Copy Fail Exploitation, Ransomware Surge, and Phishing Campaigns Dominate Threat

Events tracked: 125
Critical exposure: 55

Summary

Today's threat landscape is defined by a convergence of high-volume data breach claims and active exploitation of a critical Linux vulnerability. The 55 critical data exposure events signal a broad, opportunistic targeting of financial services, government, and gaming sectors, with notable claims against the U.S. Navy and Robinhood. Defenders should prioritize patching the "Copy Fail" Linux bug, which is now under active exploitation, and remain vigilant against a sophisticated phishing campaign leveraging legitimate RMM tools that has already impacted over 80 organizations.

Today's developments

The day's most significant operational threat is the active exploitation of the "Copy Fail" Linux vulnerability, which industry researchers confirm affects mainstream Linux distributions built since 2017. CISA has added the bug to its Known Exploited Vulnerabilities catalog, and Microsoft has observed limited exploitation, primarily associated with proof-of-concept testing. This vulnerability, which some researchers criticized for its AI-generated disclosure, represents a systemic risk to enterprise Linux environments.

A large-scale phishing campaign, tracked as VENOMOUS#HELPER, has been observed targeting over 80 organizations, predominantly in the United States, since at least April 2025. The campaign uses legitimate Remote Monitoring and Management (RMM) tools -- SimpleHelp and ScreenConnect -- to establish persistent remote access on compromised hosts. Separately, Microsoft Defender Research detailed a multi-stage "code of conduct" themed phishing campaign that leads to adversary-in-the-middle (AiTM) token compromise, using legitimate email services to distribute authenticated messages from attacker-controlled domains.

The ransomware front saw a claim against a pro-Orbán Hungarian media firm, Mediaworks, which confirmed the incident and warned that a significant amount of data may have been compromised. In the defense sector, the Infrastructure Destruction Squad claims to have breached Rheinmetall, the German defense contractor. Other notable alleged breaches include:

  • U.S. Navy -- claimed by Handala Hack, targeting U.S. government administration.
  • Robinhood -- claimed by Lazarus, targeting U.S. financial services.
  • Rheinmetall -- claimed by Infrastructure Destruction Squad, targeting German defense and space.
  • Punjab National Bank -- claimed by Neffex The BlackHat, targeting Indian banking.
  • Government of Pakistan -- claimed by shalimaar13, targeting government administration.
  • Multiple French Sports Federations -- claimed by selluk, targeting French sports organizations.
  • Malakoff Humanis -- claimed by selluk, targeting French insurance.
  • Trustpilot -- claimed by MDGhost, targeting Danish IT services.
  • Crocs -- claimed by campfire, targeting Israeli retail.
  • WhatsApp -- claimed by x0ghost, targeting global social media.

Several financial institutions were also targeted, including Ipoteka Bank (Uzbekistan), OCBC Malaysia, Bank Sinarmas (Indonesia), OVO (Indonesia), and Banco de Machala (Ecuador). The gaming sector saw claims against Roblox and Dunia Games, both attributed to Mr.ZeroPhx100.

In industry news, Cisco announced its intent to acquire Astrix Security to address non-human identity risks, while Trellix confirmed a source code repository breach that, according to the firm, has not impacted its release or distribution process. Progress Software has released patches for a critical MOVEit Automation authentication bypass vulnerability.

Threat landscape signals

The data reveals a significant concentration of activity by a small number of actors. BABAYO EROR SYSTEM leads with nine events, while Mr.ZeroPhx100, NoName057(16), Order403, and magelang6etar each account for five. This clustering suggests coordinated or automated campaigns rather than isolated incidents. The United States (15 events) and Indonesia (14 events) are the most targeted countries, with France (12), Israel (9), and Venezuela (5) also heavily affected.

The financial services and banking sectors remain the most targeted verticals, with 10 alleged breaches or leaks across institutions in the U.S., Uzbekistan, Malaysia, Indonesia, India, and Ecuador. Government administration targets in the U.S., Pakistan, and Mexico indicate sustained interest from hacktivist and financially motivated actors. The appearance of defense sector targets (U.S. Navy, Rheinmetall, IRGC) alongside gaming and e-commerce victims suggests a broad, opportunistic threat landscape where no sector is immune. The mix of ransomware, data breach, and leak claims indicates that extortion remains the primary monetization strategy, with initial access brokers likely feeding the pipeline.

All incidents are reported as alleged claims by threat actors and have not been independently verified by GrayscaleInsight.

Threat intelligence is reported for security awareness purposes only and does not constitute endorsement of any actor, group, or activity.
