Threat Alerts

A surge of ransomware attacks has struck major UK retailers, with threat groups DragonForce and Scattered Spider identified as the main actors behind this wave. Victims include Co-op, Marks & Spencer, and Harrods, all of which have reported service outages or data breaches. DragonForce has claimed responsibility for the attacks, including the theft of 20 million customer records from Co-op, while multiple sources suggest Scattered Spider may be operating in parallel or supporting the campaign.

What stands out in this campaign is not just the high-profile victims, but the deliberate and strategic shift by ransomware actors to target specific sectors—in this case, UK retail. This sector-focused approach reflects an evolution in ransomware operations, where groups increasingly coordinate large-scale attacks on entire industries to maximize disruption and extortion leverage.

In April 2025, researchers uncovered a new information-stealing malware named Gremlin Stealer, which has been actively promoted on the Telegram channel “CoderSharp” since mid-March. Developed in C#, this malware is designed to extract a wide range of sensitive data from compromised Windows systems, including browser cookies, saved credentials, clipboard contents, cryptocurrency wallet information, FTP and VPN configurations, as well as session data from applications like Telegram and Discord. Notably, Gremlin Stealer boasts the capability to bypass Chrome’s Cookie V20 protection, enhancing its effectiveness in harvesting user data.

Gremlin Stealer is an integrated backend infrastructure, which provides cybercriminals with a user-friendly web portal to manage and download exfiltrated data. Upon infection, the malware aggregates the stolen information into ZIP archives and uploads them to a command-and-control server, with some versions utilizing hardcoded Telegram bots for data transmission. This streamlined data management system underscores the evolving sophistication of cybercriminal tools. The analysis highlights the growing threat posed by such malware and emphasizes the importance of robust cybersecurity measures to detect and mitigate these risks.

A large-scale phishing campaign is currently targeting WooCommerce users by falsely claiming their websites are affected by a non-existent “Unauthenticated Administrative Access” vulnerability. The attackers send emails from spoofed addresses, directing victims to a fake WooCommerce website that uses an IDN homograph attack to appear legitimate. The campaign poses no threat unless users download and install the malicious plugin offered as a “patch” for the fabricated vulnerability.

The attack follows a sophisticated infection chain that begins when users click the “Download Patch” button in the phishing email. This leads to a convincingly designed fake WooCommerce Marketplace page where victims are encouraged to download and install a malicious plugin. Once activated, the plugin silently creates a backdoor by establishing a cronjob that attempts to create an administrator-level user with randomized credentials every minute. The malware communicates with attacker-controlled servers, sending encoded information about the compromised site and downloading additional payloads. These payloads include multiple web shells hidden in the WordPress uploads directory, giving attackers comprehensive control over the infected website. The malware also conceals itself and the created administrator account from the WordPress dashboard, making detection more difficult. The consequences of infection can be severe, potentially leading to advertisement injection, malicious redirects, DDoS attacks, data theft, or even ransomware attacks.

A recent campaign targeting the Go developer ecosystem demonstrates the severe risks posed by malicious open-source modules. Three harmful packages were uploaded to public repositories under deceptive names, designed to resemble legitimate libraries. Once integrated into a developer’s environment, these modules delivered a disk-wiping payload capable of erasing entire Linux systems. This kind of supply-chain compromise carries the risk of complete data destruction, prolonged operational downtime, and irreversible infrastructure damage for affected organizations.

The attack leveraged the decentralized structure of the Go module system, where developers often import packages directly from GitHub without strict validation. The malicious modules contained heavily obfuscated Go code designed to fetch and execute external shell scripts, bypassing detection mechanisms. These scripts, delivered via attacker-controlled URLs, triggered system-level commands to overwrite the primary storage device with zeroes—effectively rendering all data unrecoverable. The infection chain was simple yet effective: import the module, decode the payload, and initiate remote command execution based on OS checks.

At the core of the destructive chain was a Bash script using the dd utility to wipe /dev/sda, the main disk on Linux systems. This approach ensured total data loss, with no opportunity for recovery or forensic analysis. Given the nature of the delivery method and the extent of the impact, this incident showcases how even a single dependency can introduce critical vulnerabilities into otherwise secure environments.

StealC V2 is the latest iteration of an information stealer and malware loader actively distributed since early 2023. The new version introduces improved data theft capabilities, encrypted communications, and more flexible delivery options for secondary payloads. These enhancements allow attackers to tailor operations with greater precision, delivering executable files, MSI installers, or PowerShell scripts based on victim characteristics. With a redesigned backend interface and embedded build system, the malware continues to evolve into a comprehensive toolkit for credential theft, surveillance, and post-compromise activity.

Once deployed, the malware initiates validation checks such as hardware ID generation, system language filtering, and expiration logic to avoid redundant infections. Communication with the command-and-control server is handled through JSON requests, encrypted using RC4 with keys defined during installation. The server responds with instructions for data collection, optional screenshot capture, and payload loading—based on rules set by the operator. These configurations depend on factors like system location, software presence, and keyword markers found in stolen data.

The malware’s infrastructure includes a web-based control panel that supports Telegram alerts, version-controlled updates, and rule-based tasking. Each payload delivery is mapped to markers—predefined triggers based on extracted content—that determine what follow-up actions the malware should take. New builds are generated using an embedded builder that merges operator rules with core binaries supplied by the malware’s developers. The latest updates also enable self-deletion mechanisms, anti-analysis improvements, and error handling to evade detection. StealC V2 demonstrates the increasing complexity and customization available to attackers in commodity malware families.

Despite a decline in the total number of zero-day vulnerabilities in 2024, a clear trend emerged toward targeting enterprise products—particularly network edge appliances like VPNs, security gateways, and firewalls. These systems offer high-privilege access and often lack robust monitoring, making them attractive for both state-sponsored and financially motivated attackers. The growing focus on enterprise tech reflects a broader shift in initial access strategies, with attackers favoring scalable, infrastructure-level compromises over user-end exploitation. This trend has persisted into 2025 and is expected to rise, with zero-day development increasingly aimed at high-value, low-visibility systems that bridge internal and external network environments.