Weekly One-Shot: March 24 – March 30, 2025

This week's threats and trends.


Cybercriminals escalated their game this week—weaponizing drivers, exploiting zero-days, and infiltrating developer tools. Staying ahead requires constant vigilance, proactive patching, and deeper knowledge of adversary tactics.

So grab your coffee (or maybe your incident response plan), and let's unpack the threats that matter most:

This week in Cybersecurity

1. Google Patches Critical Chrome Zero-Day Exploited in Wild (CVE-2025-2783)
Google issued an urgent patch for a Chrome zero-day actively exploited to execute arbitrary code.
March 27 Newsletter

2. UAT-5918 Targets Taiwan’s Critical Infrastructure
Espionage actor UAT-5918 attacked Taiwan's energy and transport sectors with persistent malware.
March 25 Newsletter

3. Critical Next.js Vulnerability Enables Unauthorized Access (CVE-2025-29927)
A severe Next.js vulnerability allows attackers to bypass middleware, accessing protected API endpoints.
March 25 Newsletter

4. Raspberry Robin Worm Linked to Over 200 C2 Domains
Researchers found over 200 C2 domains tied to the Raspberry Robin worm, revealing extensive propagation capabilities.
March 27 Newsletter

5. Atlantis AIO Credential-Stuffing Tool Targets 140+ Platforms
Cybercriminals leverage Atlantis AIO to automate credential stuffing attacks on numerous popular platforms.
March 27 Newsletter

6. Malicious NPM Package Alters Git Repos to Inject Reverse Shells
A malicious NPM package compromises developer machines by injecting reverse-shell payloads into local Git repositories.
March 27 Newsletter

7. Cross-Platform .NET MAUI Malware Targets Indian Users
Attackers distribute malicious Android apps using .NET MAUI, targeting Indian users' financial data.
March 25 Newsletter

8. Critical Ingress-NGINX Vulnerability Impacts Kubernetes Clusters
Ingress-NGINX flaw potentially allows attackers unauthorized access to Kubernetes cluster services.
March 25 Newsletter

9. Two Malicious Extensions Removed from VSCode Marketplace
Malicious VSCode extensions were discovered stealing SSH keys and environment variables, compromising developers.
March 25 Newsletter

10. GitHub Warns of Critical Ruby-SAML Library Vulnerability
GitHub identified a critical Ruby-SAML flaw allowing attackers to bypass SSO authentication mechanisms.
March 13 Newsletter

🔥 Biggest Threat This Week

Medusa Ransomware Deploys Malicious Kernel-Mode Driver for Evasion

The Medusa ransomware group significantly elevated their threat profile by deploying a malicious kernel-mode driver named Abyssworker, signed with a stolen digital certificate. This advanced tactic allows the attackers to disable endpoint security tools, escalate privileges, and maintain deep, persistent control of compromised systems. The move marks a dangerous shift in ransomware attacks, emphasizing the critical importance of safeguarding kernel-level access and continuously auditing driver integrity to prevent devastating breaches.

  • Risk Level: Critical

  • MITRE Tactics: Defense Evasion, Persistence, Privilege Escalation

  • Action Steps: Strengthen policies around digitally signed drivers, regularly update endpoint detection tools, and monitor kernel-level activity for anomalies.
    March 25 Newsletter
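To make the "monitor kernel-level activity for anomalies" step concrete, here is an added example (written for this issue, not code from the newsletter, Medusa researchers or any vendor) that screens constructed Sysmon Event ID 6 driver-load records for the warning signs a signed-but-malicious driver tends to show: a revoked or otherwise non-Valid signature status, an unsigned image, a signer that is not on a vetted allowlist, or a load from outside the standard driver directory. The allowlist, file names, paths and signer strings are placeholders I made up for the sample, not indicators from the Medusa campaign.

```python
"""Flag suspicious kernel driver loads in constructed Sysmon Event ID 6 records.

Sysmon Event ID 6 ("Driver loaded") carries the fields used below (ImageLoaded,
Signed, Signature, SignatureStatus). Everything else here is an assumption for
illustration: the allowlist, the sample records and the heuristics.
"""

# Hypothetical allowlist of signers an organisation has vetted for kernel drivers.
TRUSTED_SIGNERS = {"Microsoft Windows", "Contoso Drivers Ltd"}

# Where legitimately installed drivers normally live (compared case-insensitively).
STANDARD_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed sample events in a flattened "Key: value|Key: value" layout.
# Driver names and signer strings are placeholders, not real indicators.
SAMPLE_EVENTS = """\
UtcTime: 2025-03-25 08:01:12.000|ImageLoaded: C:\\Windows\\System32\\drivers\\ndis.sys|Signed: true|Signature: Microsoft Windows|SignatureStatus: Valid
UtcTime: 2025-03-25 08:02:40.000|ImageLoaded: C:\\Users\\Public\\placeholder_driver.sys|Signed: true|Signature: Example Revoked Vendor|SignatureStatus: Revoked
UtcTime: 2025-03-25 08:03:05.000|ImageLoaded: C:\\Windows\\Temp\\helper.sys|Signed: false|Signature: |SignatureStatus: Unavailable
UtcTime: 2025-03-25 08:04:30.000|ImageLoaded: C:\\Windows\\System32\\drivers\\legit.sys|Signed: true|Signature: Unknown Signer Co|SignatureStatus: Valid
"""


def parse_event(line: str) -> dict:
    """Split one 'Key: value|Key: value' record into a dict of field -> value."""
    event = {}
    for field in line.strip().split("|"):
        key, _, value = field.partition(": ")
        event[key.strip()] = value.strip()
    return event


def assess(event: dict) -> list[str]:
    """Return the list of reasons a driver load looks suspicious (empty if none)."""
    reasons = []
    if event.get("Signed", "").lower() != "true":
        reasons.append("driver is unsigned")
    status = event.get("SignatureStatus", "")
    # A stolen certificate that has since been revoked shows up here, not as "unsigned".
    if status and status != "Valid":
        reasons.append(f"signature status is {status}")
    signer = event.get("Signature", "")
    if signer and signer not in TRUSTED_SIGNERS:
        reasons.append(f"signer '{signer}' not on allowlist")
    path = event.get("ImageLoaded", "").lower()
    if not path.startswith(STANDARD_DRIVER_DIR):
        reasons.append("loaded from outside the standard driver directory")
    return reasons


def scan(events_text: str) -> list[tuple[str, list[str]]]:
    """Parse every record and return (image path, reasons) for the suspicious ones."""
    alerts = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            alerts.append((event.get("ImageLoaded", "<unknown>"), reasons))
    return alerts


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(f"ALERT {image}")
        for reason in reasons:
            print(f"   - {reason}")
```

Run against the sample, the script clears the Microsoft-signed ndis.sys load and raises alerts on the other three records. The signer allowlist is the part worth tuning per environment: a "Valid" status alone is exactly what a stolen certificate buys an attacker, so the signer check and the load path are what give this heuristic its value.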

🛠️ Training Recommendation

Hack The Box - Advanced Windows Exploitation

As attackers like Medusa increasingly exploit advanced Windows internals—such as kernel-level vulnerabilities and signed malicious drivers—security teams need a deeper understanding of Windows exploitation techniques. This hands-on training provides crucial insights into identifying vulnerabilities, defending against sophisticated privilege escalation, and developing proactive strategies to fortify organizational defenses against advanced ransomware and persistent threats.

👉 Sign up here!

Wrapping Up:

Attackers constantly push boundaries, finding innovative methods like kernel-level exploits and software supply-chain infiltration. This week highlighted the urgency of not just patching promptly, but also continuously training your team on advanced adversary techniques. Stay vigilant—it's a digital jungle out there.

(P.S. Supporting our partners helps keep this newsletter running!)
