---
title: "Life Insurance Breach, Notorious Malware Identified, Fake Ransom Scam, Cybersecurity News [March 03, 2025] | DuoCircle"
description: "Life Insurance Breach, Notorious Malware Identified, Fake Ransom Scam."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/announcements/cyber-security-news-update-week-11-of-2025/"
---

Quick Answer

Week ending March 3, 2025 covered: a New Era Life Insurance breach affecting 335,506 people after unauthorized access from December 9-18, 2024, with names, insurance IDs, birth dates, SSNs, and treatment data copied; Spamhaus reporting that bulletproof host Prospero OOO (linked to Securehost and BEARHOST) was routing traffic through Kaspersky's network, raising concerns even as Kaspersky denied a partnership and launched a review; fake BianLian ransom letters mailed via USPS to US C-suite executives demanding $250,000 to $500,000 in Bitcoin under threat of data leak, with no evidence of actual breach; the Eleven11bot IoT botnet infecting 86,000+ devices (US, UK, Mexico, Canada, Australia) for DDoS attacks reaching hundreds of millions of packets per second by exploiting weak credentials on Telnet and SSH; and Truffle Security finding 11,908 valid API keys and passwords (AWS root keys, MailChimp keys, Slack webhooks) hardcoded in the December 2024 Common Crawl archive used to train LLMs across 400 TB and 2.67 billion pages.

Life Insurance Breach, Notorious Malware Identified, Fake Ransom Scam, Cybersecurity News \[March 03, 2025\]

[Download episode](https://media.mailhop.org/duocircle/images/2025/03/Life-Insurance-Breach-Notorious-Malware-Identified-Fake-Ransom-Scam---Cybersecurity-News-March-03-2025.mp3)

![cybersecurity news](https://media.mailhop.org/duocircle/images/2025/03/sender-policy-framework-4532.jpg) 

Your wait is over as we’re back with **cybersecurity’s latest this week**! We’ll discuss a data breach impacting policyholders of a significant insurance organization, a notorious malware and spam host resurfacing under a new provider, a new scam targeting US executives using deceptive [postal mail](https://www.darkreading.com/threat-intelligence/bogus-bianlian-snail-mail-extortion-letters), a newly uncovered botnet that is infecting thousands of devices, and a concerning discovery of [sensitive API keys](https://hackread.com/postman-workspaces-leak-api-keys-sensitive-tokens/) within AI training datasets. Let’s not wait further and dive in!

## Life Insurance Data Breach Exposes Information of 335,000 Individuals

According to recent news headlines, [New Era Life Insurance](https://www.hipaajournal.com/new-era-life-insurance-companies-data-breach/) was allegedly the victim of a data breach in which the PHI ([Protected Health Information](https://cphs.berkeley.edu/hipaa/hipaa18.html)) of 335,506 people was put at risk. The affected branches of New Era Life Insurance Company include the Midwest branch of New Era, the **Philadelphia American Life Insurance Company**, and New Era Life Insurance Company, where the suspicious presence was detected around 18 December 2024.

Even after swift action was taken to isolate affected systems, the engaged **third-party security experts** have confirmed unauthorized access occurring between 9th and 18th December 2024. The [threat actors](/email-security/what-threat-actor-can-do-with-your-emails-without-password/) maliciously copied files from the organizational systems, including the data of agents, policyholders, and insurance carrier partners, especially names, insurance IDs, birth dates, [SSNs (Social Security Numbers)](https://www.investopedia.com/terms/s/ssn.asp), and treatment data.

[![malicious activity](https://media.mailhop.org/duocircle/images/2025/03/SMTP-server-mail-6341.jpg)](https://media.mailhop.org/duocircle/images/2025/03/SMTP-server-mail-6341.jpg)

If you were a part of this unfortunate [data breach](https://www.infosecurity-magazine.com/news/iot-data-breach-exposes-27-billion/), you will likely receive an individual notification letter, highlighting your exposed data, and complimentary credit monitoring and identity theft protection. Of course, New Era Insurance has made it clear that they have **implemented additional safeguards** to ensure that all systems are better protected and monitored, to avoid any such incidents in the future.

## Notorious Malware and Alleged Spam Host was Identified by Kaspersky Lab

This week, [Kaspersky Lab found itself at the center of a cybersecurity](https://tagteam.harvard.edu/hub%5Ffeeds/4281/feed%5Fitems/13246307?utm%5Fsource=chatgpt.com) controversy after researchers noticed that **Prospero OOO, a hosting provider** notorious for sheltering cybercriminals, was routing its traffic through Kaspersky’s networks.

Prospero, linked to the bulletproof hosting services Securehost and BEARHOST, has long been a hub for malware operations, phishing schemes, and botnet controllers. The connection was flagged by [Spamhaus, an enterprise that tracks malware](https://www.spamhaus.org/) and spam sources, which reported that Prospero suddenly started using Kaspersky’s infrastructure for internet access. Obviously, the discovery raised immediate concerns, and Kaspersky denied any direct partnership with the provider, suggesting that the routing may have occurred through **third-party telecom** networks it works with. They also launched an internal review and say they are working to prevent their network from being misused.

Meanwhile, [cybersecurity](/) experts argue that whether Kaspersky is knowingly providing services to Prospero or not, its **infrastructure playing** any role in supporting a known cybercriminal host is problematic, given the fact that Kaspersky software has already been banned for sale in the US.

## Fake BianLian Ransom Notes Sent to US CEOs in Postal Mail Scam

The BianLian [ransomware](/resources/locky-ransomware) gang is allegedly being impersonated by scammers who have taken a liking to sending fake ransom notes to international organizations using [snail mail via the US Postal Service](https://www.guidepointsecurity.com/blog/snail-mail-fail-fake-ransom-note-campaign-preys-on-fear/).

**Guidepoint Security** took the lead in [reporting these ransom notes](https://www.cisa.gov/news-events/alerts/2025/03/06/fbi-warns-data-extortion-scam-targeting-corporate-executives), which claim to be from the group and even carry a return address pointing to an office in Boston, Massachusetts. C-suite executives need to be aware of this scam because they are its prime targets and receive the ransom notes at their corporate mailing addresses. A giveaway is that the mail is often stamped with the words, “TIME SENSITIVE, READ IMMEDIATELY,” to create a sense of urgency, and the letter is tailored to the target’s industry, informing them of the allegedly stolen data in relation to their specific activities. The letters follow a style similar to that of BianLian but state that the senders are no longer negotiating and threaten data leakage if a [ransom demand](https://www.bbc.com/news/technology-57719820) (typically between $250,000 and $500,000) is not paid to a Bitcoin address.

[![threat](https://media.mailhop.org/duocircle/images/2025/03/SPF-record-checker-9632.jpg)](https://media.mailhop.org/duocircle/images/2025/03/SPF-record-checker-9632.jpg)

Mitigating this threat is straightforward: do not succumb to the extortion demand. The scammers use these letters to scare executives, and there have been no indications of an actual data breach occurring in any of the **recipient organizations**.

## Eleven11bot Botnet Compromises 86,000 Devices for DDoS Attacks

A new botnet malware also came to light this week, one that has already [infected over 86,000](https://www.cyber.nj.gov/Home/Components/News/News/1646/214) IoT (Internet of Things) devices for [DDoS attacks](https://www.cybersecuritydive.com/news/us-takedown-china-botnet/727501/).

**Security researchers report** that the botnet is being used for large-scale DDoS attacks, with telecommunication providers and online gaming servers among its primary victims. It has grown rapidly, with expert [Jérôme Meyer calling it one of the largest non-state actor](https://www.linkedin.com/posts/jeromemeyer%5Fnew-ddos-botnet-discovered-over-30000-hacked-activity-7301383140806119424-luty/) DDoS botnets seen in recent years.

According to The Shadowserver Foundation, most of these infected devices are located in the **US, U.K., Mexico, Canada, and Australia**, and the attacks have reached hundreds of millions of packets per second, sometimes lasting for days. Furthermore, GreyNoise and Censys have already identified 1,400 [IP (Internet Protocol) addresses](https://www.geeksforgeeks.org/what-is-internet-protocol-ip/) linked to the botnet.

Eleven11bot spreads by exploiting weak credentials, scanning networks for exposed Telnet and SSH ports, and using [brute-force attacks](https://www.scworld.com/news/next-level-brute-force-attack-uses-28-million-ips-to-target-vpns) on admin accounts. To stay safe against this threat, focus on changing default passwords, disabling remote access where it is unnecessary, and keeping firmware up to date. Since IoT devices often lack long-term support, regularly checking for **end-of-life status** and replacing outdated models is also important.
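On the detection side, the credential brute-forcing described above shows up in SSH authentication logs as bursts of failed logins from one source. The following is an added example, not code from the original article or from any of the researchers it cites: it assumes OpenSSH syslog-format lines, and the threshold of 5 failures in 60 seconds, the log year, and all sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH syslog format (not real traffic).
# All addresses come from the reserved documentation ranges.
SAMPLE_LOG = """\
Mar  3 10:15:01 gw sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
Mar  3 10:15:03 gw sshd[811]: Failed password for root from 203.0.113.7 port 40022 ssh2
Mar  3 10:15:05 gw sshd[812]: Failed password for invalid user support from 203.0.113.7 port 40031 ssh2
Mar  3 10:15:08 gw sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 40031 ssh2
Mar  3 10:15:11 gw sshd[813]: Failed password for root from 203.0.113.7 port 40040 ssh2
Mar  3 10:16:40 gw sshd[820]: Failed password for alice from 198.51.100.20 port 51515 ssh2
Mar  3 10:16:52 gw sshd[820]: Accepted password for alice from 198.51.100.20 port 51515 ssh2
Mar  3 11:00:00 gw sshd[830]: Failed password for root from 192.0.2.44 port 33001 ssh2
Mar  3 12:00:00 gw sshd[831]: Failed password for root from 192.0.2.44 port 33002 ssh2
Mar  3 13:00:00 gw sshd[832]: Failed password for root from 192.0.2.44 port 33003 ssh2
Mar  3 14:00:00 gw sshd[833]: Failed password for root from 192.0.2.44 port 33004 ssh2
Mar  3 15:00:00 gw sshd[834]: Failed password for root from 192.0.2.44 port 33005 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60), year=2025):
    """Return {source_ip: sorted usernames tried} for every source that
    produced at least `threshold` failed logins inside one `window`.

    Syslog timestamps carry no year, so `year` is supplied by the caller
    (an assumption of this example).
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    users = defaultdict(set)      # ip -> account names attempted so far
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and other messages
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        users[ip].add(m["user"])
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = sorted(users[ip])
    return flagged


if __name__ == "__main__":
    for ip, names in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: burst of failed logins, accounts tried: {', '.join(names)}")
```

A single mistyped password (198.51.100.20) and slow, hourly failures (192.0.2.44) stay below the burst threshold; catching the latter needs a longer window or a per-day count.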

[![Brute Force Attacks](https://media.mailhop.org/duocircle/images/2025/03/spf-permerror-3421.jpg)](https://media.mailhop.org/duocircle/images/2025/03/spf-permerror-3421.jpg)

## AI Training Dataset Leaks Nearly 12,000 API Keys and Passwords

Researchers have uncovered [nearly 12,000 valid API keys and passwords](https://www.sisainfosec.com/weekly-threat-watch/thousands-of-api-keys-and-passwords-discovered-in-publicly-available-llm-training-data/) within the Common Crawl dataset, which is a **massive open-source web archive** widely used for [AI model training](https://appian.com/blog/acp/ai/how-does-ai-model-training-work).

This discovery raised concerns about [LLMs (Large Language Models)](https://www.ibm.com/think/topics/large-language-models) being trained on sensitive, hardcoded credentials, potentially exposing them to security risks. Many organizations and services like OpenAI, Google, Meta, and Anthropic rely on web-scraped datasets, making it challenging to filter out confidential data completely. The [security enterprise Truffle Security](https://trufflesecurity.com/blog/research-finds-12-000-live-api-keys-and-passwords-in-deepseek-s-training-data) scanned 400 terabytes of data from 2.67 billion web pages in Common Crawl’s December 2024 archive, finding 11,908 secrets that were still valid. Among them were AWS root keys, MailChimp API keys, and Slack webhooks, many of which were hardcoded into front-end HTML and JavaScript instead of being securely stored using **server-side environment** variables.

While AI datasets undergo pre-processing to remove sensitive information, filtering out all confidential data is nearly impossible. Attackers could exploit exposed keys for phishing, [brand impersonation](https://www.securityweek.com/fbi-recommends-ad-blockers-cybercriminals-impersonate-brands-search-engine-ads/), or data theft. That’s why, in response, **Truffle Security contacted** affected vendors, helping revoke or rotate thousands of compromised credentials.
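A pre-deployment check for the three secret types named above (AWS keys, MailChimp API keys, Slack webhooks) in front-end HTML and JavaScript can catch them before a crawler does. This is an added example, not Truffle Security's scanner or code from the original article: the patterns reflect the commonly documented shapes of these credentials, and the file names, the `/api/subscribe` endpoint, and all sample values are constructed placeholders.

```python
import re

# Patterns for the commonly documented shapes of each credential type.
DETECTORS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "mailchimp_api_key": re.compile(r"\b[0-9a-f]{32}-us[0-9]{1,2}\b"),
    "slack_webhook": re.compile(
        r"https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+"
    ),
}

# Constructed front-end assets. The values are documentation-style
# placeholders, not live credentials.
SAMPLE_ASSETS = {
    "index.html": """\
<html>
<script>
  const cfg = {accessKeyId: "AKIAIOSFODNN7EXAMPLE"};
</script>
</html>
""",
    "app.js": """\
const MC_KEY = "0123456789abcdef0123456789abcdef-us21";
const HOOK = "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX";
fetch(HOOK, {method: "POST", body: "{}"});
""",
    # Corrected form: the secret stays on the server (for example in an
    # environment variable) and the browser calls a hypothetical endpoint.
    "app_fixed.js": """\
// Secrets stay server-side; the browser only calls our own endpoint.
fetch("/api/subscribe", {method: "POST", body: JSON.stringify({email})});
""",
}


def redact(secret, keep=4):
    """Keep a short prefix so the report itself does not leak the secret."""
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_assets(assets):
    """Return (file, line number, detector name, redacted match) tuples
    for every hardcoded secret found in a {filename: text} mapping."""
    findings = []
    for name, text in assets.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in DETECTORS.items():
                for m in pattern.finditer(line):
                    findings.append((name, lineno, kind, redact(m.group(0))))
    return findings


if __name__ == "__main__":
    for name, lineno, kind, shown in scan_assets(SAMPLE_ASSETS):
        print(f"{name}:{lineno}: {kind} {shown}")
```

Any credential this check finds in an already published page should be revoked or rotated, not just deleted from the source, since archived copies of the page persist.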


Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

