact us today to start receiving tailored threat intelligence you can trust.

Whether you’re focused on penetration testing, compliance, data privacy, or building out your security operations, Nexus-Dragon equips you with the tools, knowledge, and strategies to lead from the front.

Partner Spotlight

Organize, Track, and Succeed with Monday.com

We’re proud to be sponsored by Monday.com, the all-in-one work operating system that helps teams stay organized, efficient, and ahead of schedule. Whether you're managing cybersecurity projects, coordinating threat intelligence reports, or streamlining daily operations, Monday.com offers customizable workflows, real-time collaboration, and powerful automation, all in one easy-to-use platform.

Ready to take control of your projects and boost your team's productivity?
Get started today with Monday.com

Ready to move forward?
For full details, customized walkthroughs, or to begin onboarding, contact our team.



The information provided is for general purposes only and is accurate to the best of our knowledge. We do not guarantee its accuracy or reliability and are not responsible for any outcomes resulting from its use. This post contains affiliate links, meaning we may earn a commission if you purchase through them, at no additional cost to you. All trademarks belong to their respective owners.

CONTACT US

📞 850-684-0278