Virtualization and networking infrastructure have been targeted by a threat actor codenamed Fire Ant as part of a prolonged cyber espionage campaign.
The activity, observed this year, is primarily designed Now to infiltrate organizations' VMware ESXi and vCenter environments as well as network appliances, Sygnia said in a new report published today.
"The threat actor leveraged combinations of

Fire Ant Exploits VMware Flaws to Compromise ESXi Hosts and vCenter Environments

Former Hunters International ransomware gang, now World Leaks, claims 1.3 TB Dell data breach, leaking over 400K files with internal tools and user data.

World Leaks, the rebranded version of the Hunters International ransomware gang, has leaked 1.3 TB of internal data, which the group claims belongs to Dell Technologies Inc., the American multinational tech giant.

The announcement was made earlier today, Monday, July 21, 2025, on the group’s official dark web leak site. According to information reviewed by Hackread.com, the leak contains 416,103 files, all publicly available for download. Many of these files directly reference Dell Technologies and appear consistent with internal corporate data.

World Leaks’ claims on its dark web leak site (Image credit: Hackread.com)

****Analysis of the File List****

A closer look at the leaked file list shows what appears to be internal data from across Dell Technologies’ global network. The files come from various regional systems, including the Americas, Europe, and Asia-Pacific, and cover everything from employee folders and software tools to infrastructure scripts and backup data.

Many of the files mention Dell Technologies and its products, such as PowerPath, PowerStore, and firmware for Dell-branded hardware. There are also references to VMware tools, automation scripts written in Terraform, and files linked to system monitoring and internal testing.

Some paths point to browser profiles, log files, and software packages used in development or support environments. What stands out is how often Dell’s name and tools appear throughout the directories, along with structured naming that suggests the data is pulled from real corporate systems. All of this supports the group’s claim that the files are indeed from inside Dell’s infrastructure.

Screenshot from the file list published by World Leak (Image credit: Hackread.com)

It’s also worth noting that World Leaks has not disclosed when the breach of Dell Technologies occurred, how it was carried out, or how the company responded to it.

****Dell’s Statement****

In a statement to Hackread.com, Dell confirmed that a threat actor accessed its internal “Solution Center,” an environment used for product demos and testing. The company emphasised that this system is isolated from customer and partner networks and is not part of its service infrastructure.

According to Dell, the data obtained was primarily synthetic, publicly available, or related to internal scripts and testing outputs. While Dell did not use the term “breach,” its response indicates that unauthorised access did occur. The company says its investigation is ongoing.

****Who Is World Leaks and How Is It Connected to the Hunters International Ransomware Group?****

As Hackread.com reported in early July 2025, World Leaks is the new name adopted by the group formerly known as Hunters International. The gang has changed its approach, now focusing solely on data theft and extortion rather than deploying ransomware. Their approach focuses on stealing sensitive data and threatening to leak it unless they are paid by their victims.

This approach is completely different from how Hunters International operated, where file encryption was used alongside extortion. World Leaks has dropped the encryption part entirely and is now gambling everything on the pressure that comes from the threat of public exposure.

The change could be a strategic one, especially with law enforcement agencies becoming more aggressive and ransomware profits facing more obstacles. By cutting out the encryption step, they reduce the chances of getting caught while still profiting from the stolen data.

World Leaks now uses a custom exfiltration tool to automatically extract large volumes of data from compromised networks. This tool seems to be a more advanced version of the data theft software previously used by affiliates of the original Hunters International group.

****Dell and Cybersecurity Incidents: Nothing New****

A company as large as Dell is always an attractive target for cybercriminals, and this isn’t the first time hackers have claimed to breach its systems. On May 9, 2024, a hacker using the alias “Menelik” claimed to be selling data from 49 million Dell customer accounts.

The following day, on May 10, Dell confirmed the breach but downplayed its severity, stating that the compromised data posed “no significant risk.” The exposed information included full names, physical addresses, Dell hardware and order details, service tags, item descriptions, order dates, warranty information, and more.

In September 2024, a hacker using the alias “grep” announced three separate data breaches involving Dell. One of the breaches reportedly exposed data belonging to more than 10,000 Dell employees.

World Leaks Claims Dell Data Breach, Leaks 1.3 TB of Files

In a recent intrusion, the notorious cybercriminal collective accessed CyberArk vaults and obtained more 1,400 secrets, subverted Azure, VMware, and Snowflake environments, and for the first known time, actively fought back against incident response teams.

