---
title: "Ransomware Hits Hybrid, Data Theft Campaigns, Phishing Targets Companies, Cybersecurity News [August 25, 2025] | DuoCircle"
description: "Ransomware Hits Hybrid, Data Theft Campaigns, Phishing Targets Companies, Cybersecurity News [August 25."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/announcements/cyber-security-news-update-week-36-of-2025/"
---

Quick Answer

Cybersecurity headlines for the week of August 25, 2025. Hybrid-cloud ransomware attacks are increasing, with intruders exfiltrating large data volumes and wiping backups without deploying traditional encryptor binaries. Long-running data theft campaigns hit government networks across South and Southeast Asia. A global phishing campaign tracked as UpCrypter uses fake voicemail and purchase order lures to deliver remote access trojans, hitting multiple sectors. A South Asian APT group expanded its toolkit to target Linux systems alongside Windows. A US healthcare data breach exposed personal information for more than 600,000 patients, illustrating the continued exposure of medical providers.

Ransomware Hits Hybrid, Data Theft Campaigns, Phishing Targets Companies, Cybersecurity News \[August 25, 2025\]


![cybersecurity news](https://media.mailhop.org/duocircle/images/2025/09/dmarc-reporting-service-3456.jpg) 

[Cybersecurity](/) threats are on the rise again this week. Hybrid cloud ransomware attacks are becoming more and more frequent. Intruders are now stealing vast amounts of data and wiping out backups without even using traditional malware. Also, **government networks in Asia** have been targeted in long-running data theft campaigns. On top of all that, a global wave of phishing is hitting people with new malware delivered through [fake voicemails](https://thehackernews.com/2025/08/phishing-campaign-uses-upcrypter-in.html) and purchase orders. In South Asia, some skilled attackers are expanding their threat space to target Linux systems. And if that’s not enough, a massive healthcare data breach has exposed the personal details of more than 600,000 individuals.

## Targeting Hybrid Cloud Infrastructure, Ransomware on the Rise

_A financially motivated hacking group, Storm-0501, has been ramping up its cloud-focused ransomware and extortion attacks since 2021_. What makes them stand out is that they don’t use traditional ransomware to **encrypt on-site systems**. Instead, they target hybrid cloud environments, stealing vast amounts of data, wiping backups, and then demanding a ransom, all without ever deploying conventional malware.

According to [Microsoft researchers, Storm-0501](https://www.microsoft.com/en-us/security/blog/2025/08/27/storm-0501s-evolving-techniques-lead-to-cloud-based-ransomware/) uses stolen credentials and unpatched server flaws to move through networks and escalate its privileges. In one recent campaign, the attackers took advantage of [Entra Connect](https://learn.microsoft.com/en-gb/entra/fundamentals/whats-new#general-availability---restricted-permissions-on-directory-synchronization-accounts-dsa-role-in-microsoft-entra-connect-sync-and-microsoft-entra-cloud-sync) servers to hijack a Global Admin account that wasn’t protected by [Multifactor Authentication (MFA)](https://www.onelogin.com/learn/what-is-mfa), giving them access to critical Azure resources. After stealing data and destroying cloud assets, they **used Microsoft Teams** to extort their victims. _The group, known for its ties to Hive, BlackCat, and LockBit, continues to evolve as cloud adoption grows_.

[![malware](https://media.mailhop.org/duocircle/images/2025/09/spf-record-7732.jpg)](https://media.mailhop.org/duocircle/images/2025/09/spf-record-7732.jpg)

## Government Networks Targeted in New Data Theft Campaigns

_Researchers have recently linked a new cluster of threats called “ShadowSilk” to a series of attacks on government organizations in Central Asia and the Asia-Pacific region_. Group-IB, a cybersecurity firm, has found nearly 30 victims so far, with most of these campaigns focused on stealing data. The group’s activities have a lot in common with past operations by other [threat actors](/phishing-protection/threat-actors-exploit-google-calendar-for-phishing-and-spoofing/) like [YoroTrooper](https://blog.talosintelligence.com/attributing-yorotrooper/), [SturgeonPhisher](https://www.eset.com/au/about/newsroom/press-releases1/malware/eset-apt-activity-report-attacks-by-china-north-korea-and-iran-aligned-threat-actors-russia-eyes-ukraine-and-the-eu0/), and [Silent Lynx](https://www.virusbulletin.com/conference/vb2025/abstracts/silent-lynx-uncovering-cyber-espionage-campaign-central-asia/). It’s a truly unique group because it is made up of cross-border operators working together.

To get in, [ShadowSilk uses spear-phishing emails](https://www.group-ib.com/blog/shadowsilk/) or takes advantage of known weaknesses in **Drupal and WordPress sites**. Once they’re in, they use special tools to hide their command-and-control traffic by using Telegram bots, making it harder to detect. After they’ve gained access, they use a whole bunch of different tools, including web shells and well-known penetration-testing frameworks like Cobalt Strike and Metasploit, to move around the network, get higher-level access, and steal data. They’re clearly still active, with new victims being found as recently as July, and researchers believe they pose a long-term risk for data theft, especially in the government sector.

[![attack](https://media.mailhop.org/duocircle/images/2025/09/spf-record-check-7734.jpg)](https://media.mailhop.org/duocircle/images/2025/09/spf-record-check-7734.jpg)

## New Phishing Campaign Hits Cross-Functional Companies Globally

There’s a new phishing campaign out there that’s using a [malware loader called UpCrypter](https://www.fortinet.com/blog/threat-research/phishing-campaign-targeting-companies-via-upcrypter), and it’s been active since early August. This campaign is mainly hitting manufacturing, technology, healthcare, construction, and retail companies across **Europe, South Asia, and North America**. The attackers are using fake voicemail and purchase order emails to trick people into clicking on a link. Once a victim clicks, they’re sent to a fake page that looks very convincing because it embeds the company’s own logo. This page then prompts them to download a ZIP file containing a hidden JavaScript file.

This file secretly fetches [remote access tools (RATs)](https://www.malwarebytes.com/blog/threats/remote-access-trojan-rat) like **PureHVNC, DCRat, and Babylon RAT**, which give the attackers complete control over the host endpoint. The malware is also tricky to detect because it uses layered obfuscation and runs directly in the computer’s memory to avoid being found by security software. This campaign is happening at the same time as another one that’s using Google Classroom to send over 115,000 fraudulent emails to more than 13,500 organizations. Attackers are also getting smarter by using trusted services like [Microsoft 365 Direct Send](https://techcommunity.microsoft.com/blog/exchange/direct-send-vs-sending-directly-to-an-exchange-online-tenant/4439865) and OneNote to bypass security measures, which is a tactic they call “living-off-trusted-sites”.
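The lure in this section ends with a ZIP download that hides a JavaScript file, which a mail or web gateway can check for before the archive reaches a user. The following is an added example, not code from the original article or from the linked research: the extension lists, size limits, function names and the sample archive are assumptions constructed for illustration, and the sample contains only harmless placeholder text.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Script types that Windows hands to a script host when double-clicked.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
# Document-style extensions often placed in front of the real one as a decoy.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".wav", ".mp3", ".txt"}
MAX_DEPTH = 3                      # how many nested archives to follow
MAX_MEMBER_BYTES = 20 * 1024 ** 2  # never unpack a member larger than this


def scan_zip(data, depth=0, prefix=""):
    """Return (member_path, reason) findings for one ZIP passed as bytes."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix or "<archive>", "not a readable ZIP")]
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            last = suffixes[-1] if suffixes else ""
            if last in SCRIPT_EXTS:
                # "order.pdf.js" shows as "order.pdf" when extensions are hidden.
                decoy = len(suffixes) > 1 and suffixes[-2] in DECOY_EXTS
                reason = "script with decoy extension" if decoy else "script file"
                findings.append((path, reason))
            elif last == ".zip":
                if info.flag_bits & 0x1:  # bit 0 set: member is encrypted
                    findings.append((path, "encrypted nested archive, not inspected"))
                elif depth + 1 >= MAX_DEPTH or info.file_size > MAX_MEMBER_BYTES:
                    findings.append((path, "nested archive too deep or too large"))
                else:
                    findings += scan_zip(archive.read(info), depth + 1, path + "!")
    return findings


def build_sample():
    """Constructed sample: a harmless ZIP shaped like the lure described above."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("PO_4471.pdf.js", "// constructed placeholder, no payload\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", "constructed sample\n")
        z.writestr("Voicemail/msg_0825.js", "// constructed placeholder\n")
        z.writestr("attachments/order.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for member, reason in scan_zip(build_sample()):
        print(f"{reason}: {member}")
```

A finding here is a reason to quarantine or detonate the archive, not proof of malice; script files in ZIP attachments are rare enough in normal business mail that most organizations can block them outright.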

[![Malicious Shortcut File Threats](https://media.mailhop.org/duocircle/images/2025/09/spf-record-generator-5674.jpg)](https://media.mailhop.org/duocircle/images/2025/09/spf-record-generator-5674.jpg)

## Advanced Threat Group Upgrades Tactics in South Asia

New cyberattacks from a group called [Transparent Tribe (also known as APT36)](https://www.cloudsek.com/blog/investigation-report-apt36-malware-campaign-using-desktop-entry-files-and-google-drive-payload-delivery) are targeting South Asian government organizations once again. This time, however, they are going after BOSS Linux as well as Windows systems. The attack starts with [spear-phishing emails](/content/spear-phishing-protection/spear-phishing-examples) that look like typical meeting notices. _When you open the malicious shortcut file attached, it secretly downloads a harmful program from the attackers while showing a fake PDF to keep you from getting suspicious_.

This new [Go-based malware](https://thehackernews.com/2025/05/go-based-malware-deploys-xmrig-miner-on.html) is designed to stick around, using things like cron jobs to maintain a connection to a command server. The malware is linked to the group’s Poseidon backdoor, which helps them collect credentials, steal data, and keep long-term access. The campaign shows how much more **advanced Transparent Tribe** is getting, especially with its [sub-cluster SideCopy](https://hunt.io/blog/apt-sidewinder-netlify-government-phishing), which keeps improving its phishing and malware delivery to work across different systems.

[![data breach](https://media.mailhop.org/duocircle/images/2025/09/spf-record-tester-7732.jpg)](https://media.mailhop.org/duocircle/images/2025/09/spf-record-tester-7732.jpg)

## A Massive Data Breach Impacts Over 600,000 Patients’ PII

A **North American company** that provides dining, environmental, and support services to healthcare facilities has [confirmed a significant data breach](https://www.hipaajournal.com/healthcare-services-group-data-breach/) that exposed the personal information of 624,496 people, including almost 4,000 residents of Maine. The company works with more than 3,000 facilities across 48 states and employs about 45,000 staff. The incident was first disclosed to the SEC in October 2024, after suspicious activity was found in its systems. Investigators later determined that hackers had gained access between September 27 and October 24 and stolen files during that time.

In June 2025, the company confirmed that sensitive information was taken, including names, dates of birth, [Social Security Numbers (SSN)](https://www.investopedia.com/terms/s/ssn.asp), driver’s license and state ID numbers, and financial account details. Notification letters began going out to those affected on **August 25, 2025**, and those affected are being offered free credit monitoring and identity theft protection. _The company stated that there is no proof of misuse of the data stolen, but one should stay vigilant and watch for any unusual activity and frequently monitor their accounts_. The company stated that there is no significant impact on its financial status caused by the breach.


![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

