Triaging the Week 070

Hello there 👋

Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!


Top 5 News Stories


Interlock Ransomware Gang Deploys ClickFix Attacks with Fake IT Tools to Breach Networks

The Interlock ransomware gang is using ClickFix attacks, posing as IT tools such as FortiClient and Palo Alto Networks GlobalProtect, to trick users into running malicious PowerShell commands. Sekoia reports that these tactics, active since January 2025, deploy ransomware and backdoors across corporate networks.

Key takeaways:

🕵️‍♂️ Interlock ransomware gang shifted to ClickFix attacks in January 2025, using fake CAPTCHA prompts to lure victims into executing PowerShell commands that install a PyInstaller-based backdoor, as observed by Sekoia.

🎭 Attackers impersonate legitimate IT tools, including FortiClient, Ivanti Secure Access, and Palo Alto Networks Global Protect, previously mimicking browser updates like Chrome and Edge.

🔍 The malicious PowerShell command opens a legitimate Advanced IP Scanner webpage to deceive users, while deploying a backdoor for potential ransomware delivery, though no additional payloads were observed.

⚠️ ClickFix’s rising popularity among threat actors, including North Korean hackers and other ransomware groups, highlights its effectiveness in social engineering. Interlock targets organizations like the National Defense Corporation.

🎯 Threat Hunting Package

Sekoia

Phishers Exploit Google OAuth in DKIM Replay Attack to Spoof Legitimate Google Emails

Phishers are abusing Google OAuth to send fake emails from “[email protected],” passing DKIM checks and tricking users into visiting fraudulent login pages. Google is rolling out fixes, but users should enable 2FA and verify links to stay safe.

Key takeaways:

🕵️‍♂️ Attackers create Google OAuth apps to trigger authentic security alerts from Google’s servers, which carry valid DKIM signatures, then forward these emails with malicious links to victims, bypassing email security checks.

🌐 The phishing emails lead to convincing fake support portals on sites.google.com, mimicking Google’s login pages, as seen in attacks targeting Ethereum Name Service developer Nick Johnson with fake subpoena alerts.

🔍 A similar DKIM replay attack hit PayPal users in March 2025, showing the tactic’s growing use; the flaw lies in DKIM verifying only message headers, not the email envelope.

⚠️ Google, aware of the issue since April 2025, is deploying protections to block this abuse by the Rockfoils threat actor, while experts recommend 2FA and passkeys to mitigate risks.

Threat Reader
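To make the DKIM replay mechanism in the story above concrete, here is an added Python example (not from the original newsletter, Google, or any vendor) that triages mail headers for the replay pattern: a DKIM signature that passes and aligns with the From: domain while the envelope sender (Return-Path) belongs to another organization and SPF does not pass. It assumes the receiving MTA already stamps an Authentication-Results header, uses a naive last-two-labels organizational domain instead of the Public Suffix List, and all header samples are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not real mail): a Google-signed alert that was
# replayed through a third-party relay, and the same alert delivered directly.
REPLAYED = """Return-Path: <bounce@relay.example.net>
Authentication-Results: mx.example.org; dkim=pass header.d=accounts.google.com; spf=fail
DKIM-Signature: v=1; a=rsa-sha256; d=accounts.google.com; s=sel; h=from:subject
From: Google <no-reply@accounts.google.com>
Subject: Security alert
"""
DIRECT = """Return-Path: <3abc@accounts.bounces.google.com>
Authentication-Results: mx.example.org; dkim=pass header.d=accounts.google.com; spf=pass
DKIM-Signature: v=1; a=rsa-sha256; d=accounts.google.com; s=sel; h=from:subject
From: Google <no-reply@accounts.google.com>
Subject: Security alert
"""

def org_domain(host: str) -> str:
    """Naive organizational domain: last two labels (no Public Suffix List)."""
    return ".".join(host.lower().strip().split(".")[-2:])

def addr_domain(msg, header: str) -> str:
    """Domain of the address in a header such as From: or Return-Path:."""
    return parseaddr(msg.get(header, ""))[1].rpartition("@")[2]

def dkim_domain(msg) -> str:
    """Signing domain (d= tag) of the first DKIM-Signature header."""
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", msg.get("DKIM-Signature", ""))
    return m.group(1) if m else ""

def auth_results(msg) -> dict:
    """Map method -> verdict from Authentication-Results (dkim=pass, spf=fail, ...)."""
    return dict(re.findall(r"\b(dkim|spf|dmarc)=(\w+)", msg.get("Authentication-Results", "")))

def is_suspected_dkim_replay(raw_headers: str) -> bool:
    """Replay pattern: DKIM passes and aligns with From:, yet the envelope sender
    belongs to another organization and SPF does not pass. The signature still
    verifies because DKIM covers only the signed headers, not the envelope."""
    msg = message_from_string(raw_headers)
    from_org = org_domain(addr_domain(msg, "From"))
    results = auth_results(msg)
    if not from_org or results.get("dkim") != "pass":
        return False
    if org_domain(dkim_domain(msg)) != from_org:
        return False  # signature not aligned with From: -> not this pattern
    envelope_misaligned = org_domain(addr_domain(msg, "Return-Path")) != from_org
    return envelope_misaligned and results.get("spf", "none") != "pass"
```

Legitimate forwarding (mailing lists, personal forwards without ARC) produces the same header pattern, so treat a hit as a triage signal to pair with link and sender-context review rather than a verdict.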

Russian Bulletproof Host Proton66 Fuels Global Cyberattacks and Malware Surge

Since January 2025, hackers have exploited Russian bulletproof host Proton66 to launch global cyberattacks, targeting critical vulnerabilities and spreading malware like XWorm and SuperBlack ransomware. Trustwave SpiderLabs warns of its role in mass scanning and brute-forcing, urging stronger network defenses.

Key takeaways:

🕵️‍♂️ Proton66, a Russian bulletproof hosting provider linked to PROSPERO, has been used since January 8, 2025, for mass scanning, credential brute-forcing, and exploiting vulnerabilities, targeting organizations worldwide.

🌐 Active net blocks (45.135.232.0/24, 45.140.17.0/24, 193.143.1.65) targeted critical CVEs in February 2025, including Palo Alto PAN-OS (CVE-2025-0108), Fortinet FortiOS (CVE-2024-55591, CVE-2025-24472), and D-Link NAS (CVE-2024-10914).

🦠 Malware campaigns via Proton66 distribute XWorm, StrelaStealer, and WeaXor ransomware, with Fortinet exploits tied to initial access broker Mora_001 delivering the SuperBlack ransomware strain.

⚠️ The service’s history on Russian cybercrime forums, under names like Securehost and BEARHOST, highlights its role in enabling persistent, hard-to-trace attacks, necessitating robust security measures.

🎯 Threat Hunting Package

Trustwave

New MITRE ATT&CK v17 Released With New Techniques and Cloud Focus

MITRE ATT&CK v17 has just been released. It adds 22 new techniques, including cloud-specific threats like Kubernetes abuse, and refines analytics for better threat hunting. With expanded coverage for SaaS and mobile, it’s a must-have for defenders tracking evolving cyber attacks.

Key takeaways:

🕵️‍♂️ New Techniques Added: ATT&CK v17 introduces 22 techniques, 9 sub-techniques, and 2 platforms (Containers, SaaS), covering tactics like Kubernetes configuration tampering (T1609.003) and SaaS data collection (T1533.002).

☁️ Cloud and SaaS Focus: Enhanced cloud coverage includes Microsoft 365 and Azure AD techniques, with new SaaS platform additions addressing threats like permission abuse in Office 365 or Google Workspace.

🔍 Improved Analytics: Updates include 24 new analytics, refined technique mappings (e.g., WMI split into T1047 and T1604), and expanded macOS and Linux coverage, aiding SOCs in threat detection.

⚠️ Community-Driven: Built with global defender input, v17 supports threat hunters with structured adversary behavior data, while addressing emerging risks in mobile, containers, and enterprise environments.

MITRE ATT&CK

Marks & Spencer Hit by Cyber Attack

Marks & Spencer confirms a cyber attack that has been disrupting contactless payments and Click and Collect services across its 1,400 stores since the Easter weekend. The retailer is working with experts to resolve delays and is urging customers to wait for order confirmation emails.

Key takeaways:

🕵️‍♂️ Marks & Spencer (M&S) disclosed a cyberattack starting over the Easter weekend of 2025, impacting operations across its 1,400 stores, particularly disabling contactless payments and delaying Click and Collect orders.

📢 The company notified the UK’s National Cyber Security Centre and Information Commissioner’s Office, engaging external cyber security experts to investigate and mitigate the incident, though specific details about the attack remain undisclosed.

🛡️ M&S implemented temporary in-store operational changes to protect customers and the business. Stores, the website, and the app remain operational despite ongoing Click and Collect delays.

🔍 Social media reports highlighted customer frustration, with some unable to use vouchers or complete purchases, while M&S advised waiting for email confirmations before collecting orders to avoid further disruption.

Bleeping Computer


Top Tips of the Week


Threat Intelligence

  • Leverage open-source intelligence (OSINT) for a broader threat landscape. OSINT enriches your CTI with publicly available data.
  • Use CTI to assess third-party risks. Evaluate and manage cybersecurity risks associated with external vendors.

Threat Hunting

  • Test your incident response plan regularly. Simulate scenarios to identify weaknesses and improve readiness.
  • Incorporate threat intelligence into your risk management strategy for cyber threat hunting. Enhance resilience by identifying and mitigating potential risks.
  • Understand the value of threat intelligence in penetration testing. Use threat insights to enhance real-world attack simulations.
  • Investigate patterns, not just incidents. Recognizing patterns aids in understanding tactics and identifying potential threats.

Custom Tooling

  • Consider the integration of machine learning in custom tool development. Leverage AI capabilities for enhanced threat detection and analysis.

Feature Article

Priority Intelligence Requirements

How do you know you are working on the right intelligence requirements? How do you decide which stakeholders’ requirements to fulfill? Who gets priority? You need priority intelligence requirements to ensure your output aligns with objectives that drive your business forward.

Priority intelligence requirements allow you to focus on what matters most to your business, what requirements have the greatest impact, and what will significantly improve your cyber security posture. But how do you prioritize the right ones?

This article answers this question by providing actionable guidance on prioritization methods you can use right now!

These methods include MoSCoW, RACI matrices, and data analysis techniques that empower you to facilitate the prioritization of intelligence requirements with your stakeholders. Let’s get started.

Read Now


Learning Resources


Effective Threat Hunting Techniques

Threat hunting is the practice of proactively finding evil stuff in your network. This comprehensive SANS webcast by Chris Dale delves deep into the art of effective threat hunting, emphasizing that breaches are inevitable and that organizations must prioritize detection alongside prevention.

He introduces the needed mindset shift—from reliance on static indicators like IPs and hashes to the dynamic analysis of tactics, techniques, and procedures (TTPs), championing the pyramid of pain. Continuous monitoring and understanding “normal” in one’s network should accompany this through methods like long-tail analysis and asset baselining.

It is a great watch for anyone tasked with developing effective detection strategies!

Digital Forensics and Incident Response Demystified

I recommend that everyone in cyber have a foundational understanding of Digital Forensics and Incident Response (DFIR). This introductory talk by Kathryn Hedley is a great starting point!

Through accessible language and practical examples, Hedley illustrates the value of understanding digital evidence, its meaning, and how to recover it to strengthen an investigation. She lays out the structured forensic process: identifying, acquiring, analyzing, and reporting, so new analysts can quickly apply a methodological and consistent approach to their work.

Give it a watch if you’re new to DFIR!

The Analyst Mindset

Being a cyber analyst is challenging. You must interpret vague inputs, synthesize evolving evidence, and constantly refresh your perceptions. This enlightening presentation explains how to make it easier.

Drawing from psychology, Chris Sanders introduces the DINK process (Diagnostic Inquiry), where analysts start from an initial event, interpret its meaning, form investigative questions, and continuously loop through this cycle as they encounter cues. This allows analysts to forecast, predict related events, and convert them into targeted questions through intuitive and deliberate thought.

It is an eye-opening presentation that will have you rethinking how you perform investigations!

Common Threat Hunting Mistakes

Threat hunting is a challenging endeavor that can lead new analysts to make many mistakes. Christopher Witter’s deep dive explores the realities and pitfalls of modern threat hunting.

It covers avoiding the baseline fallacy, overcoming missing context, and dispelling the idea that you need all your data in a SIEM or advanced EDR to be an effective threat hunter. He showcases several open-source tools for this, such as Velociraptor, OSQuery, and Chainsaw. Additionally, he advocates for repeatable hunting practices—transforming hunts into permanent detections or scheduled detection methods.

A must-watch presentation for anyone who is performing threat hunting at their organization!