Scattered Spider Taps CFO Credentials in 'Scorched Earth' Attack

Hazel observes that cybercriminals often fumble teamwork, with fragile alliances crumbling over missed messages. Plus, how UAT-6382 is exploiting Cityworks and what you can do to stay secure.

Thursday, May 22, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

Talos recently published research into how threat actors are increasingly teaming up across the attack chain. Each group handles a slice of the operation, passing the breach along like a relay baton. 

It’s a concerning trend — one that we believe calls for rethinking traditional threat modeling. But one thing stood out to me while reading: cybercriminals are often terrible at teamwork. 

What if the ransomware affiliate is waiting on credentials that never arrive? The access broker sells a foothold, but the tooling meant to exploit it isn’t ready, doesn’t work in the target environment or never shows up at all? 

Ghosting isn’t limited to dating apps or job interviews (and if you’ve been through six interview rounds and still heard nothing, I see you). Cybercriminals flake too — whether it’s bad timing, better targets, internal drama… or maybe they just went to get a haircut (an actual complaint that a Conti member made about a fellow actor not showing up). 

In this compartmentalized model, the threat chain becomes a fragile supply line, stitched together in real time. Efficient, yes — but brittle. If one actor drops out, the whole operation can unravel. And let’s not pretend there’s honour among cybercriminals. They're opportunists. What’s to stop a broker from selling the same credentials to multiple buyers? Or backing out entirely if a better offer lands? 

Of course, this ecosystem isn’t monolithic. Some groups run like structured businesses — access brokers, malware builders, “customer” (aka victim) services, the works. Others are looser, relying on whoever turns up in their DMs with access for sale. It’s the latter where ghosting seems more likely. In organised crews, a flaky broker risks reputational damage. In the freelance underworld, it’s just Tuesday.  

Oof, I didn’t mean to knock freelancers there. Just, you know, _those_ ones… 

History suggests fallouts are inevitable. Conti's collapse, as Wired reported, started with a single angry post and spiraled into a full on leak about poor performance records: 

> _“I have 100 people here, half of them, even 10 percent, do not do what they need.”_  

> _\- Stern (or Demon), former Conti CEO_ 

LAPSUS$ imploded under its own infighting. One REvil affiliate even ranted on a cybercrime forum like a scammed eBay buyer. 

To twist a familiar phrase: compartmentalized threats are only as strong as their weakest link. What if that link has poor communication skills, no follow-through and a serious case of commitment issues?

**The one big thing **

In Talos’ most recent blog post, we shared that UAT-6382, Chinese-speaking threat actors, have exploited Cityworks, a widely-used asset management system, through a remote code execution vulnerability (CVE-2025-0994). The actors are deploying advanced malware for long-term persistence and control. 

**Why do I care? **

UAT-6382 is not only exploiting this vulnerability, but they're also employing sophisticated tools like web shells, Rust-based malware loaders, and frameworks like Cobalt Strike to burrow deep into systems. This could lead to data breaches and operational downtime. 

**So now what? **

While the intrusions we mentioned in the blog have been contained, exploitation may be continuing in the wild. Use the indicators of compromise (IOCs) listed in the blog to scan your environment.

**Top security headlines of the week **

**NATO-Flagged Vulnerability Tops Latest VMware Security Patch Batch**   
VMware patches flaws that expose users to data leakage, command execution and denial-of-service attacks. No temporary workarounds available.  (SecurityWeek) 

**NIST's 'LEV' Equation to Determine Likelihood a Bug Was Exploited**   
The new equation, introduced by the National Institute of Standards and Technology (NIST), aims to offer a mathematical likelihood index that could be a game-changer for SecOps teams and vulnerability patch prioritization. (Dark Reading) 

**Kettering Health hit by system-wide outage after ransomware attack**   
Kettering Health, a healthcare network that operates 14 medical centers in Ohio, was forced to cancel inpatient and outpatient procedures following a cyberattack that caused a system-wide technology outage. (BleepingComputer)

**Can’t get enough Talos? **

*   Duping Cloud Functions: An emerging serverless attack vector 
*   Talos Takes: Inside the Kill Chain: Compartmentalized Threat Modeling Explained 

**Upcoming events where you can find Talos **

*   BotConf (May 20 – 23) Angers, France  
*   Cisco Live U.S. (June 8 – 12) San Diego, CA 
*   NIRMA (July 28 – 30) St. Augustine, FL 
*   Black Hat USA (August 2 - 7) Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201 

