Triaging the Week 072

Hello there 👋 

Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!


Top 5 News Stories


Microsoft Mandates Passwordless Authentication for All New Accounts

Microsoft now makes all new accounts passwordless by default, using passkeys, biometrics, or PINs to combat phishing and password attacks. Existing users can opt to delete passwords, aligning with the industry push for secure authentication.  

Key takeaways: 

🔑 Passwordless by Default: New Microsoft accounts no longer require passwords, defaulting to passkeys, biometrics, or PINs to enhance security against phishing, brute force, and credential stuffing attacks. 

🚀 Streamlined Sign-In: A new user experience prioritizes passwordless methods, with Microsoft reporting 98% success rates for passkey logins compared to 32% for passwords. 

🛡️ Industry Alignment: The move, announced on World Passkey Day, supports the FIDO Alliance’s push for passwordless authentication, with 15 billion accounts now passkey-compatible. 

🔄 Existing User Options: Current users can remove passwords via account settings, though full passwordless adoption requires the Microsoft Authenticator app. 

📊 Security Imperative: Microsoft cites 7,000 password attacks per second in 2024, underscoring the urgency of transitioning to more secure authentication methods. 

Microsoft Security 

Darcula PhaaS Steals 884,000 Credit Cards in Global SMS Phishing Campaign

The Darcula phishing-as-a-service platform stole 884,000 credit cards through 13 million malicious SMS links targeting users in over 100 countries. Its use of iMessage and RCS, plus 20,000 spoofed domains, made attacks highly effective, evading traditional defenses. 

Key takeaways: 

📱 Massive Phishing Operation: Darcula PhaaS stole 884,000 credit cards over seven months in 2023-2024, leveraging 13 million clicks on phishing links sent via SMS, iMessage, and RCS to users in over 100 countries. 

🕵️‍♂️ Sophisticated Tactics: The platform used 20,000 domains mimicking brands, with phishing texts posing as toll fines or shipping notices, enhanced by RCS and iMessage to bypass anti-spam filters. 

🔍 Investigative Findings: Research by NRK, Bayerischer Rundfunk, Le Monde, and Mnemonic identified 600 operators and Darcula’s creator, revealing its scale and ongoing evolution. 

🛠️ Evolving Platform: By February 2025, Darcula v3 introduced auto-generated phishing kits, stealth features, and a credit card-to-virtual card converter, lowering the barrier for attackers. 

🛡️ Defense Recommendations: Users should avoid clicking SMS links, verify sender legitimacy, and employ anti-phishing tools, while organizations need robust email and SMS filtering.

mnemonic 

Linux Wiper Malware Targets Servers via Malicious Go Modules on GitHub

A supply-chain attack has deployed disk-wiping malware hidden in three Golang modules on GitHub, targeting Linux servers with obfuscated code that erases critical data. Detected in April 2025, this campaign underscores the growing threat to open-source ecosystems, urging developers to verify package authenticity. 

Key takeaways: 

🕵️‍♂️ Supply-Chain Attack Uncovered: Three malicious Go modules on GitHub, detected in April 2025, contained hidden disk-wiping malware targeting Linux servers, posing a severe threat to system integrity. 

💾 Destructive Payload: The modules used obfuscated code to download scripts via ‘wget’, executing commands that overwrite /dev/sda, rendering Linux systems unbootable. 

🌐 GitHub as Attack Vector: Hosted on GitHub, the modules masqueraded as legitimate tools, exploiting trust in the platform to deliver payloads, with repositories now removed. 

🔍 Broader Ecosystem Risks: Similar attacks on npm and PyPI, targeting cryptocurrency wallets, highlight vulnerabilities in open-source repositories, necessitating rigorous dependency audits. 

🛡️ Mitigation Strategies: Developers should verify package publishers, audit dependencies, enforce strict access controls, and use security tools to detect malicious code. 

🎯 Threat Hunting Package 

Socket 
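A static check along these lines, added here as an example and not code from the story, from Socket's research, or from any of the modules involved: it parses a Go source file with the standard go/ast package and flags the three constructs the story describes, namely exec.Command calls whose arguments are computed at runtime rather than written as literals, hex or base64 decoding (the usual way a command string is hidden), and string literals that mention wget, /dev/sda or a shell. The list of suspicious literals is an assumption, and the module it scans is constructed for the example and harmless (its hex blob decodes to a single zero byte).

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Finding is one construct in a scanned Go file that deserves a manual look.
type Finding struct {
	Line   int
	Reason string
}

// suspiciousLiterals: substrings that, inside a string literal, match the
// behaviour in the story (fetching a script with wget, writing to the first
// disk) plus a shell path. Assumed list for the example; extend as needed.
var suspiciousLiterals = []string{"wget ", "/dev/sda", "/bin/sh"}

// rootIdent returns the leftmost identifier of a selector chain such as
// base64.StdEncoding.DecodeString, or "" if the chain does not start with one.
func rootIdent(e ast.Expr) string {
	for {
		switch v := e.(type) {
		case *ast.Ident:
			return v.Name
		case *ast.SelectorExpr:
			e = v.X
		default:
			return ""
		}
	}
}

// ScanSource parses a single Go file and reports heuristic findings. A finding
// is a reason to read the code by hand, not proof that it is malicious.
func ScanSource(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.CallExpr:
			sel, ok := x.Fun.(*ast.SelectorExpr)
			if !ok {
				return true
			}
			root := rootIdent(sel.X)
			line := fset.Position(x.Pos()).Line
			// exec.Command / exec.CommandContext with a runtime-built argument.
			if root == "exec" && strings.HasPrefix(sel.Sel.Name, "Command") {
				for _, arg := range x.Args {
					if _, isLit := arg.(*ast.BasicLit); !isLit {
						findings = append(findings, Finding{line, "exec." + sel.Sel.Name + " with non-literal argument"})
						break
					}
				}
			}
			// Decoding a string at runtime is how a hidden command is usually unpacked.
			if (root == "hex" || root == "base64") && strings.Contains(sel.Sel.Name, "Decode") {
				findings = append(findings, Finding{line, root + "." + sel.Sel.Name + " (runtime string decoding)"})
			}
		case *ast.BasicLit:
			if x.Kind != token.STRING {
				return true
			}
			for _, s := range suspiciousLiterals {
				if strings.Contains(x.Value, s) {
					findings = append(findings, Finding{fset.Position(x.Pos()).Line, fmt.Sprintf("string literal contains %q", s)})
				}
			}
		}
		return true
	})
	return findings, nil
}

// sampleModule is a constructed, harmless stand-in for a suspicious package:
// it decodes a hex blob (here a single zero byte) and hands it to a shell.
const sampleModule = `package helper

import (
	"encoding/hex"
	"os/exec"
)

var blob = "00"

func Run() error {
	raw, _ := hex.DecodeString(blob)
	return exec.Command("/bin/sh", "-c", string(raw)).Run()
}
`

func main() {
	findings, err := ScanSource("sample.go", sampleModule)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("sample.go:%d: %s\n", f.Line, f.Reason)
	}
}
```

Run against a vendored dependency tree, this reports three findings for the sample (the hex decode on line 11, and the exec call plus the /bin/sh literal on line 12). Legitimate code trips the exec rule too, so treat the output as a review queue for `go mod vendor` output or a new transitive dependency, not as a block list.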

DragonForce Ransomware Gang Targets UK Retail in Profit-Driven Evolution

The DragonForce ransomware gang, once a pro-Palestinian hacktivist group, now targets UK retailers like Harrods and Marks & Spencer with multi-extortion attacks. Using a sophisticated RaaS model, they disrupt critical systems and demand ransoms via their RansomBay leak platform.

Key takeaways: 

🐉 From Hacktivists to Extortionists: Emerging in 2023 as a Malaysian pro-Palestinian group, DragonForce has shifted to a profit-driven ransomware cartel targeting UK retailers, law firms, and medical practices. 

🛍️ UK Retail Attacks: Recent attacks on Harrods, Marks & Spencer, and Co-op disrupted payment, inventory, and payroll systems, leveraging a white-label RaaS model for scalability. 

🛠️ Advanced Toolset: DragonForce uses Conti v3-based ransomware with ChaCha8 encryption, deployed via phishing, credential stuffing, or exploits like Log4Shell, supported by tools like Cobalt Strike and SystemBC. 

🔗 Affiliate Operations: Their affiliate panel allows tailored payloads, with some attacks linked to “The Com” collective, though attribution remains inconclusive. 

🛡️ Defensive Recommendations: To counter DragonForce, organizations should implement MFA, patch vulnerabilities, monitor data exfiltration, and use EDR/XDR solutions.  

🎯 Threat Hunting Package 

SentinelOne 

Ransomware in 2025: RaaS Dominance and Evolving Extortion Tactics

Kaspersky’s 2024 ransomware report highlights the dominance of RaaS platforms like RansomHub and a 126% spike in public extortion cases. Attackers are targeting unconventional vulnerabilities, such as IoT devices, with NightSpire hitting Latin American logistics, signaling sophisticated threats in 2025.

Key takeaways:

💻 RaaS Fuels Proliferation: The Ransomware-as-a-Service model, led by platforms like RansomHub offering malware and affiliate programs, lowered barriers for cybercriminals, driving the rise of new groups in 2024.

🌎 Global and Regional Trends: Latin America, especially Brazil and Chile, saw increased attacks, with NightSpire targeting logistics firm EmoTrans, while the CIS region experienced fewer incidents.

🕵️‍♂️ Group Dynamics: Despite disruptions like ALPHV/BlackCat’s takedown, groups like RansomHub and Play emerged, reusing tools from predecessors like BlackMatter, with RansomHub pausing operations by April 2025.

📈 Extortion Evolution: A 126% year-over-year increase in public extortion cases in Q1 2025, with groups like Akira exploiting webcams and IoT devices, signals a shift to stealthier, multi-extortion tactics.

🛡️ Defense Outlook: Organizations should patch vulnerabilities, monitor IoT and edge devices, and deploy advanced EDR solutions to counter precise attacks expected to intensify in 2025.

Securelist


Top Tips of the Week


Threat Intelligence

  • Recognize the importance of Cyber Threat Intelligence (CTI) in bolstering cybersecurity defenses. It’s a proactive strategy against evolving threats. 
  • Utilize threat intelligence for proactive threat hunting. Leverage intelligence to identify and neutralize threats before they escalate.
  • Participate in threat intelligence sharing forums. Contribute insights, learn from peers, and stay updated on emerging trends. 
  • Validate threat intelligence regularly. Ensure the accuracy and relevance of information for informed cyber security decisions. 

Threat Hunting

  • Stay agile in cyber threat hunting. The threat landscape evolves; so should your strategy. Adaptability is key to effective cyber security. 
  • Share threat intelligence with your industry ISAC as part of cyber threat hunting. Contribute to collective defense efforts against sector-specific threats. 
  • Monitor insider threats in cyber threat hunting. Combine behavioral analytics with threat intelligence for a comprehensive approach. 

Feature Article


In today’s complex cyber landscape, organizations face a critical challenge: determining which threats deserve their limited resources and attention. Threat profiling offers a systematic solution, cutting through the noise to identify and prioritize adversaries most likely to target your organization. 

Rather than attempting to defend against everything, which is impossible, threat profiling helps you understand your real threats, how they operate, and where to focus your defenses. It transforms abstract threats into concrete profiles you can act on, shifting from reactive security to proactive defense. 

This guide will walk you through the structured process of identifying, analyzing, and documenting the threats that matter most, empowering you to improve your security posture and resource allocation dramatically. 

Read Now 


Learning Resources


Future-Proof Your Productivity: Tools & Tactics for 2025

Are you ready to upgrade how you work in 2025? 

In this insightful live session, Francesco D’Alessio sits down with productivity expert Tiago Forte (author of Building a Second Brain) to break down the best productivity tools and systems available today—and how you can use them to gain a competitive edge in your personal and professional life. 

Whether you’re an entrepreneur, cyber security practitioner, or student looking to stay ahead of the curve, this conversation offers a wealth of practical advice, app recommendations, and workflow strategies designed to help you work smarter, not harder. 

Key Highlights Include: 

  • The top productivity apps worth using in 2025 (Notion, Tana, Reflect, and more!) 
  • How AI is reshaping productivity and knowledge management 
  • Why system thinking and personal knowledge management (PKM) are more essential than ever 
  • Actionable tips from two leading voices in digital productivity 

It’s not just about tools—it’s about building a system that supports your goals and helps you stay organized, creative, and focused in a fast-paced world. 

A Career in Cloud Security

Thinking about a career in cloud security? Or already in it and wondering how to level up? 
This Fireside Chat with Christophe Limpalair (founder of CYBR) is an absolute must-watch. 

What this interview covers: 

  • From gaming clans to global startups – how Christophe went from defacing websites to founding an elite cloud security platform 
  • Cloud security isn’t “just a data center in the sky” — learn what really makes it different 
  • Hands-on labs, not theory — deploy real AWS environments safely & free 
  • AI’s impact on SaaS and security — insight from RSA + practical advice for using it in training & operations 
  • How to land a job without experience — portfolios, GitHub projects & community are the new résumé 
  • Transferable skills across AWS, Azure & GCP — how to specialize, then branch out 
  • Actionable strategies for beginners, job seekers, and advanced practitioners alike 

Ideal for aspiring cloud defenders, AWS/GCP/Azure learners, IT career changers, and hiring managers who want real talk from a real builder. 

Is Your SOC Drowning in Alerts or Missing the Real Threats?

If you’re in security operations, you’ve probably faced it: the never-ending avalanche of alerts. But are we really asking the right questions about them? 

In the latest Black Hills InfoSec webcast, Hal Pomeranz and Paul Asadoorian take a deep, insightful, and entertaining dive into one of the most underappreciated but critical areas of detection engineering: alert disposition. 

Learn: 

  • What alert disposition actually means (and why it matters more than you think) 
  • The 7-phase detection lifecycle that keeps your security agile 
  • Why “true positive benign” is stirring up controversy in SOCs everywhere 🤯 
  • How to spot the difference between useful noise and harmful silence in your SIEM 
  • And yes, there are charts, sarcasm, and 3D printing tangents 

Perfect for: SOC Analysts, Threat Hunters, Detection Engineers, CISOs, Blue Teamers, and Red Teamers who want to actually make detection work. 

Strengthen Your Security Posture with Vectr!

In this insightful session, cyber security expert Carrie Roberts walks through Vectr, a robust open-source platform designed for adversary emulation. Whether you’re part of a red team, blue team, or purple team, Vectr empowers you to simulate real-world attack scenarios and evaluate your organization’s defenses with precision. 

Carrie showcases how Vectr enables security pros to build structured test cases, measure defense effectiveness, and promote consistent security validation practices. You’ll see a hands-on demo covering everything from setting up a test plan to analyzing the outcomes—all using a clean, user-friendly interface. 

Why it matters: Vectr doesn’t just streamline testing—it encourages collaboration, continuous improvement, and a proactive approach to security readiness. If you’re serious about modern threat emulation, this tool is a game-changer.