Cybercrime
,
Data Privacy
,
Data Security
Also: Signal Blocks Recall, Europe Sanctions Stark Industries
Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, alleged Qakbot leader indicted in the United States, Signal blocked Windows Recall and a judge ruled that U.S President Donald Trump illegally removed privacy watchdogs. Also, Ivanti and Palo Alto zero day exploits linked to same threat actor, the European Union sanctioned Stark Industries, Marks and Spencer said its cybersecurity incident will cost 300 million pounds before insurance, pro-Ukraine hackers claimed a cyberattack on Russian clinic, and an outbreak of PureRAT in Russia.
See Also: How Linking Identity, Data Security Can Help Cyber Response
US Indicts Russian Man for Leading Qakbot Malware Operation
U.S. federal prosecutors indicted a Russian man for leading the Qakbot malware operation since its inception in 2008 as a banking Trojan. The man, Rustam Rafailevich Gallyamov, 48, has allegedly spread Qakbot as recently as January through social engineering. Prosecutors additionally moved Thursday to seize roughly $24 million worth of Gallyamov’s digital assets.
An international law enforcement operation dubbed “Duck Hunt” by the FBI dismantled the Qakbot – also known as Qbot – botnet in August 2023, seizing dozens of servers and nearly $9 million worth of cryptocurrency (see: Operation ‘Duck Hunt’ Dismantles Qakbot).
An indictment unsealed Thursday says Gallyamov never stopped carrying out cyberattacks, relying on alternative tactics such as “spam bomb” campaigns that flooded corporate inboxes with unwanted emails. Gallyamov and his con-conspirators posed as IT workers tasked with stopping the influx of emails, tricking victims into installing malware.
Qakbot began life as a banking Trojan but Gallyamov in 2019 switched the operation to focusing on ransomware attacks, working with groups including REvil, Conti and Black Basta. Prosecutors continued to pursue Gallyamov after Operation Duck Hunt, obtaining in April a seizure warrant for more than 30 bitcoin and $700,000 of USDT tokens investigators say Gallyamov bought with victim extortion payments. Prosecutors moved Thursday for a judge to declare the assets forfeited by Gallyamov, with prosecutors stating they’ll use the money to make victims whole.
Gallyamov would face up to 25 years in federal prison, if U.S. authorities are able to arrest him outside of Russia, which doesn’t cooperate with international extradition requests.
Signal Blocks Windows Recall from Capturing Chats by Default
Signal updated its Windows desktop app to automatically block Microsoft’s Recall feature from capturing screenshots of conversations on the chat app. The new “screen security” setting, enabled by default, uses a DRM flag to prevent content in Signal windows from being recorded by Recall or other apps.
Recall, introduced by Microsoft in May 2024, continuously screenshots active windows to create a searchable log using artificial intelligence. Microsoft later made the feature opt-in and added filters, encryption and anti-abuse protections.
Signal developer Joshua Lund said the app had “no other option” but to block Recall at the system level. Recall has continued to spark privacy and security concerns even after Microsoft rolled out additional protection features. Researcher Kevin Beaumont in April wrote that, contrary to Microsoft marketing, it appears that biometric credentials aren’t necessary to open Recall, only to set it up. Recall also captured payment card numbers, he wrote.
U.S. Federal Judge Rules Trump Illegally Removed Privacy Watchdogs
A U.S. federal judge ruled that President Donald Trump unlawfully removed two Democratic members of the Privacy and Civil Liberties Oversight Board, an independent body that oversees U.S. surveillance and counterterrorism programs. U.S. District for the District of Columbia Judge Reggie Walton found the firings of Travis LeBlanc and Ed Felten violated statutory protections meant to preserve the board’s independence.
Walton warned that unchecked presidential removals could undermine the board’s oversight role. The Department of Justice is expected to appeal, while the White House argued Trump had constitutional authority to dismiss officials exercising executive power.
The removals, alongside the scheduled exit of PCLOB Chair Sharon Bradford Franklin, had left the board without a quorum, stalling its oversight work.
Ivanti and Palo Alto Zero-Days Linked to Same Threat Actor
A threat actor exploiting two Ivanti zero-day vulnerabilities this month also targeted Palo Alto Networks firewalls last year, say researchers at Wiz. The Ivanti flaws – CVE-2025-4427″ target=”_blank”>CVE-2025-4427 and CVE-2025-4428– affect Ivanti Endpoint Manager Mobile and enable remote code execution when chained together. The attacks began around May 16, shortly after proof-of-concept exploits became publically available.
