Weekly One-Shot: April 27 – May 3, 2025

This week's threats and trends.

In partnership with

Learn AI in 5 minutes a day

This is the easiest way for a busy person wanting to learn AI in as little time as possible:

  1. Sign up for The Rundown AI newsletter

  2. They send you 5-minute email updates on the latest AI news and how to use it

  3. You learn how to become 2x more productive by leveraging AI

This week’s cybersecurity landscape was marked by critical vulnerabilities, advanced phishing tactics, and sophisticated malware campaigns. Below is a curated summary of the top threats and trends to keep you informed and prepared.

Cybersecurity never sleeps—and just like a good thriller, the moment you get comfortable, something new pops out of the shadows. This week didn’t disappoint. From critical zero-days to AI-powered phishing kits and some seriously bold nation-state activity, the digital battleground was full of surprises.

But don’t stress—we’ve decoded the chaos and lined up the week’s biggest threats so you can stay sharp, stay informed, and stay ahead of the next twist.

Buckle up, and let’s break down the week in cybersecurity.

🔎 This Week in Cybersecurity

1. Commvault Zero-Day Exploited in Azure Breach (CVE-2025-3928)
A zero-day in Commvault’s web server enabled a compromise of Microsoft Azure systems. Although no customer backups were accessed, the attack raises concerns about lateral movement and trust in third-party platforms.
May 1 Newsletter

2. Darcula Phishing Kit Adds Generative AI Capabilities
The Darcula phishing-as-a-service kit now integrates generative AI to auto-create convincing phishing pages and smishing lures. The result? More believable attacks that adapt in real time.
April 29 Newsletter

3. Fake WordPress Security Plugin Grants Admin Access
A fake plugin posing as a WordPress security tool is giving threat actors admin-level access to infected websites. Once installed, attackers can steal data, deface pages, or plant malware.
May 1 Newsletter

4. North Korean Hackers Spread Malware via Fake Crypto Firms
North Korea-linked threat actors are using fake blockchain consulting companies to lure tech workers into malware traps—posing as employers and delivering malicious files during the “interview process.”
April 29 Newsletter

5. DarkWatchman Malware Targets Russian Networks
The DarkWatchman remote access trojan has resurfaced in phishing attacks targeting Russian energy, telecom, and industrial companies, as part of an ongoing financially motivated campaign.
May 1 Newsletter

6. Sheriff Backdoor Targets Ukrainian Defense Sector
A newly discovered backdoor named “Sheriff” is being used in phishing campaigns targeting Ukraine’s military and defense networks. The malware establishes persistence and steals sensitive system data.
May 1 Newsletter

7. Fake WordPress Security Advisory Used to Deploy Malware
Threat actors are impersonating WordPress support teams and sending fake advisories encouraging admins to install a malicious "security plugin." Spoiler alert: it's a backdoor.
May 1 Newsletter

8. Darcula Evolves into AI-Powered Smishing Platform
The Darcula phishing kit isn’t just living in emails anymore—it now pushes AI-generated SMS lures directly to mobile users, evading traditional email filters entirely.
April 29 Newsletter

9. Romance Scams and Investment Fraud Tied to North Korean Cybercrime
A campaign using fake romantic relationships and investment schemes has stolen billions from victims, with suspected ties to North Korea’s cybercrime apparatus.
May 1 Newsletter

10. North Korean Cyber Spies Infiltrate Global Job Market
Fake personas posing as remote developers are securing jobs in Western tech companies to funnel code, data, and access back to North Korean entities.
April 29 Newsletter

🔥 Biggest Threat This Week

Critical SAP NetWeaver Vulnerability Under Active Exploitation (CVE-2025-31324)

A critical vulnerability in SAP NetWeaver Visual Composer is being actively exploited, allowing unauthenticated attackers to upload arbitrary files and achieve remote code execution. Over 1,200 internet-exposed instances are vulnerable, with 474 servers already compromised.

  • Risk Level: Critical

  • Action Steps:

    • Apply SAP's security update immediately.

    • Restrict access to the "/developmentserver/metadatauploader" path.

    • Disable Visual Composer if unused.

    • Monitor logs for suspicious file upload activities.

    • Conduct a thorough investigation if a compromise is suspected.

  • Source: April 29 Newsletter
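The "restrict access" and "monitor logs" steps above are easy to state and easy to skip. The following is an added example, not code from the newsletter, SAP or any vendor: a small Python checker that reads web server access logs in the standard Apache/nginx "combined" format, flags every request to the `/developmentserver/metadatauploader` path named above, and ranks each hit by how much it matters to a responder. The severity scheme (accepted POST is high, rejected upload attempt is medium, plain probing is low) and the sample log lines are my own constructions; the source addresses are documentation ranges, not real indicators.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Path named in the SAP advisory summary above. Once Visual Composer is
# disabled or the path is restricted, legitimate traffic here should be rare.
WATCH_PATH = "/developmentserver/metadatauploader"

# Apache/nginx "combined" access log layout (assumption: your proxy/web server
# in front of NetWeaver logs in this format; adjust the regex otherwise).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log lines for demonstration; not from any real incident.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Apr/2025:10:14:02 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [28/Apr/2025:10:14:05 +0000] "POST /developmentserver/metadatauploader?sample=1 HTTP/1.1" 200 118 "-" "curl/8.5.0"
198.51.100.22 - - [28/Apr/2025:10:20:11 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0 "-" "python-requests/2.31"
192.0.2.9 - - [28/Apr/2025:10:21:40 +0000] "GET /irj/portal HTTP/1.1" 200 20481 "-" "Mozilla/5.0"
garbage line that does not parse
"""


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    severity: str


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return a Finding for requests to the watched upload path, else None."""
    # Compare only the path component; query strings vary and do not matter here.
    path = entry["path"].split("?", 1)[0]
    if path.rstrip("/").lower() != WATCH_PATH:
        return None
    if entry["method"] == "POST" and 200 <= entry["status"] < 300:
        severity = "high"    # upload accepted by the server: investigate the host
    elif entry["method"] in ("POST", "PUT"):
        severity = "medium"  # upload attempted but rejected (e.g. 403 from a restriction)
    else:
        severity = "low"     # GET/HEAD probing of the endpoint
    return Finding(entry["ip"], entry["ts"], entry["method"], path, entry["status"], severity)


def scan(lines):
    """Run every log line through the parser and classifier; skip unparseable lines."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings):
    """Per-source count of accepted uploads, useful for triage and blocking decisions."""
    return Counter(f.ip for f in findings if f.severity == "high")


if __name__ == "__main__":
    results = scan(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"[{f.severity:6}] {f.ts} {f.ip} {f.method} {f.path} -> {f.status}")
    print("accepted uploads by source:", dict(summarize(results)))
```

Feed it a real access log (`scan(open(path).read().splitlines())`) from the period before the patch was applied. After the path restriction is in place, upload attempts should show up as "medium" (rejected) hits; any "high" hit, an accepted POST to the endpoint, is the trigger for the "conduct a thorough investigation" step on that server rather than something to patch over and forget.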

Training Recommendation

Hack The Box – Enterprise Web Application Exploitation
This SAP NetWeaver flaw reminds us that web app exposures aren’t just for front-end frameworks. Whether you're defending against file uploads, insecure plugins, or session hijacks, HTB’s Web App Exploitation module offers the hands-on training you need to understand—and outsmart—real-world attackers.

Sign up here to get started: Web Application Exploitation Training

Wrapping Up:

Between fake plugins, AI-assisted phishing kits, and North Korean front companies, cybercriminals are refining their playbook. This week is a reminder that everything—from developer tools to job interviews—can be a potential attack vector. Don’t just harden your perimeter. Harden your people.

(P.S. Supporting our partners helps keep this newsletter running!)