Ransomware Hits Hybrid, Data Theft Campaigns, Phishing Targets Companies – Cybersecurity News [August 25, 2025]

Cybersecurity threats are on the rise again this week. Hybrid cloud ransomware attacks are becoming more and more frequent. Intruders are now stealing vast amounts of data and wiping out backups without even using traditional malware. Also, government networks in Asia have been targeted in long-running data theft campaigns. On top of all that, a global wave of phishing is hitting people with new malware delivered through fake voicemails and purchase orders. In South Asia, some skilled attackers are expanding their threat space to target Linux systems. And if that’s not enough, a massive healthcare data breach has exposed the personal details of more than 600,000 individuals.

Targeting Hybrid Cloud Infrastructure, Ransomware on the Rise

A financially motivated hacking group, Storm-0501, has been ramping up its cloud-focused ransomware and extortion attacks since 2021. What makes them stand out, is that, they don’t use traditional ransomware to encrypt on-site systems. Instead, they target hybrid cloud environments, stealing vast amounts of data, wiping backups, and then demanding a ransom, all without ever deploying conventional malware.

According to Microsoft researchers, Storm-0501 uses stolen credentials and unpatched server flaws to move through networks and escalate its privileges. In one recent campaign, the attackers took advantage of Entra Connect servers to hijack a Global Admin account that wasn’t protected by Multifactor Authentication (MFA), giving them access to critical Azure resources. After stealing data and destroying cloud assets, they used Microsoft Teams to extort their victims. The group, known for its ties to Hive, BlackCat, and LockBit, continues to evolve as cloud adoption grows.

Government Networks Targeted in New Data Theft Campaigns

Researchers have recently linked a new cluster of threats called “ShadowSilk” to a series of attacks on government organizations in Central Asia and the Asia-Pacific region. Group-IB, a cybersecurity firm, has found nearly 30 victims so far, with most of these campaigns focused on stealing data. The group’s activities have a lot in common with past operations by other threat actors like YoroTrooper, SturgeonPhisher, and Silent Lynx. It’s a truly unique group because it is made up of cross-border operators working together.

To get in, ShadowSilk uses spear-phishing emails or takes advantage of known weaknesses in Drupal and WordPress sites. Once they’re in, they use special tools to hide their command-and-control traffic by using Telegram bots, making it harder to detect. After they’ve gained access, they use a whole bunch of different tools, including web shells and well-known penetration-testing frameworks like Cobalt Strike and Metasploit, to move around the network, get higher-level access, and steal data. They’re clearly still active, with new victims being found as recently as July, and researchers believe they pose a long-term risk for data theft, especially in the government sector.

New Phishing Campaign Hits Cross-Functional Companies Globally

There’s a new phishing campaign out there that’s using a malware loader called UpCrypter, and it’s been active since early August. This campaign is mainly hitting manufacturing, technology, healthcare, construction, and retail companies across Europe, South Asia, and North America. The attackers are using fake voicemail and purchase order emails to trick people into clicking on a link. Once a victim clicks, they’re sent to a fake page that looks very convincing because it embeds the company’s own logo. This page then prompts them to download a ZIP file containing a hidden JavaScript file.

This file secretly fetches remote access tools (RATs) like PureHVNC, DCRat, and Babylon RAT, which give the attackers complete control over the host endpoint. The malware is also tricky to detect because it uses layered obfuscation and runs directly in the computer’s memory to avoid being found by security software. This campaign is happening at the same time as another one that’s using Google Classroom to send over 115,000 fraudulent emails to more than 13,500 organizations. Attackers are also getting smarter by using trusted services like Microsoft 365 Direct Send and OneNote to bypass security measures, which is a tactic they call “living-off-trusted-sites”.

Advanced Threat Group Upgrades Tactics in South Asia

New cyberattacks from a group called Transparent Tribe (also known as APT36) are targeting South Asian government organizations once again. Still, this time they’re more keen towards attacking BOSS Linux as well as Windows systems. The attack starts with spear-phishing emails that look like typical meeting notices. When you open the malicious shortcut file attached, it secretly downloads a harmful program from the attackers while showing a fake PDF to keep you from getting suspicious.

This new Go-based malware is designed to stick around, using things like cron jobs to maintain a connection to a command server. The malware is linked to the group’s Poseidon backdoor, which helps them collect credentials, steal data, and keep long-term access. The campaign shows how much more advanced Transparent Tribe is getting, especially with its sub-cluster SideCopy, which keeps improving its phishing and malware delivery to work in different systems.

A Massive Data Breach Impacts Over 600,000 Patient’s PII

A North American Company that provides dining, environmental, and support services to healthcare facilities, has confirmed a significant data breach that exposed personal information of 624,496 people, including almost 4,000 residents of Maine. It works with more than 3,000 facilities across 48 states and employs about 45,000 staff. The issue was first shown to the SEC in October 2024, after some suspicious activities were found in the system. Investigators later determined that hackers had gained access between September 27 and October 24 and stolen files during that time.

In June 2025, the company confirmed that sensitive information was taken, including names, dates of birth, Social Security Numbers (SSN), Driver’s License and State ID numbers, and financial account details. Notification letters began going out to those affected on August 25, 2025 and the company started notifying those affected are being offered free credit monitoring and identity theft protection. The company stated that there is no proof of misuse of the data stolen, but one should stay vigilant and watch for any unusual activity and frequently monitor their accounts. The company stated that there is no significant impact on its financial status caused by the breach.