---
title: "RedCurl Ransomware Targets, CS2 Steam Phishing, Fake Converter Cyberattacks , Cybersecurity News [March 24, 2025] | DuoCircle"
description: "RedCurl Ransomware Targets, CS2 Steam Phishing, Fake Converter Cyberattacks, Cybersecurity News [March 24."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/announcements/cyber-security-news-update-week-14-of-2025/"
---

Quick Answer

Week ending March 24, 2025 covered: the RedCurl espionage group pivoting to ransomware with QWCrypt against Hyper-V virtual machines, delivered via phishing .IMG attachments that abuse a signed Adobe executable for DLL side-loading; a Browser-in-the-Browser phishing campaign against Counter-Strike 2 players promoted on YouTube with fake CS2 loot, where the popup login window cannot be moved or resized and credentials are resold on grey-market sites; an FBI Denver warning about fake online file-converter sites delivering RATs and Gootloader (some leading to ransomware), with names that swap a single letter or change 'CO' to 'INC' to imitate real services; the cross-platform VanHelsing ransomware (C++, ChaCha20 encryption) hitting Windows, ARM, BSD, Linux, and ESXi since March 16, demanding $500,000 with 80/20 affiliate splits and three victims listed; and ReversingLabs finding two malicious npm packages, ethers-provider2 and ethers-providerz, that patch the legitimate ethers package's provider-jsonrpc.js to install a persistent reverse-shell backdoor via a modified ssh2 client.

RedCurl Ransomware Targets, CS2 Steam Phishing, Fake Converter Cyberattacks, Cybersecurity News \[March 24, 2025\]


[ Download episode](https://media.mailhop.org/duocircle/images/2025/04/RedCurl-Ransomware-Targets-CS2-Steam-Phishing-Fake-Converter-Cyberattacks---Cybersecurity-News-March-24-2025.mp3) 


![cybersecurity news](https://media.mailhop.org/duocircle/images/2025/04/spf-record-tester-5621.jpg) 

From hackers targeting Hyper-V servers to fake file converters spreading malware, there’s plenty to watch out for. There’s also news of [Counter-Strike 2](https://www.bleepingcomputer.com/news/security/browser-in-the-browser-attacks-target-cs2-players-steam-accounts/) players being tricked into handing over their Steam accounts, and a new ransomware strain is hitting multiple operating systems at once. Even npm packages aren’t safe, with attackers sneaking in backdoors through **open-source libraries**. Stay ahead of these risks with our latest [cybersecurity](/) bulletin, because knowing what’s out there is the first step to staying secure.

## RedCurl Hackers Develop Ransomware to Encrypt Hyper-V Servers

Let us begin with the shift in tactics of the [RedCurl](https://www.halcyon.ai/blog/threat-actor-redcurl-develops-ransomware-to-encrypt-hyper-v-servers) cyberespionage group. The threat actors are now **encrypting Hyper-V virtual machines** using a newly developed ransomware variant called “QWCrypt.”

The new tactics were analysed and shared by researchers at [Bitdefender](https://www.bitdefender.com/en-us/blog/businessinsights/redcurl-qwcrypt-ransomware-technical-deep-dive), who say that RedCurl’s attacks begin with phishing emails containing malicious “.IMG” attachments (often disguised as resumes). These files exploit [DLL (Dynamic Link Library)](https://www.techtarget.com/searchwindowsserver/definition/dynamic-link-library-DLL) sideloading vulnerabilities using a legitimate Adobe executable, which then downloads the necessary payload and establishes persistence on the compromised system. The group also relies on “**living-off-the-land**” techniques, using built-in Windows tools to evade detection, and on custom scripts and tunnelling tools for lateral movement.

Bitdefender continues to monitor the threat landscape and is expected to release specific countermeasures following a thorough investigation. For the time being, organisations should implement strong [email security](/content/email-security-services) measures to filter out [phishing attempts](https://www.utilitydive.com/news/utilities-on-high-alert-as-phishing-attempts-cyber-probing-spike-related-t/573698/) and restrict the execution of unverified files. Regularly updating and patching systems, segmenting network access, and using **behaviour-based detection tools** will also go a long way.

[![phishing attempts](https://media.mailhop.org/duocircle/images/2025/04/spf-record-tester-4456.jpg)](/announcements/cyber-security-news-update-week-14-of-2025/attachment/tiny-hacker-character-with-rods-phishing-personal-data-in-huge-laptop-via-internet-email-spoofing-or-fishing-messages)

## Browser-in-the-Browser Attacks Put CS2 Players’ Steam Accounts At Risk

A new phishing campaign is going after Counter-Strike 2 (CS2) players using a deceptive technique called Browser-in-the-Browser (BitB) attacks.

The threat actors behind this alleged campaign are creating [fake Steam login popups](https://www.forbes.com/sites/daveywinder/2025/03/26/hacking-gamers-first-person-shooters-targeted-by-new-browser-attack/) that look almost identical to the real thing. The end goal? Steal valuable Steam accounts filled with in-game skins and items, which are then resold for significant amounts of money. **Security researchers** at [Silent Push](https://www.silentpush.com/blog/browser-in-the-browser-attacks/) discovered that the phishing campaign is primarily spreading through YouTube videos and other promotional channels. _Victims are lured in with offers of free CS2 loot cases containing skins, an attractive bait for dedicated players_.

Players are asked to enter their [Steam login information](https://www.infosecurity-magazine.com/news/hackers-steal-steam-logins-bitb/) when they arrive at the phishing website, which is where the BitB attack is used. Any credentials entered in this phony login window are transmitted straight to the attackers, who resell them on **grey market websites**. The [fake window replicates](https://www.yahoo.com/news/years-long-scam-began-fake-161738176.html?guccounter=1&guce%5Freferrer=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8&guce%5Freferrer%5Fsig=AQAAAM2%5FHlSsWzxwKBl6RKdi09Ve9H3IDi7XGs5QQILO60dsKU8DikUXLlTald%5FbaQhJnarzqNa4rHWuqyopQpmOVJ1573ynCOFS7jDBPyP73YWlsO8ZRYGyAOxezQNQbTU6pDxrNIBn75hhHzYTNOy564x3kNHw0Qhmvqkhtj143s4G) the actual Steam interface, including the URL bar.

You should never enter login credentials in a popup window before **verifying its authenticity**. Check whether you can resize or move the window: fake BitB popups usually cannot be adjusted.

## FBI Alerts Public to Cyberattacks via Fake Document Converter Sites

The [FBI issued a warning](https://www.fbi.gov/contact-us/field-offices/denver/news/fbi-denver-warns-of-online-file-converter-scam) describing how threat actors are using fake online document converters to steal sensitive information and distribute malware.

These [fraud websites](https://www.forbes.com/sites/zakdoffman/2025/03/27/fbi-warns-chrome-edge-safari-users-check-this-to-stop-attacks/) offer free file conversion services (like changing a **Word document into a PDF**) but infect people’s devices with malware or extract personal information from the documents they upload. The [threat actors](/email-security/what-threat-actor-can-do-with-your-emails-without-password/) make the names of these websites similar to real ones. Sometimes, they change just a single letter or add terms like “INC” instead of “CO” to appear genuine.

When you upload a **file for conversion**, the resulting download contains hidden malware like [RATs (Remote Access Trojans)](https://www.malwarebytes.com/blog/threats/remote-access-trojan-rat) or loaders like the Gootloader. _Some of these attacks have even led to ransomware infections where threat actors gain access to organisational networks and encrypted data_. [Meta platform X](https://x.com/bushidotoken/status/1900608179760693664?s=61&t=hwS5xcISslT5UvqlKf-9Wg) and [Malwarebytes](https://www.malwarebytes.com/blog/news/2025/03/warning-over-free-online-file-converters-that-actually-install-malware?cjdata=MXxZfFl8WXww&c=cj&k=14452255&utm%5Fsource=cj&utm%5Fmedium=aff&utm%5Fcontent=14452255&utm%5Fcampaign=AFF-CJ%5F4829349&tracking=cj&x-wts=cj&x-affid=4829349&ADDITIONAL%5FAFFID=cj-4829349&cjevent=889d3f4603c211f0839000320a18b8f8&clickid=889d3f4603c211f0839000320a18b8f8&pid=cj%5Fint) online platform have recently published some examples of domains involved in this type of scam.

Many people rely on such tools for quick fixes and getting work done faster, so they need to be cautious! It’s best to stick to **well-known, reputable services** and always verify a website before uploading any sensitive documents. If you suspect you’ve encountered a fraudulent converter, report it to the [FBI’s IC3](https://www.ic3.gov/) (Internet Crime Complaint Center).
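The naming trick described above (a single changed letter, or “INC” in place of “CO”) can be checked mechanically against a list of approved services. The sketch below is an added example, not code from the FBI or the cited reports; the names are constructed placeholders, and `classify` and its verdict labels are illustrative.

```javascript
// Added example: all service names used with this code are constructed.
// The corporate-term swap described on this page ("INC" instead of "CO").
const CORPORATE_TOKENS = new Set(["co", "inc"]);

// "Example-Convert CO" -> ["example", "convert", "co"]
const tokens = (name) => name.toLowerCase().split(/[^a-z0-9]+/).filter(Boolean);

// Name with corporate terms removed, so "... CO" and "... INC" compare equal.
const stem = (toks) => toks.filter((t) => !CORPORATE_TOKENS.has(t)).join("");

// Levenshtein distance, computed one row at a time.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const row = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(prev[j] + 1, row[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = row;
  }
  return prev[b.length];
}

// Compare a site name seen in proxy or DNS logs with the approved list.
function classify(candidate, approvedNames) {
  const cand = tokens(candidate);
  const approved = approvedNames.map((name) => ({ name, toks: tokens(name) }));
  // An exact name match only means "on the list"; it does not prove the site is genuine.
  const exact = approved.find((a) => a.toks.join("") === cand.join(""));
  if (exact) return { verdict: "exact-match", approved: exact.name };
  for (const a of approved) {
    if (stem(a.toks) === stem(cand)) return { verdict: "suffix-swap", approved: a.name };
    if (editDistance(a.toks.join(""), cand.join("")) === 1) {
      return { verdict: "one-letter", approved: a.name };
    }
  }
  return { verdict: "unknown" };
}

// Constructed approved list and lookalikes.
const APPROVED = ["Example Convert CO"];
for (const seen of ["Example Convert INC", "Exanple Convert CO", "Totally Other Tool"]) {
  console.log(seen, "->", classify(seen, APPROVED).verdict);
}
```

The suffix check works on separated tokens only, so a name that fuses the corporate term into one word is caught by neither rule and comes back as `unknown`.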

## VanHelsing Ransomware Strikes Windows, ARM, and ESXi Systems

There’s also a [new ransomware](https://www.halcyon.ai/blog/cross-platform-vanhelsing-ransomware-targets-windows-linux-and-vmware-esxi) that’s been causing all sorts of harm to operating systems, including Windows, Linux, BSD, ARM, and ESXi.

Security researchers from [CYFIRMA](https://www.cyfirma.com/research/vanhelsing-ransomware/) and [Check Point](https://research.checkpoint.com/2025/vanhelsing-new-raas-in-town/) Research have been analysing the group’s methods, uncovering how the malware is built and deployed. The affiliates using the ransomware keep 80% of the payments and the **operators take a 20% cut**, with all transactions secured via blockchain-based escrow. _The attackers have already listed three victims on their dark web extortion portal: a Texas city and two tech firms. They demand a ransom of $500,000, and threaten to leak the stolen data if payment isn’t made_.

The malware is written in C++ and first appeared in active attacks on 16 March. It encrypts files using the **ChaCha20 algorithm**, generating unique [encryption keys](https://www.webopedia.com/definitions/encryption-key/) for each file. What makes it especially dangerous is the stealth mode it offers that allows the threat actors to divide the encryption and renaming tasks, making it that much harder for security software to detect.

[![Encryption Keys](https://media.mailhop.org/duocircle/images/2025/04/dmarc-report-6483.jpg)](https://media.mailhop.org/duocircle/images/2025/04/dmarc-report-6483.jpg)

So, how do you keep this threat at bay? By keeping operating systems and software up to date, regularly backing up important data, and using **advanced endpoint protection**.

## Malicious npm Packages Inject Persistent Backdoor in Legitimate Software

This week, **security researchers** uncovered two malicious packages hosted on the [npm repository](https://github.com/npm), [“ethers-provider2”](https://secure.software/npm/packages/ethers-provider2/1.18.0) and “[ethers-providerz](https://secure.software/npm/packages/ethers-providerz?%5Fgl=1%2A136mjy3%2A%5Fgcl%5Fau%2AMTgxODQ0MjgyNC4xNzQzMDcxMDc2),” which stealthily modify locally installed software to embed a persistent reverse shell backdoor.

It was lucky that [ReversingLabs identified](https://www.reversinglabs.com/blog/malicious-npm-patch-delivers-reverse-shell) this during a routine security investigation into the open-source supply chain. The “**ethers-provider2**” package leverages the widely used “ssh2” but modifies its installation script (“install.js”) to fetch and execute a second-stage payload. Then, this payload searches for the legitimate “ethers” package and replaces its “provider-jsonrpc.js” file with a trojanised version.

_Using a modified SSH client, the modified file creates a persistent reverse shell and then retrieves a third-stage payload from an external server_. The “ethers-providerz” package uses a similar tactic, focusing on the “@ethersproject/providers” package. Early versions of the package had implementation errors preventing full execution, but the author has since removed it from npm, potentially with plans to **reintroduce a functional version**. Additionally, two other [suspicious packages](https://www.infosecurity-magazine.com/news/malicious-npm-packages-deliver/), “reproduction-hardhat” and “@theoretical123/providers”, appear to be linked to the same campaign.
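Because this campaign changes a file inside a different, legitimate package, a defender's check needs to cover both the reported package names and the integrity of the patched file. The Node.js sketch below is an added example, not ReversingLabs' tooling: it assumes you hold SHA-256 baselines recorded from a known-good install, the `lib.commonjs/providers/` path is an assumed layout, and the sample tree is constructed in a temp directory.

```javascript
const crypto = require("crypto");
const fs = require("fs");
const os = require("os");
const path = require("path");

// Package names this page reports as part of the campaign.
const REPORTED = new Set(["ethers-provider2", "ethers-providerz",
  "reproduction-hardhat", "@theoretical123/providers"]);
const LIFECYCLE = ["preinstall", "install", "postinstall"];

const sha256 = (file) =>
  crypto.createHash("sha256").update(fs.readFileSync(file)).digest("hex");
const isDir = (p) => fs.existsSync(p) && fs.statSync(p).isDirectory();

// Yield [name, dir] for every installed package, scoped and nested ones included.
function* packages(nodeModules) {
  if (!isDir(nodeModules)) return;
  for (const entry of fs.readdirSync(nodeModules)) {
    const dir = path.join(nodeModules, entry);
    if (entry.startsWith(".") || !isDir(dir)) continue;
    const members = entry.startsWith("@")
      ? fs.readdirSync(dir).map((sub) => [`${entry}/${sub}`, path.join(dir, sub)])
      : [[entry, dir]];
    for (const [name, pkgDir] of members) {
      yield [name, pkgDir];
      yield* packages(path.join(pkgDir, "node_modules"));
    }
  }
}

// baseline maps a path relative to node_modules to its known-good SHA-256.
function audit(nodeModules, baseline) {
  const findings = [];
  for (const [name, dir] of packages(nodeModules)) {
    if (REPORTED.has(name)) findings.push({ type: "reported-package", name });
    const manifest = path.join(dir, "package.json");
    if (!fs.existsSync(manifest)) continue;
    const scripts = JSON.parse(fs.readFileSync(manifest, "utf8")).scripts || {};
    for (const hook of LIFECYCLE) {
      if (scripts[hook]) findings.push({ type: "install-script", name, hook });
    }
  }
  // Hash the files the campaign patches, whether or not a reported package is present.
  for (const [rel, expected] of Object.entries(baseline)) {
    const file = path.join(nodeModules, rel);
    const actual = fs.existsSync(file) ? sha256(file) : "missing";
    if (actual !== expected) findings.push({ type: "hash-mismatch", file: rel });
  }
  return findings;
}

// Constructed sample: record a clean hash, then add a reported package and alter the file.
function sampleAudit() {
  const nm = path.join(fs.mkdtempSync(path.join(os.tmpdir(), "audit-")), "node_modules");
  const write = (rel, text) => {
    const file = path.join(nm, rel);
    fs.mkdirSync(path.dirname(file), { recursive: true });
    fs.writeFileSync(file, text);
  };
  const target = "ethers/lib.commonjs/providers/provider-jsonrpc.js"; // assumed layout
  write("ethers/package.json", JSON.stringify({ name: "ethers" }));
  write(target, "module.exports = {};\n");
  const baseline = { [target]: sha256(path.join(nm, target)) };
  write("ethers-provider2/package.json",
    JSON.stringify({ name: "ethers-provider2", scripts: { install: "node install.js" } }));
  write(target, "module.exports = {}; /* constructed change */\n");
  return audit(nm, baseline);
}

console.log(JSON.stringify(sampleAudit(), null, 2));
```

Many legitimate packages also declare install hooks, so `install-script` findings are a review queue, not a verdict; the `hash-mismatch` finding is the one tied to the file replacement described above.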


![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

