Weekly Cybersecurity Recap - 26 May 2025

Introduction

Last week brought a surge of malicious campaigns, high-profile cyberattacks, and revealing research. Fake VPN installers and phishing attacks targeting Russian firms highlighted how attackers are constantly adapting their delivery tactics. Meanwhile, Marks & Spencer reported that its ransomware incident could cost nearly $400 million - underscoring the rising stakes of enterprise breaches. Browser extensions, ICS honeypots, and cybersecurity board oversight also made headlines. Here’s a breakdown of what you need to know:

Malware & Threat Campaigns

Hackers Use Fake VPN and Browser NSIS Installers to Deliver Winos 4.0 Malware

A newly exposed campaign is delivering Winos 4.0 malware through counterfeit installers disguised as popular applications like LetsVPN and QQ Browser. Researchers from Rapid7, who first observed this campaign in February 2025, say it uses a multi-stage, memory-resident loader named Catena. The attackers appear to be highly capable and focused, operating primarily in Chinese-speaking environments with signs of long-term strategic planning.

PureRAT Malware Spikes 4x in 2025, Deploying PureLogs to Target Russian Firms

PureRAT infections have quadrupled this year, particularly among Russian organizations. These attacks typically start with phishing emails that contain malicious RAR archives disguised as Word or PDF documents using double file extensions. While the campaign's origin remains unknown, it’s a clear sign that email remains a potent vector for targeting corporate environments with evasive malware.

100+ Fake Chrome Extensions Found Hijacking Sessions, Stealing Credentials, Injecting Ads

A threat actor has developed over 100 malicious Chrome extensions since early 2024, posing as utilities but embedding dangerous capabilities. These browser add-ons do far more than advertised - they steal credentials and cookies, hijack sessions, inject ads, redirect traffic, and even manipulate webpages for phishing. The campaign illustrates how browser-based threats continue to evolve under the radar.

3am Ransomware Adopts Email Bombing, Vishing Combo Attack

The emerging 3AM ransomware group is now using combo tactics that combine email bombing and vishing - a technique made popular by the Black Basta group. In a recent campaign uncovered by Sophos, the group was able to exfiltrate data from a compromised system. Although a full ransomware attack wasn’t completed, the method demonstrates how initial access vectors are becoming more aggressive and hybridized.

Major Incidents & Disruptions

Marks & Spencer Expects Ransomware Attack to Cost $400 Million

Marks & Spencer has revealed that the financial fallout from its recent ransomware attack could reach £300 million (about $400 million). The breach disrupted logistics, food sales, and store operations across its 500+ locations. The retailer is now in recovery mode, manually restoring critical systems and absorbing significant losses due to spoilage and supply chain inefficiencies. The incident highlights how deeply ransomware can affect even well-established global businesses.

Research & Trends

Up to 25% of Internet-Exposed ICS Are Honeypots: Researchers

A new study by researchers from NTNU Gjøvik and TU Delft found that up to 25% of internet-facing Industrial Control Systems (ICS) may actually be honeypots. Using the Censys search engine, they scanned over 150,000 devices across 175 countries. Their discovery reveals how defenders are increasingly turning to deception as a tool to study, slow down, or trap attackers targeting critical infrastructure.

Taming the Hacker Storm: Why Millions in Cybersecurity Spending Isn’t Enough

According to the AV-TEST Institute, more than 450,000 new malware samples are detected daily. That staggering number reveals why even massive security budgets can fall short - organizations are simply overwhelmed by the pace and volume of threats. It’s a reminder that defense is not just about money, but about prioritization, agility, and proactive strategy.

Boards Need a More Active Approach to Cybersecurity

A recent survey of 151 executives shows a gap between perception and reality when it comes to boardroom cybersecurity strategy. While a majority believe their funding is sufficient, only a fraction see their boards as proactive or innovative. The data points to a growing need for directors to engage more directly and meaningfully with cybersecurity planning.