This month’s cybersecurity highlights reveal a sharp rise in both human and technical threats. Retail giants were targeted by Scattered Spider’s sophisticated voice phishing campaigns, while Apple’s AirPlay protocol exposed millions of devices to silent, zero-click exploits. On the cybercrime front, major disruptions hit hard: the Lumma Stealer malware network was dismantled in a global takedown, and LockBit, one of the most notorious ransomware groups, suffered a breach of its own infrastructure.
Techniques
Service Desk Social Engineering
Scattered Spider, a hacker collective based in the United States and the United Kingdom, recently carried out a series of high-profile attacks on four major retailers – Marks & Spencer, the Co-op, Harrods, and Dior. The group used social engineering techniques such as voice phishing and caller ID spoofing against service desks, posing as legitimate employees. Using publicly available information, the group crafts convincing pretexts to obtain access through service desk staff.
In April 2025, retail giant Marks & Spencer became a victim. The breach led to disruption of Marks & Spencer’s online services, including contactless payment and click-and-collect systems, and to a loss of customer and employee data. Marks & Spencer chose not to pay the ransom and instead opted to rebuild its systems. This has resulted in prolonged operational downtime, with some systems not fully operational as of mid-May. Attacks with similar tradecraft and similar indicators of compromise have recently hit other large retailers, such as Harrods, the Co-op and Dior. This highlights the need for all employees to regularly complete phishing training, with a push from security teams to raise awareness of this attack vector.
AirBorne – Apple AirPlay Zero-Click Remote Code Execution
Cybersecurity researchers at the Israel-based Oligo Security uncovered critical vulnerabilities in Apple’s AirPlay protocol, collectively dubbed AirBorne. These flaws affect Apple devices and millions of third-party products using the AirPlay Software Development Kit, and they enable attackers to carry out zero-click and one-click remote code execution (RCE) attacks.
These flaws mean an attacker on the same Wi-Fi network can silently compromise devices without any user interaction, making the exploit highly dangerous and wormable – capable of spreading itself across a network once a single device is infected. These vulnerabilities may enable a skilled attacker to bypass access controls, read arbitrary files, extract sensitive information and conduct man-in-the-middle attacks.
Apple rolled out patches for its ecosystem in late March 2025, but third-party vendors remain vulnerable unless they issue their own updates. The situation is exacerbated by the proprietary and often poorly documented nature of the AirPlay SDK, which many vendors integrate without the expertise to properly secure. As a result, millions of smart home and enterprise devices may still be at risk.
LeaKeePass – Trojanised KeePass
Researchers at WithSecure have identified a new attack campaign involving a malicious version of the popular open-source password manager KeePass, altered to include a hidden malware payload – Cobalt Strike. This compromised build is presented as the legitimate application and hosted on typosquatted domains, leading users to unknowingly download and install it.
Once installed, the trojanised KeePass drops the payload, giving attackers remote access to the victim’s machine and allowing them to maintain persistence, escalate privileges, and move laterally within the network, further compromising systems and stealing data. The malicious build still lets the user open their KeePass vault as normal, and once the vault is decrypted it hands the entire contents to the attackers. The C2 communication and exfiltration use standard web protocols, such as HTTPS, in an attempt to blend in with regular web traffic and make the malicious activity harder to identify.
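Because the trojanised build was distributed from typosquatted domains, one practical check is to scan proxy or DNS logs for hostnames that resemble the genuine download site. The following is an added example, not code from the original post or from WithSecure: it assumes keepass.info as the legitimate reference domain and runs over constructed proxy log lines.

```python
# Added example (not from the original post): flag typosquat lookalikes of a
# legitimate download domain in proxy logs. keepass.info is the assumed
# reference domain; the log lines are constructed for illustration.
from urllib.parse import urlparse

LEGIT_DOMAIN = "keepass.info"
MAX_DISTANCE = 2  # edit distance at or below which a registrable domain is suspicious

# Constructed proxy log lines: <timestamp> <client> <method> <url>
SAMPLE_LOG = """\
2025-05-12T09:14:02Z 10.1.4.23 GET https://keepass.info/download.html
2025-05-12T09:15:40Z 10.1.4.23 GET https://keeppass.info/KeePass-Setup.exe
2025-05-12T09:20:11Z 10.1.7.8 GET https://keepass-download.info/setup.exe
2025-05-12T09:21:05Z 10.1.7.8 GET https://example.com/index.html
2025-05-12T09:22:30Z 10.1.9.2 GET https://www.keepass.info/help/index.html
"""

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Naive eTLD+1: keep the last two labels (adequate for .info/.com)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def is_lookalike(host: str, legit: str = LEGIT_DOMAIN) -> bool:
    """Suspicious if host is not legit (or a subdomain of it) yet is within
    MAX_DISTANCE edits of it or embeds its first label (keepass-download.info)."""
    host = host.lower()
    if host == legit or host.endswith("." + legit):
        return False
    reg = registrable(host)
    return levenshtein(reg, legit) <= MAX_DISTANCE or legit.split(".")[0] in reg.split(".")[0]

def find_lookalikes(log_text: str) -> list[tuple[str, str]]:
    """Return (client, host) pairs where the requested host resembles LEGIT_DOMAIN."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        host = urlparse(parts[3]).hostname or ""
        if is_lookalike(host):
            hits.append((parts[1], host))
    return hits
```

Hits from the sample log point at the two clients that fetched installers from lookalike hosts; in practice the same check pairs well with verifying the installer’s signature before allowing execution.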
Happenings
[RU/Global] LockBit Tastes Its Own Medicine
The LockBit ransomware group, one of the most prolific cybercrime syndicates operating a Ransomware-as-a-Service (RaaS) model, suffered a severe internal breach that exposed sensitive operational and organisational data. The breach was discovered after LockBit’s dark web affiliate panel was defaced with a message reading “Don’t do crime. CRIME IS BAD xoxo from Prague,” accompanied by a link to download a MySQL database dump. The database contained 20 tables revealing critical insights into the group’s infrastructure, including nearly 60,000 unique Bitcoin addresses linked to ransom payments, thousands of negotiation chat transcripts with victims, ransomware build information, and usernames and plaintext passwords of 75 administrators and affiliates. The breach exposed LockBit’s internal communication strategies, target preferences, ransom demands, and details of its affiliate network.
The exposed data could significantly weaken LockBit’s RaaS model by eroding trust among affiliates and partners, as well as offering law enforcement agencies valuable intelligence to pursue prosecutions and dismantle the group’s infrastructure. The breach appears to have occurred in late April and was publicly reported by cybersecurity researchers and journalists by early May. Despite LockBit attempting to downplay the event and continue operations, the incident has cast doubt on the group’s security practices and operational integrity, a common theme amongst persistent threat actors – in many cases they have worse operational security than their targets.
[Global] Lumma Stealer Takedown
A coordinated international operation led by Microsoft, the U.S. Department of Justice, Europol, and Japan’s Cybercrime Control Centre successfully disrupted the Lumma Stealer malware infrastructure. The malware, also known as LummaC2, had infected nearly 400,000 Windows computers worldwide between March 16 and May 16, 2025, making it one of the most prevalent information-stealing threats during that period, and one of the fastest and most widespread non-worm-based malware propagation events ever.
LummaC2 required users to be tricked into executing it, often via phishing or malicious ads. Reaching almost 400,000 infections in such a short time shows how effectively it was distributed and how vulnerable users still are to social engineering and drive-by download attacks.
Lumma Stealer is a malware-as-a-service (MaaS) tool developed by a Russian-speaking threat actor known as Shamel. It is marketed through Telegram and other platforms, offering customisable services for stealing sensitive data such as passwords, financial information, and cryptocurrency wallet credentials. The malware gained popularity due to its ease of use and effectiveness in bypassing security defences. The takedown involved seizing over 2,300 malicious domains and dismantling Lumma’s command-and-control infrastructure. Microsoft’s Digital Crimes Unit redirected more than 1,300 of these domains to secure Microsoft-controlled servers, effectively neutralising the malware’s ability to communicate with its operators.
[US] 5.5 Million Patient Records Stolen
Yale New Haven Health System (YNHHS) suffered a major data breach that affected approximately 5.5 million patients. YNHHS’s systems were breached by exploiting a vulnerability in unpatched third-party remote-access software. Once inside, the attackers moved laterally through the network, extracting large amounts of personal and sensitive data, including names, dates of birth, Social Security numbers, and medical record details. Financial data and medical treatment records were not compromised.
The breach was detected when unusual network activity triggered an alert, and YNHHS took immediate action to isolate the affected systems, bring in cybersecurity experts, and notify law enforcement. Despite the severity of the attack, the hospital’s core medical services, including patient care and electronic health records, were not disrupted. Although affected individuals were notified and offered identity theft protection services, two federal class action lawsuits have been filed accusing YNHHS of negligence and breach of implied contract, claiming that YNHHS has not adequately provided relief for the damages the victims have suffered as a result of the breach.
[JP] Hitachi Ransomware Attack
Hitachi Vantara, a subsidiary of the Japanese conglomerate Hitachi, experienced a significant ransomware attack attributed to the Akira group that disrupted internal systems and services, including those of Hitachi Vantara Manufacturing. Remote support services and certain manufacturing systems experienced significant disruption, particularly those related to government projects, while customer-facing cloud services and self-hosted customers remained unaffected.
The Akira group, known for employing double-extortion tactics, exfiltrated sensitive data from compromised systems and left ransom notes demanding payment. Since its emergence in 2023, Akira has targeted over 300 organisations globally, and the FBI, which tracks Akira’s operations, has found that the group has extorted nearly $50 million from various organisations. Hitachi Vantara has fully contained the incident but has yet to return to full functionality, opting to prioritise rebuilding and securing its infrastructure.