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**     
MD5: 7bdbd180c081fa63ca94f9c22c457376     
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details    
Typical Filename: IMG001.exe    
Detection Name: Simple\_Custom\_Detection 

**SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**    
MD5: 71fea034b422e4a17ebb06022532fdde    
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details    
Typical Filename: VID001.exe    
Claimed Product: N/A    
Detection Name: Coinminer:MBT.26mw.in14.Talos 

**SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0**   
MD5: 8c69830a50fb85d8a794fa46643493b2    
Typical Filename: AAct.exe    
Claimed Product: N/A    
Detection Name: PUA.Win.Dropper.Generic::1201

Ghosted by a cybercriminal

An employee inadvertently downloaded a malicious version of the legitimate RVTools utility, which launched an investigation into an attempted supply chain attack aimed at delivering the recently revived initial-access loader.

Bumblebee Malware Takes Flight via Trojanized VMware Utility

RVTools installer on its official site was found delivering malware. Research shows it spread Bumblebee loader. Users urged to verify downloads.

A widely used tool for managing VMware systems, RVTools, was recently found delivering harmful software to users. A security researcher, Aidan Leon, sounded the alarm in a blog post on ZeroDayLabs after discovering a compromised installer for RVTools on its official website.

The issue came to light on Thursday, May 15, 2025, when Leon’s security team detected a suspicious file, version.dll, attempting to run from an RVTools installer. This happened during an employee’s attempt to install the utility.

Reportedly, the infected version was first uploaded on Monday, May 12, 2025, suggesting the website was compromised between 8 AM and 11 AM that day. The official website later went offline and then reappeared with a clean version of the download. However, by Friday, May 16, 2025, the site was offline again without explanation.

Microsoft Defender for Endpoint quickly flagged the activity. Further investigation confirmed that the malicious installer originated from the official RVTools website, Robware.net. Also, Leon found that the infected RVTools installer was noticeably larger than its legitimate counterpart. It also contained a file hash that did not match the clean version listed on the official site. 

The file’s analysis on VirusTotal, a service that checks for malicious content, confirmed the severity: 33 out of 71 antivirus engines identified it as a variant of the Bumblebee malware loader– a malware known for its role in gaining initial access for cybercriminals, often paving the way for ransomware or advanced attack frameworks.

The malicious file even featured unusual and deliberately confusing details in its metadata, such as “Hydrarthrus” as the original filename and strange descriptions like “elephanta ungroupable clyfaker gutturalness” for the product. These cryptic terms, as noted in a ZeroDay Labs Report, were used as a distraction from the file’s true harmful purpose.

Within an hour of the malicious file being submitted to VirusTotal, public detections of it surged. This coincided with the RVTools website temporarily going offline. When the site returned, the downloaded file had changed, now being smaller and matching the official, safe file hash. This swift change strongly suggested a brief but targeted compromise of the software’s distribution channel.

The security concerns don’t end with the official website. A warning on the legitimate RVTools site advises against downloading the software from other sources. This advice is critical, as a simple online search for “RVTools download” currently shows a lookalike website, rvtoolsorg, as the top result. This fake site, which claims to be official, also offers a malicious RVTools installer.

The incident shows the need for caution when downloading software, even from legitimate sources. Organizations installing RVTools should verify the installer’s integrity by checking file hashes and detecting unusual activity, especially the execution of “version.dll” from user directories.

Compromised RVTools Installer Spreading Bumblebee Malware

The official site for RVTools has been hacked to serve a compromised installer for the popular VMware environment reporting utility.
"Robware.net and RVTools.com are currently offline. We are working expeditiously to restore service and appreciate your patience," the company said in a statement posted on its website.
"Robware.net and RVTools.com are the only authorized and supported websites for

RVTools Official Site Hacked to Deliver Bumblebee Malware via Trojanized Installer

The beginning of Pwn2Own Berlin 2025, hosted at the OffensiveCon conference, has concluded its first two days with…

The beginning of Pwn2Own Berlin 2025, hosted at the OffensiveCon conference, has concluded its first two days with notable achievements in cybersecurity research. A total of $695,000 has been awarded for 39 unique **zero-day vulnerabilities**, with the final day scheduled for Saturday, May 17.

****Day One: Major Exploits and AI Category Debut****

On May 15, the competition commenced with 11 exploit attempts, including the first-ever AI category. Researchers earned $260,000 for successful demonstrations across various platforms.