Wiz researchers found the same command-and-control IP address, 77.221.158.154, was used in both Ivanti and past Palo Alto attacks. The address is hosted by Aeza International, a Russian company linked to dark web activity and whose CEO was arrested last month in Moscow.
In both campaigns, hackers used the Sliver C2 framework and deployed similar malicious payloads. No ransomware or data exfiltration has been detected in the Ivanti attacks so far.
Although researchers couldn’t tie the threat actor to a known group or nation-state, the reuse of infrastructure and proof of concept code suggests opportunistic targeting of edge devices before patches are widely applied.
EU Sanctions Hosting Firm Stark Industries for Aiding Russian Cyber Ops
The European Union sanctioned web-hosting provider Stark Industries and its leaders, CEO Iurie Neculiti and owner Ivan Neculiti, for supporting Russian hybrid threats, including disinformation and cyberattacks. The U.K.-registered company is known for offering VPS services in Europe and the United States with cryptocurrency payment options. The European Union described the company and the executives as “enablers of various Russian state-sponsored and affiliated actors.”
Stark Industries gained notoriety for allegedly hosting infrastructure used in pro-Russian operations and cyberattacks. German nonprofit Correctiv linked the firm to disinformation and DDoS campaigns following its 2022 launch, just before Russia’s invasion of Ukraine.
The sanctions are part of a broader European crackdown targeting 21 individuals and six entities involved in Russian propaganda, espionage and sabotage. Media outlets like Voice of Europe, Turkish firm AFA Medya also face sanctions. So do two fishing companies, Norebo JSC and Murman Sea Food, “which are part of a Russia-state sponsored surveillance campaign that have conducted espionage missions and sabotage on critical infrastructure, including undersea cables,” the European Union said. Sanctioned parties face asset freezes, travel bans and restrictions on European financial access.
M&S Reports 300M Pound Loss Tied to Supplier Cyberattack
Marks & Spencer said a cyber incident that disrupted operations will cost it roughly 300 million pounds, “before cost mitigation, insurance and trading actions.” The breach caused major disruption to product availability, delaying shipments and impacting in-store stock levels during a critical trading period (see: Scattered Spider Linked to Marks & Spencer Hack).
M&S disclosed the financial impact in an annual report, stating the incident severely affected operational efficiency. “We are seeking to make the most of the opportunity to accelerate the pace of improvement of our technology transformation and have found new and innovative ways of working,” the retailer said.
Phishing Attack Evades Detection Using NPM and CDN
A phishing campaign targeting Microsoft Office 365 credentials uses a blend of techniquesto bypass detection, said cybersecurity firm Fortra. Spotted by its Suspicious Email Analysis team, the attack involves a linked .html file, AES encryption, a trusted content delivery network and a malicious npm package. Fortra said this is the first time all these methods have been combined in a single O365 attack. The layered approach enabled the phishing email to evade traditional security tools without relying on standard obfuscation tactics, making it difficult to detect.
Pro-Ukraine Hackers Claim Cyberattack on Russian Clinic
A suspected cyberattack shut down operations at Lecardo Clinic in Russia’s Chuvashia republic for three days this week. The private hospital blamed a “technical failure,” but authorities said on a Telegram channel that hackers targeted software managing patient records. Pro-Ukraine group 4B1D claimed responsibility, saying it accessed the network through the clinic director’s account, wiped servers, deleted backups, encrypted and exported data and disabled over 100 computers.
The group shared leaked files, including an X-ray and patient data, on Telegram and said it sold around 2,000 records on the dark web. Authorities suspect other clinics using the same software may also be affected. Local media reported security lapses and delayed reporting, prompting a prosecutor-led investigation.
PureRAT Malware Surge Hits Russian Businesses
A surge in phishing attacks delivering PureRAT malware has impacted Russian businesses since early 2025, say researchers at Kaspersky. The campaign, which began in March 2023, escalated in the first half of 2025, with attack volumes quadrupling compared to the same period in 2024. Kaspersky researchers attribute this spike to the growing popularity of PureRAT as a malware-as-a-service tool, available for purchase and deployment by virtually any threat actor.
The attackers primarily distribute PureRAT through spam emails containing malicious RAR archives or links to such files. These archives are disguised using familiar financial and administrative keywords such as “doc,” “akt,” “sverka,” “buh” and “oplata,” often with a double extension like “.pdf.rar” to trick users into executing them.
Once executed, the malware installs itself under the name task.exe in the user’s AppData directory and sets up persistence using a VBS script placed in the Windows Startup folder. It then initiates a complex infection chain involving multiple executables and modules, culminating in full system compromise.
Other Stories From Last Week
With reporting from Information Security Media Group’s Akshaya Ashokan in southern England and Greg Sirico in New Jersey.
