Weekly Cybersecurity Recap - 28 April 2025

Major Cyber Incidents, Vulnerabilities & Industry Updates

    Introduction

    This week’s cybersecurity landscape showcases a broad spectrum of threats — from QR code scams targeting the public to emerging GenAI-induced supply chain risks, and mobile app vulnerabilities affecting millions. Enterprises face rising pressure as ransomware brokers innovate, phishing-as-a-service platforms add AI power, and vulnerabilities are exploited at unprecedented speeds. Here’s what you need to know.

    Threat Warnings & Incidents

    UAE cybersecurity warning: Rising QR code scams target personal data

    The Cybersecurity Council of the UAE has issued a warning about a surge in scams involving QR codes in public places. Fraudsters use these codes to direct unsuspecting users to malicious websites disguised as legitimate services. The Council advises extra caution: signs of a scam may include multiple stickers layered over each other or links leading to suspicious websites that request sensitive information or contain spelling errors.

    Marks & Spencer confirms cybersecurity incident amid ongoing disruption

    Retail giant Marks & Spencer has confirmed a cybersecurity incident following customer complaints of outages and disruptions. The company is working to contain the issue and restore affected systems, while investigations into the nature and scope of the breach continue.

    Emerging Technologies & Risks

    'Slopsquatting' and Other New GenAI Cybersecurity Threats

    As generative AI continues to evolve, cybersecurity researchers are identifying new risks such as "slopsquatting" — a supply chain attack in which AI models hallucinate dependencies that do not exist and recommend them to developers. This gives attackers an opening to exploit AI-generated errors, pushing enterprises to rethink how they verify software recommendations and package sources.
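One defensive check the paragraph implies, shown here as an added example that is not from the original post: a small Python script that vets an AI-suggested dependency list against an approved-package allowlist and flags names that are unknown or near-misses of real packages before anything is installed. The allowlist and the requirements block are constructed sample data.

```python
"""Flag dependencies that may be hallucinated ("slopsquatting") before install."""
from difflib import SequenceMatcher

# Constructed allowlist standing in for an internal mirror / approved-package list.
APPROVED = {"requests", "numpy", "pandas", "cryptography", "pyjwt", "boto3"}

# Constructed AI-suggested requirements: one is a near-miss of a real package name,
# one is a plausible-sounding package that is not on the allowlist at all.
SUGGESTED = """requests==2.32.3
numpy>=1.26
cryptograpy==42.0.5
requests-oauth-helper
"""


def parse_requirements(text):
    """Return lower-cased bare package names from a requirements-style block."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        for sep in ("==", ">=", "<=", "~=", "!=", ">", "<", "["):
            line = line.split(sep, 1)[0]  # strip version specifiers and extras
        names.append(line.strip().lower())
    return names


def closest_approved(name, approved):
    """Best-matching approved name and its similarity ratio (0..1)."""
    best = max(approved, key=lambda a: SequenceMatcher(None, name, a).ratio())
    return best, SequenceMatcher(None, name, best).ratio()


def vet(text, approved=APPROVED, near=0.8):
    """Classify each name: 'ok', 'near-miss:<real>' (likely typo/hallucination), or 'unknown'."""
    report = {}
    for name in parse_requirements(text):
        if name in approved:
            report[name] = "ok"
            continue
        match, score = closest_approved(name, approved)
        report[name] = f"near-miss:{match}" if score >= near else "unknown"
    return report


if __name__ == "__main__":
    for pkg, verdict in vet(SUGGESTED).items():
        print(f"{pkg:25} {verdict}")
```

Anything reported as near-miss or unknown should be reviewed by a human against the upstream registry rather than installed automatically.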

    Digital Twins Bring Simulated Security to the Real World

    Digital twins — virtual simulations of business environments incorporating real-time data — are becoming vital in cybersecurity. Trellix researchers use digital twins to simulate customer networks, triage alerts, and model security responses using AI agents. This approach allows organizations to understand potential attack impacts in a risk-free environment, enhancing their ability to respond to threats proactively.

    Darcula Adds GenAI to Phishing Toolkit, Lowering the Barrier for Cybercriminals

    Darcula, a phishing-as-a-service platform, has introduced generative AI tools to its suite, making it easier for criminals to create customized phishing pages with multilingual support and form generation — without coding skills. These updates lower the entry barriers for cybercriminals and increase the volume and quality of phishing attacks.

    Mobile Threats

    Android Spyware Disguised as Alpine Quest App Targets Russian Military Devices

    A malicious campaign has been detected targeting Russian military personnel by distributing spyware under the guise of the Alpine Quest mapping app. Researchers found trojanized versions embedded in older app variants marketed as free alternatives to the paid Alpine Quest Pro. These spyware-laden versions aim to bypass official app store checks and lure military users into installing compromised apps.

    Mobile Applications: A Cesspool of Security Issues

    A large-scale analysis of over half a million mobile applications revealed alarming issues: around 20% had hardcoded encryption keys, 16% used third-party libraries with known vulnerabilities, and nearly two-thirds implemented weak or broken encryption. These findings spotlight the urgent need for developers and enterprises to prioritize secure coding practices and rigorous third-party code assessments.

    Vulnerabilities & Attack Trends

    159 CVEs Exploited in Q1 2025 — 28.3% Within 24 Hours of Disclosure

    Cybersecurity researchers flagged 159 CVE identifiers as exploited during Q1 2025 — a notable increase from the previous quarter. Alarmingly, nearly a third of these vulnerabilities were weaponized within 24 hours of disclosure, highlighting how quickly attackers are mobilizing to exploit newly revealed security flaws.

    ToyMaker Uses LAGTOY to Sell Access to CACTUS Ransomware Gangs for Double Extortion

    Researchers have detailed the operations of ToyMaker, an initial access broker leveraging custom malware called LAGTOY (also known as HOLERUN) to compromise vulnerable systems. ToyMaker then sells access to ransomware groups like CACTUS, who use double extortion tactics to pressure victims into paying up. This growing collaboration between IABs and ransomware operators underscores the evolving threat landscape enterprises must navigate.
