Mycomputerspot Security Newsletter
Weekly One-Shot: May 18 – May 24, 2025
This week's threats and trends.
Start learning AI in 2025
Everyone talks about AI, but no one has the time to learn it. So, we found the easiest way to learn AI in as little time as possible: The Rundown AI.
It's a free AI newsletter that keeps you up-to-date on the latest AI news, and teaches you how to apply it in just 5 minutes a day.
Plus, complete the quiz after signing up and they’ll recommend the best AI tools, guides, and courses – tailored to your needs.

Cybersecurity never sleeps—and just like a good thriller, the moment you get comfortable, something new pops out of the shadows. This week didn’t disappoint. From zero-days in everyday apps to botnets hiding in digital signage and ransomware creeping in through your ERP software, attackers reminded us just how creative and relentless they can be.
But don’t stress—we’ve decoded the chaos and lined up the week’s biggest threats so you can stay sharp, stay informed, and stay ahead of the next twist.
Let’s break down this week’s events:
This week in Cybersecurity
1. Critical Windows Server 2025 dMSA Privilege Escalation
A privilege escalation flaw in Windows Server 2025’s delegated Managed Service Account (dMSA) feature allows domain-wide compromise in any domain that has at least one Windows Server 2025 domain controller. An attacker who can merely create objects in an Organizational Unit can create a dMSA, mark it as the successor of a privileged account, and inherit that account’s rights. Minimal permissions needed, few logs left behind: a domain controller’s worst nightmare.
May 22 Newsletter
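The two preconditions of that attack path are things you can hunt for today: dMSA objects whose successor link points at an account nobody is migrating, and OUs where a non-admin principal holds CreateChild (or WriteDacl/WriteOwner, which lets it grant itself CreateChild). The script below is an added example written for this newsletter, not Microsoft’s or Akamai’s tooling. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the directory; the object class and attribute names are the schema’s own, and the “expected” admin principals list is an assumption you should extend with your own delegated admin groups.

```powershell
# Added example: hunt for the two preconditions of the Windows Server 2025
# dMSA privilege-escalation path. Assumes RSAT ActiveDirectory and a
# domain-joined host with read access to the directory and its ACLs.
Import-Module ActiveDirectory

# schemaIDGUID of the dMSA object class, needed to recognise ACEs that grant
# CreateChild for that class only. Absent if the forest schema predates 2025.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$dmsaClassBytes = (Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' `
    -Properties schemaIDGUID).schemaIDGUID
if (-not $dmsaClassBytes) { throw 'dMSA class not in schema: no Windows Server 2025 DC in this forest' }
$dmsaClassGuid = [guid]::new([byte[]]$dmsaClassBytes)

# Hunt 1: every dMSA and the account it claims to supersede.
# The escalation pivots on msDS-ManagedAccountPrecededByLink pointing at a
# privileged account; a link no migration project explains is the finding.
function Get-SuspiciousDmsa {
    Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
        -Properties 'msDS-ManagedAccountPrecededByLink','msDS-DelegatedMSAState','whenCreated' |
    ForEach-Object {
        [pscustomobject]@{
            dMSA       = $_.DistinguishedName
            PrecededBy = $_.'msDS-ManagedAccountPrecededByLink'
            State      = $_.'msDS-DelegatedMSAState'   # 2 = migration marked complete
            Created    = $_.whenCreated
        }
    }
}

# Hunt 2: OUs where a principal outside the expected admin set can create
# child objects, or rewrite the ACL to give itself that right. Any such
# principal can create the dMSA in the first place.
function Get-DmsaCreatorsPerOu {
    $netbios  = (Get-ADDomain).NetBIOSName
    # Assumption: extend with your own delegated admin groups.
    $expected = @("$netbios\Domain Admins", "$netbios\Enterprise Admins",
                  'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    $interesting = [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
                   [int][System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
                   [int][System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $acl = Get-Acl -Path ('AD:\' + $ou.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.ActiveDirectoryRights -band $interesting) -eq 0) { continue }
            # Empty ObjectType means "all child classes"; otherwise the ACE only
            # matters when it is scoped to the dMSA class itself.
            if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $dmsaClassGuid) { continue }
            if ($expected -contains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-SuspiciousDmsa    | Format-Table -AutoSize
Get-DmsaCreatorsPerOu | Format-Table -AutoSize
```

Run it from a workstation with RSAT as a normal domain user; both hunts need only read access. For ongoing detection rather than a point-in-time sweep, enable Directory Service Changes auditing with a SACL on the OUs so that dMSA creation shows up as event 5137 and writes to msDS-ManagedAccountPrecededByLink as event 5136 on the domain controllers.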
2. Nucor Steel Cyberattack Disrupts Manufacturing Across North America
A cyberattack against Nucor disrupted production at multiple facilities, likely ransomware. As North America's largest steelmaker, this could ripple through supply chains.
May 22 Newsletter
3. Procolored Infected Installer Distributed for 3 Months
Malware was bundled with Procolored’s legitimate printer drivers, digitally signed and hosted on the official site. Information-stealing malware was delivered to thousands.
May 22 Newsletter
4. Insider Agents at Coinbase Leaked Data, Enabled Fraud
Cybercriminals bribed third-party support agents to leak data on roughly 1% of Coinbase users, used it for social-engineering fraud, and demanded $20M not to publish it. The incident highlights the human side of risk: the weakest link was a contractor with legitimate access, not a vulnerability.
May 22 Newsletter
5. RVTools Website Hacked – Bumblebee Malware Delivered
A trusted VMware utility was hijacked to distribute the Bumblebee loader malware. Trojanized versions remained on the vendor site for at least two weeks.
May 19 Newsletter
6. Fake KeePass Leads to ESXi Ransomware
A cloned KeePass site tricked users into installing a compromised password manager. End result: stolen credentials, lateral movement, and ransomware on ESXi.
May 19 Newsletter
7. Pwn2Own Berlin Pays $1M+ for 28 New Zero-Days
Researchers successfully exploited hypervisors, browsers, servers, and AI systems at Pwn2Own Berlin, revealing how wide open many of our “secure” environments are.
May 19 Newsletter
8. Printer Drivers Used to Distribute Stealthy Credential Stealer
Infected Procolored installers delivered malware undetected for months. Digitally signed binaries increased user trust—and exposure.
May 22 Newsletter
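Items 3, 5, 6 and 8 share one lesson: a file that is digitally signed, or served from the vendor’s own site, is not proof of integrity. The check below is an added example written for this newsletter, not code from the newsletter itself or from Procolored, RVTools or KeePass. It refuses to stop at “signature valid” and instead pins both the SHA-256 hash the vendor publishes out of band and the thumbprint of the vendor’s known code-signing certificate. The hash and thumbprint strings in the usage comment are placeholders, not real values for any product.

```powershell
# Added example: vet an installer before running it. Assumes you obtained the
# expected SHA-256 and the vendor's code-signing certificate thumbprint from a
# channel other than the download page itself (changelog, signed release
# notes, a previous known-good build).
function Test-Installer {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string]   $ExpectedSha256,      # published out of band
        [Parameter(Mandatory)] [string[]] $TrustedThumbprints   # vendor signing cert(s)
    )

    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $signerThumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }

    # -eq and -contains are case-insensitive in PowerShell, so hex case does not matter.
    $hashOk   = $hash -eq $ExpectedSha256
    $sigValid = $sig.Status -eq 'Valid'
    $signerOk = [bool]($signerThumb -and ($TrustedThumbprints -contains $signerThumb))

    [pscustomobject]@{
        File           = $Path
        Sha256         = $hash
        HashMatches    = $hashOk
        SignatureState = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        SignerPinned   = $signerOk
        # A trojanized build signed with some other valid certificate fails
        # SignerPinned; a trojanized build signed with the vendor's own
        # certificate still fails HashMatches. Only all three together pass.
        SafeToRun      = ($hashOk -and $sigValid -and $signerOk)
    }
}

# Usage (placeholder values, not real hashes or thumbprints for any product):
# Test-Installer -Path .\RVTools.msi `
#     -ExpectedSha256 '<sha256 from the vendor changelog>' `
#     -TrustedThumbprints @('<thumbprint of the vendor code-signing certificate>')
```

The hash pin is what actually catches a compromised official download; the signer pin catches the cloned-site case where the attacker signs with a certificate of their own. Treat SignatureState values other than Valid (NotSigned, HashMismatch, UnknownError) as a hard stop, and remember that a TrustedThumbprints list has to be refreshed when the vendor rotates certificates.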
9. Operation RapTor: 270 Dark Web Vendors Arrested
A multi-nation takedown operation saw law enforcement seize $40M+ in crypto and arrest 270 suspects involved in malware and credential trafficking.
May 22 Newsletter
10. Dark Web Market Seizures Highlight Stolen Credential Risks
The RapTor arrests also spotlighted the continued risk from credentials sold on marketplaces. Assume some of your users’ passwords are already for sale: monitor for leaked credentials, force resets on a hit, and require phishing-resistant MFA so a purchased password alone gets an attacker nowhere.
May 22 Newsletter
Biggest Threat This Week
Chinese Hackers Exploit Trimble Cityworks Flaw to Infiltrate U.S. Government Networks (CVE-2025-0944)
A Chinese-speaking threat actor, tracked by Cisco Talos as UAT-6382, has been exploiting CVE-2025-0944, a deserialization vulnerability in Trimble Cityworks that allows remote code execution on the IIS server hosting the application. Cityworks is used by local, state, and federal agencies for infrastructure and asset management. The flaw was leveraged to drop Rust-based loaders that deploy Cobalt Strike and VShell backdoors, establish persistence, and exfiltrate sensitive data. This isn’t a theoretical vulnerability: CISA has listed it in its Known Exploited Vulnerabilities catalog, and the targets are critical government systems.
Risk Level: Critical
MITRE Tactics: Initial Access, Persistence, Exfiltration
Action Steps:
Update every Cityworks instance to a fixed release (15.8.9 or 23.10 and later) and run the IIS application pool identity without local or domain administrator rights, as Trimble’s guidance requires
Segment and monitor any infrastructure linked to Cityworks, including the database and GIS back ends it talks to
Hunt for web shells and unexpected executables under the IIS web root, for unusual outbound connections from the web server, and for lateral movement originating from it
Enable anomaly detection on sensitive data flows
May 22 Newsletter
Training Recommendation
Know Your Weak Points: Vulnerability Assessment Training
With this week’s mix of zero-days, trojanized installers, and an actively exploited government platform, identifying your weak points has never been more crucial. Hack The Box Academy’s Vulnerability Assessment Training is designed to help you find and fix those hidden vulnerabilities before attackers do. Dive deep into vulnerability scanning, assessment techniques, and methodologies tailored for modern threats, the kind of groundwork that flags an unpatched Cityworks server before a group like UAT-6382 does.
Sign up here to get started: Vulnerability Assessment Training
Wrapping Up:
From state-sponsored exploits and Active Directory zero-days to supply chain subversion and insider-driven crypto fraud, this week had it all. The message is clear: tighten identity controls, scrutinize your software sources, and assume every update could be a Trojan horse until proven otherwise.
Stay paranoid—professionally,
(P.S. Supporting our partners helps keep this newsletter running!)
Start learning AI in 2025
Keeping up with AI is hard – we get it!
That’s why over 1M professionals read Superhuman AI to stay ahead.
Get daily AI news, tools, and tutorials
Learn new AI skills you can use at work in 3 mins a day
Become 10X more productive