---
title: "SourceForge Office Malware, Kellogg Clop Breach, Seattle Port Ransomware, Cybersecurity News [April 07, 2025] | DuoCircle"
description: "From crypto-mining malware hiding in Office tools to ransomware attacks shaking up ports and pension funds, this week’s cybersecurity bulletin has it all."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/announcements/cyber-security-news-update-week-16-of-2025/"
---

Quick Answer

Cybersecurity stories from the week of April 7, 2025: Kaspersky uncovered a fake Microsoft Office add-in called 'officepackage' hosted on SourceForge that delivered a password-protected ZIP containing a large MSI installer. Once run, it installed Netcat, AutoIT, and persistence registry entries, then ran a crypto miner and a clipper that swaps wallet addresses, exfiltrating data via Telegram. The Clop ransomware group claimed a breach at Kellogg through a Cleo file-transfer vulnerability. The Port of Seattle and SEA Airport disclosed a Rhysida ransomware incident affecting roughly 90,000 people. Coverage also included WhatsApp on Windows vulnerabilities and pension-fund-targeting attacks, illustrating how attackers continue to hide payloads inside trusted distribution channels.

SourceForge Office Malware, Kellogg Clop Breach, Seattle Port Ransomware, Cybersecurity News \[April 07, 2025\]


![cybersecurity news](https://media.mailhop.org/duocircle/images/2025/04/spf-validator-4643.jpg) 

From [crypto-mining malware](https://thehackernews.com/2024/05/redtail-crypto-mining-malware.html) hiding in Office tools to ransomware attacks shaking up ports and pension funds, this week’s [cybersecurity](/) bulletin has it all. Whether you use **WhatsApp on Windows** or manage your retirement savings online, these incidents are a reminder of how quickly threats evolve, and how easy it is to become a target.

## Malicious Microsoft Office Add-ins Distributed Through SourceForge

[Threat actors](/email-security/what-threat-actor-can-do-with-your-emails-without-password/) have been using SourceForge to spread fake Microsoft Office add-ins that install malware on victims’ systems, with the goal of stealing cryptocurrency and mining it by hijacking their **system resources**.

SourceForge is a well-known platform for **hosting and sharing open-source software**. Its open model allows anyone to publish projects, which can sometimes be misused. Such abuse is uncommon, but [Kaspersky recently discovered](https://securelist.com/miner-clipbanker-sourceforge-campaign/116088/) a malicious campaign using the site to deliver malware. The fake project, called “officepackage,” mimicked a real Microsoft tool and was made to look genuine. It showed up in search results for [Office add-ins](https://www.bleepingcomputer.com/news/security/fake-microsoft-office-add-in-tools-push-malware-via-sourceforge/) and was linked to a site hosted through SourceForge’s web hosting feature.

However, the download button led to a [password-protected ZIP file](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/bart-ransomware-locks-files-in-password-protected-zip-files) with a **large MSI installer** designed to dodge antivirus scans. Once launched, the installer deployed scripts that checked for security software, created persistence through registry changes, and installed tools like Netcat and AutoIT. These helped run a crypto miner and a clipper to [hijack wallet addresses](https://www.bleepingcomputer.com/news/security/massjacker-malware-uses-778-000-wallets-to-steal-cryptocurrency/). The attacker also used Telegram to send stolen data and deliver more malware if needed.

[![antivirus scans ](https://media.mailhop.org/duocircle/images/2025/04/spf-record-checker-7783.jpg)](https://media.mailhop.org/duocircle/images/2025/04/spf-record-checker-7783.jpg)

The best way to avoid such attacks is to always download tools from **official or verified sources**. Avoid third-party websites, and make sure your antivirus software is active and up to date.

## WK Kellogg Reports Data Breach Tied to Clop Ransomware

Food manufacturer [WK Kellogg Co has confirmed](https://mm.nh.gov/files/uploads/doj/remote-docs/wk-kellogg-20250404.pdf) that sensitive employee and vendor data was compromised during the widespread Cleo data theft _attacks in late 2024._

_They learned of the incident in February 2025 and immediately launched an investigation, contacting Cleo_. There was unauthorized access to the **organization’s file transfer servers** on 7 December 2024. These servers were used to transfer employee data to human resources vendors, and the threat actors made away with personal data including names and [SSNs (Social Security Numbers)](https://www.investopedia.com/terms/s/ssn.asp).

The flaws exploited in the attack ([CVE-2024-50623](https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory-CVE-2024-50623) and [CVE-2024-55956](https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Update-CVE-2024-55956)) allowed the attackers to breach Cleo’s systems and steal information. Although the company did not directly name the Clop ransomware group, the timeline aligns with Clop’s known activity. Moreover, WK Kellogg, which separated from Kellogg’s in 2023, earns $2.7 billion annually and was recently listed on **Clop’s extortion site**.

[![steal information](https://media.mailhop.org/duocircle/images/2025/04/spf-record-7783.jpg)](https://media.mailhop.org/duocircle/images/2025/04/spf-record-7783.jpg)

All the affected individuals were offered one year of free identity monitoring and fraud protection from Kroll, so you can claim it if you were affected. As an added measure, you **should monitor financial accounts**, place fraud alerts, and freeze credit files to prevent misuse.

## Ransomware Attack on Port of Seattle Affects 90,000 Individuals

The [Port of Seattle](https://www.portseattle.org/news/port-cyberattack-archive) is notifying around 90,000 people after a ransomware attack in August 2024 led to the theft of sensitive personal data. The breach affected key systems at **Seattle-Tacoma International Airport** and other services under the Port’s management.

The attack, attributed to the [Rhysida ransomware group](https://www.bleepingcomputer.com/news/security/rhysida-ransomware-behind-recent-attacks-on-healthcare/), disrupted reservation systems, display boards, the Port website, and the flySEA app. Flights were delayed, and most normal operations were affected. _The Port confirmed Rhysida’s involvement three weeks after the incident and decided not to pay the ransom, despite threats that stolen data would be leaked_. The stolen data includes combinations of names, birth dates, **SSNs (or parts of them)**, driver’s license details, and some medical information. The breach impacted employee, contractor, and parking data, and the Port clarified that it holds little data on passengers and that payment systems were not compromised.

**On 3 April 2025**, the agency began sending out letters to those impacted, and it has highlighted that operations with airlines, cruise lines, and federal agencies remained unaffected. If you were notified, look out for [suspicious account activity](https://www.msspalert.com/news/mssp-market-news-malicious-activity-spikes-after-crowdstrike-outage) and try placing fraud alerts.

[![sending out letters](https://media.mailhop.org/duocircle/images/2025/04/spf-record-check-7783.jpg)](https://media.mailhop.org/duocircle/images/2025/04/spf-record-check-7783.jpg)

## Australian Pension Funds Targeted in Credential Stuffing Surge

Over the weekend, several **major Australian superannuation funds** were hit by a wave of credential-stuffing attacks.

Hackers used stolen login credentials to access member accounts, leaving thousands of people at risk and some facing financial losses. According to the [ASFA (Association of Superannuation Funds of Australia)](https://www.superannuation.asn.au/media-release/asfa-statement-on-attempted-cyber-security-breaches/), a number of accounts were breached, though most attacks were blocked.

_Major funds like AustralianSuper, Hostplus, REST, Australian Retirement Trust, and Insignia Financial confirmed the breaches_. AustralianSuper also reported that **at least 600 member accounts** were accessed using stolen passwords; it then locked the accounts quickly and informed the members. REST, on the other hand, shut down its MemberAccess portal after detecting suspicious activity and said around 8,000 users had basic details exposed, though no funds were stolen.

Hostplus also confirmed no financial loss, but **Insignia Financial’s Expand Platform** saw around 100 accounts accessed through automated tools. Investigators haven’t found signs of fraud, though. HESTA and Mercer Super confirmed they were not impacted.

[![detecting suspicious activity](https://media.mailhop.org/duocircle/images/2025/04/sender-policy-framework-9982.jpg)](https://media.mailhop.org/duocircle/images/2025/04/sender-policy-framework-9982.jpg)

ASFA has launched a hotline and a security toolkit under its **Financial Crime Protection** Initiative to boost coordination across the sector. If you wish to stay protected against such attacks, do not reuse passwords, enable [multi-factor authentication](https://www.techtarget.com/searchsecurity/definition/multifactor-authentication-MFA), and keep your devices and apps up to date.

## PoisonSeed Phishing Campaign Linked to Emails Containing Wallet Seed Phrases

There’s also a new [phishing campaign](https://hackread.com/ongoing-phishing-campaign-targets-employees/) called ‘PoisonSeed,’ targeting users of **popular cryptocurrency platforms** like Coinbase and Ledger. As more people explore options like [buying crypto with PayPal](https://paybis.com/buy-bitcoin-with-paypal/), it’s important to stay vigilant and verify sources before entering personal information.

The threat actors are using compromised corporate **email marketing accounts** to send fake emails that include malicious wallet seed phrases. According to [SilentPush](https://www.silentpush.com/blog/poisonseed/), the campaign operates by first identifying people who manage or have access to CRM and [bulk email](https://www.campaignmonitor.com/resources/glossary/bulk-email/) tools. These individuals are then tricked into clicking on phishing emails sent from spoofed addresses, leading to fake login pages designed to steal credentials.

[![Phishing Emails from Spoofed Addresses](https://media.mailhop.org/duocircle/images/2025/04/sender-policy-framework-3785.jpg)](https://media.mailhop.org/duocircle/images/2025/04/sender-policy-framework-3785.jpg)

Once they gain access, the threat actors export mailing lists and create new [API keys](https://www.fortinet.com/resources/cyberglossary/api-key) to maintain control over the account. They then use these compromised accounts, from platforms like Mailchimp, SendGrid, HubSpot, Mailgun, and Zoho, to send crypto-themed phishing emails stating that the platform is moving to **self-custodial wallets**. _The email includes a wallet seed phrase and instructs users to enter it into a new wallet. But when people transfer their crypto into it, they lose access and the funds are stolen_.

**Legitimate platforms** do not send seed phrases, so always log in directly through the official website to verify any alert or request. Keep an eye out for [phishing emails](/content/phishing-prevention/phishing-email) and never click on unsolicited links.
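For teams that own a bulk-email account, the post-compromise steps described above (a mailing-list export and a newly created API key shortly after access is gained) can be correlated in the account's audit trail. The sketch below is an added example, not code from SilentPush or any email platform: the normalized event schema, the action names, the "login from an IP not seen before" trigger, and the function `find_takeover_patterns` are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed audit events in a hypothetical, normalized schema. Real platforms
# each expose their own audit fields and would need to be mapped to this shape.
SAMPLE_EVENTS = [
    {"ts": "2025-04-01T02:14:00", "account": "acme", "action": "login", "ip": "203.0.113.50"},
    {"ts": "2025-04-01T02:20:00", "account": "acme", "action": "list_export"},
    {"ts": "2025-04-01T02:23:00", "account": "acme", "action": "api_key_created"},
    {"ts": "2025-04-01T02:40:00", "account": "acme", "action": "campaign_sent"},
    # Routine admin work from a known address: must not alert.
    {"ts": "2025-04-01T09:00:00", "account": "globex", "action": "login", "ip": "192.0.2.10"},
    {"ts": "2025-04-01T09:10:00", "account": "globex", "action": "list_export"},
    {"ts": "2025-04-01T09:30:00", "account": "globex", "action": "api_key_created"},
    # Unfamiliar login, but the key is created two days later: outside the window.
    {"ts": "2025-04-01T10:00:00", "account": "initech", "action": "login", "ip": "198.51.100.7"},
    {"ts": "2025-04-01T10:05:00", "account": "initech", "action": "list_export"},
    {"ts": "2025-04-03T10:00:00", "account": "initech", "action": "api_key_created"},
]

# Constructed baseline of addresses each account normally logs in from.
KNOWN_IPS = {"acme": {"192.0.2.20"}, "globex": {"192.0.2.10"}, "initech": {"192.0.2.30"}}

WATCHED = {"list_export", "api_key_created"}  # both must follow the login
WINDOW = timedelta(hours=24)                  # assumed correlation window


def find_takeover_patterns(events, known_ips, window=WINDOW):
    """Flag accounts where a login from an unfamiliar IP is followed, within
    `window`, by both a mailing-list export and creation of a new API key."""
    findings = []
    tracking = {}  # account -> state opened by the unfamiliar login
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        acct, action = ev["account"], ev["action"]
        if action == "login":
            if ev["ip"] not in known_ips.get(acct, set()):
                tracking[acct] = {"start": ts, "login": ev["ts"],
                                  "ip": ev["ip"], "seen": set()}
            # A later login from a known IP does not clear the state: the
            # unfamiliar session may still be active alongside the owner's.
            continue
        state = tracking.get(acct)
        if state is None:
            continue
        if ts - state["start"] > window:
            del tracking[acct]  # too late to attribute to that login
            continue
        if action in WATCHED:
            state["seen"].add(action)
            if WATCHED <= state["seen"]:
                findings.append({"account": acct, "ip": state["ip"],
                                 "login": state["login"], "completed": ev["ts"]})
                del tracking[acct]
    return findings


if __name__ == "__main__":
    for finding in find_takeover_patterns(SAMPLE_EVENTS, KNOWN_IPS):
        print(finding)
```

A finding is a prompt to revoke unrecognized API keys and reset credentials on that account, since a key created by the intruder keeps working after a password change.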


Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

