Cybersecurity News April 2025 – Threats, Trends & Insights

April brought sweeping shifts in cybersecurity, from deep workforce changes to evolving ransomware tactics, all while the European grid faced extraordinary disruption.

As new vulnerabilities emerge and geopolitical tensions persist, attackers are testing boundaries – and defenders are racing to catch up.

Cybercrime Breaking News

  • M&S pauses all online shopping after a cyber attack shutters warehouses and tanks shares – how did it escalate so quickly?
  • DragonForce rebrands as a ransomware cartel – could letting hackers create their own “brands” become the new norm?
  • North Korea’s developer scam pivots to Europe – fake résumés, blockchain projects, and targeted extortion feed the regime’s wallet.

Cybersecurity Justice & Regulation

  • The EU unveils ProtectEU – will giving Europol FBI-like powers reshape law enforcement’s reach into encrypted spaces?
  • The U.S. joins the Pall Mall pact – will 22 countries finally hold spyware vendors accountable?
  • A $6.9M settlement after a ransomware attack on airport retailer Paradies – is legal pressure becoming the new breach cost?

Read on to explore April’s most critical developments in cybersecurity, crime, and digital policy.

Cybercrime Breaking News

The Cybersecurity and Infrastructure Security Agency (CISA) is preparing for workforce reductions that could affect up to 1,300 employees, including significant cuts to its National Risk Management Center. The Trump administration recently dismissed NSA Director Gen. Timothy Haugh and Deputy Director Wendy Noble, with Lt. Gen. William Hartman appointed as acting lead for both NSA and Cyber Command. MITRE’s contract to operate the CVE vulnerability catalog was set to expire, but has been extended for 11 months following confirmation from CISA. The CVE program, used globally to track cybersecurity flaws, will continue operations under the renewed contract until at least March 2026.

Ransomware groups DragonForce and Anubis are experimenting with new business models to attract more affiliates and increase profits, according to cybersecurity experts. DragonForce has shifted to a distributed “cartel” structure allowing affiliates to use its infrastructure without its ransomware, while Anubis offers three monetization options (encryption, data extortion, and access resale) paired with aggressive tactics like notifying regulators to pressure victims into paying.

U.S., Australia, Canada, and New Zealand warn that ransomware gangs and Russian hackers are increasingly using fast flux – a technique that rapidly rotates DNS records to mask the true location of malicious servers. This tactic helps cybercriminals evade detection, maintain botnets, and keep phishing and ransomware operations resilient and hard to disrupt.
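As an added illustration of the defensive side of the fast-flux advisory above (this is example code, not from the advisory or from AMATAS), the scorer below applies the three signals that distinguish fast flux from an ordinary CDN: many distinct IPs, spread across many ASNs, with short TTLs. It assumes resolver or passive-DNS records have already been enriched with each IP's ASN; the sample records and domain names are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample of ASN-enriched resolver records:
# (domain, resolved IP, TTL in seconds, ASN). Not real indicators.
SAMPLE_RECORDS = [
    ("example-flux.test", "203.0.113.10", 60, 64500),
    ("example-flux.test", "198.51.100.7", 60, 64501),
    ("example-flux.test", "192.0.2.33", 30, 64502),
    ("example-flux.test", "203.0.113.99", 60, 64503),
    ("example-flux.test", "198.51.100.200", 45, 64504),
    ("example-flux.test", "192.0.2.150", 60, 64505),
    ("cdn-like.test", "203.0.113.1", 300, 64500),
    ("cdn-like.test", "203.0.113.2", 300, 64500),
    ("cdn-like.test", "203.0.113.3", 300, 64500),
    ("static.test", "192.0.2.1", 86400, 64510),
]


def summarize(records):
    """Per domain: (distinct IPs, distinct ASNs, lowest TTL observed)."""
    ips = defaultdict(set)
    asns = defaultdict(set)
    min_ttl = {}
    for domain, ip, ttl, asn in records:
        ips[domain].add(ip)
        asns[domain].add(asn)
        min_ttl[domain] = min(ttl, min_ttl.get(domain, ttl))
    return {d: (len(ips[d]), len(asns[d]), min_ttl[d]) for d in ips}


def flag_fast_flux(records, min_ips=5, min_asns=3, max_ttl=300):
    """Return domains that show all three fast-flux signals at once.

    A legitimate CDN also answers with many IPs, but they usually sit in
    one or a few ASNs and carry longer TTLs; requiring ASN diversity AND a
    short TTL keeps false positives down. Thresholds are assumed defaults
    to tune against your own baseline.
    """
    summary = summarize(records)
    return sorted(
        d for d, (n_ip, n_asn, ttl) in summary.items()
        if n_ip >= min_ips and n_asn >= min_asns and ttl <= max_ttl
    )


if __name__ == "__main__":
    for d in flag_fast_flux(SAMPLE_RECORDS):
        print("possible fast flux:", d, summarize(SAMPLE_RECORDS)[d])
```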

After U.S. crackdowns, North Korea’s IT worker scam has shifted its focus to Europe, with operatives posing as remote developers across Germany, Portugal, and the UK – even targeting defense and government sectors. Google’s Threat Intelligence Group uncovered elaborate schemes involving fake identities, blockchain projects, and extortion tactics to funnel revenue back to the regime.

CISA has issued a warning about potential data breaches stemming from a January incident involving legacy Oracle systems, where hackers accessed and leaked credentials tied to over 140,000 tenants across various industries. While Oracle maintains that its core cloud infrastructure was not breached, investigators confirmed stolen usernames, encrypted passwords, and other sensitive materials are being circulated online.

Commvault has disclosed a critical vulnerability (CVE-2025-34028) in its Command Center Innovation Release (versions 11.38.0–11.38.19) that allows unauthenticated remote code execution via a server-side request forgery (SSRF) flaw.

Researchers have uncovered a new scam targeting Android users that combines phishing texts, voice-based social engineering, and a novel malware called SuperCard X, which abuses NFC technology to perform fraudulent cash-outs by tricking victims into tapping their payment cards on infected phones.

ASUS has disclosed a critical vulnerability (CVE-2025-2492) in certain router firmware versions with AiCloud enabled that could allow remote attackers to execute unauthorized functions, urging users to update affected firmware branches and strengthen password practices.

CISA and cybersecurity experts are warning of active exploitation of a critical vulnerability in CrushFTP, a widely used file transfer tool, after attackers began targeting unpatched systems.

Cybersecurity experts warn that the Moroccan cybercrime group Atlas Lion has been targeting major retailers by stealthily enrolling its own virtual machines into company cloud domains using stolen credentials – blending in with legitimate infrastructure to issue fraudulent gift cards while staying hidden in plain sight.

Data breaches affecting millions of Americans have been reported across the healthcare sector, with the largest involving Blue Shield of California, which disclosed that a misconfigured Google Analytics setup exposed protected health information of 4.7 million members to Google Ads between 2021 and 2024.

Dialysis provider DaVita is reviewing data leaked by the Interlock ransomware gang, which claims to have stolen 1.5 terabytes of patient information, following a cyber attack that encrypted parts of the company’s network and disrupted some operations.

Industrial tech giant Sensata Technologies confirmed a ransomware attack that disrupted manufacturing, shipping, and other operations across its global network, forcing systems offline and prompting an SEC disclosure.

British retailer Marks and Spencer confirmed it is managing a cyber incident that led to temporary changes in store operations and delays in services like Click and Collect, while investigations with external cybersecurity experts are ongoing. The company has since paused all online shopping, sent home hundreds of agency warehouse workers, and is working to restore full digital operations amid a share price drop and continued customer service disruptions.

Microsoft has patched a zero-day vulnerability in the Windows CLFS driver that was exploited in ransomware attacks targeting U.S. real estate firms and organizations in Spain, Saudi Arabia, and Venezuela. The flaw, CVE-2025-29824, allowed attackers to escalate privileges post-compromise using PipeMagic malware, enabling widespread ransomware deployment.

Cyberwar between Russia and Ukraine: Updates

Researchers warn that Russia-affiliated hackers are targeting NGOs focused on Ukrainian human rights by posing as European officials and using fake video call invites, stealing Microsoft 365 access via OAuth codes.

Cybersecurity Justice

The European Commission has unveiled ProtectEU, a sweeping internal security strategy that includes plans to give Europol FBI-like powers and explore controversial ways to grant law enforcement lawful access to encrypted data. While lacking detailed proposals, the strategy signals a shift toward deeper cooperation, intelligence sharing, and a more centralized EU response to evolving hybrid threats, cybercrime, and terrorism.

The United States will join 21 other nations in signing the Pall Mall pact, a voluntary agreement aimed at curbing abuses of commercial spyware and regulating the global market for cyber intrusion technologies.

A Vermont federal court is handling charges against an individual accused of operating the SmokeLoader malware, allegedly used to steal personal data and credentials from over 65,000 victims worldwide through a global infostealer scheme.

A Scattered Spider cybercrime group member has pleaded guilty to wire fraud and identity theft charges tied to a multimillion-dollar SIM swap scheme that targeted cryptocurrency wallets and corporate data across the U.S.

A Russian man has been sentenced to two years in a penal colony and fined for a paid DDoS attack targeting a company within Russia’s critical infrastructure.

Airport retailer Paradies Shops has agreed to a $6.9 million settlement to resolve claims related to a 2020 ransomware attack that exposed the personal data of 76,000 current and former employees, including names and Social Security numbers.

British law firm DPP Law has been fined £60,000 after hackers accessed its network through an unprotected admin account, stole over 32GB of highly sensitive client data, and leaked it on the dark web – an incident the firm only learned about after being alerted by the National Crime Agency.

FinTech Updates

The U.S. Office of the Comptroller of the Currency has disclosed a major cyber incident involving the breach of senior officials’ email accounts, exposing highly sensitive data tied to federally regulated financial institutions. Hackers accessed over 150,000 emails dating back to June 2023, prompting an ongoing investigation and urgent security reforms within the agency.

Japan’s Financial Services Agency has warned of a surge in unauthorized trades totaling over $650 million, linked to hacked brokerage accounts compromised through phishing sites impersonating legitimate securities firms.

Multiple North Korea-linked hacking groups stole approximately $137 million in a single-day phishing attack targeting TRON blockchain users, part of a broader financially motivated campaign aimed at Web3 and cryptocurrency sectors to fund the country’s strategic programs, according to Mandiant.

Cybersecurity News Across The Globe

  • Spain and Portugal experienced a widespread power outage, disrupting airports, hospitals, and telecommunications across both countries, with reports citing issues in the European electric grid. The blackout, which also affected parts of France, Andorra, and Belgium, is under investigation by grid operators, with some restoration underway and Red Eléctrica describing it as an “exceptional and completely extraordinary” event. The incident coincided with a cyber attack on Nova Scotia Power in Canada, which forced the energy provider to take some servers offline, though it reported no disruption to electricity delivery.
  • A Chinese state-owned firm previously sanctioned by the U.S. for its role in Uyghur rights abuses is now training police in Tibet on hacking and digital forensics, according to a watchdog report detailing a $1.32 million contract awarded to Meiya Pico for building two cyber labs at the Tibet Police College.
  • South African telecom provider Cell C has confirmed that hackers leaked customer data on the dark web (supposedly amounting to 2TB), while MTN Group, the continent’s largest mobile operator, also reported a recent cyber incident involving unauthorized access to customer information in several markets.

AMATAS will continue to monitor this space and deliver salient information regularly.

Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing office@amatas.com.

As always – be vigilant, stay alert, and think twice.