****Key Highlights:****

*   **Windows 11:** Chen Le Qi of STAR Labs SG combined a use-after-free and integer overflow to escalate privileges to SYSTEM, earning $30,000 and 3 Master of Pwn points.

*   **Red Hat Linux**: Pumpkin from the DEVCORE Research Team exploited an integer overflow for privilege escalation, securing $20,000 and 2 points.

*   **Oracle VirtualBox:** Team Prison Break achieved a virtual machine escape via an integer overflow, receiving $40,000 and 4 points.

*   **Docker Desktop:** Billy and Ramdhan of STAR Labs demonstrated a container escape using a Linux kernel vulnerability, earning $60,000 and 6 points.

*   **AI Category:** Sina Kheirkhah of Summoning Team exploited the Chroma AI application database, marking the first success in this category and earning $20,000 and 2 points.

Additional awards were given for other successful exploits, including a type confusion bug in Windows 11 by Hyeonjin Choi of Out Of Bounds, who earned $15,000 and 3 points.

****Day Two: Continued Success and High-Value Exploits****

The second day, May 16, saw researchers uncovering 20 unique zero-day vulnerabilities, resulting in $435,000 in awards.

*   **Microsoft SharePoint:** Dinh Ho Anh Khoa of Viettel Cyber Security combined an authentication bypass and insecure deserialization to exploit SharePoint, earning $100,000 and 10 points.

*   **VMware ESXi:** Synacktiv demonstrated a successful exploit, securing $80,000 and 8 points.

*   **NVIDIA Triton Inference Server:** Mohand Acherir and Patrick Ventuzelo of FuzzingLabs earned $15,000 and 1.5 points for their exploit, which was a known but unpatched vulnerability.

Other successful exploits included attacks on Firefox, Redis, and additional AI systems.  
SecurityWeek

> Wrapping up Day Two of #Pwn2Own Berlin 2025. We’ve awarded $695,000 for 20 unique 0-days, with one more day to go! pic.twitter.com/x2oBfaSfKS
> 
> — Trend Zero Day Initiative (@thezdi) May 16, 2025

****Day Three: Anticipated Final Challenges****

The final day, Saturday, May 17, is expected to feature remaining scheduled attempts, including further AI category exploits and other high-profile targets. With $695,000 already awarded, the total prize pool is projected to surpass $1,000,000.

****Master of Pwn Standings****

As of the end of Day Two, STAR Labs SG leads the Master of Pwn standings, having demonstrated multiple successful exploits across various categories. The final standings will be determined after the conclusion of Day Three.

Pwn2Own Berlin 2025 has showcased the growing **challenges in cybersecurity**, highlighting the importance of proactive vulnerability research. The introduction of the AI category reflects the growing focus on securing emerging technologies.

_Note: The above information is based on the latest available data from the Pwn2Own Berlin 2025 event. For detailed results and updates, refer to the Zero Day Initiative’s **official blog**._

Pwn2Own Berlin 2025: Windows 11, VMware, Firefox and Others Hacked

The cyberattack on Marks & Spencer (M&S) is linked to the notorious Scattered Spider group. Explore the severe…

The cyberattack on Marks & Spencer (M&S) is linked to the notorious Scattered Spider group. Explore the severe impact of the incident on M&S, including contactless payment failures, online delivery delays, and significant stock shortages in physical locations.

The recent cyber-attack that significantly disrupted operations at the British retailer Marks & Spencer (M&S) has now been linked to a notorious hacking collective known as Scattered Spider, the same group implicated in the high-profile 2023 attack on MGM Resorts.

As per Hackread.com’s initial report on April 23, 2025, the attack resulted in the shutdown of contactless payment systems, the Click and Collect order service, and delays in online deliveries, causing customer frustrations over the inability to use these crucial services. The report also noted that M&S had paused online orders and that cyber security experts believed the symptoms were consistent with a ransomware attack, where data is encrypted, and a ransom is demanded for its release.

The latest updates reveal astonishing details. Reportedly, hackers’ initial access to M&S’s systems may have occurred much earlier, in February, when they, allegedly, stole the NTDS.dit file from the Windows domain. This file is a crucial database containing all the user accounts and passwords for a Windows network managed by Active Directory Services. Obtaining and cracking this file would have provided the attackers with a list of plain-text passwords, enabling them to move laterally across the M&S network and gain control over more systems.

Following this initial access, investigation reveals that the attackers deployed the DragonForce encryptor against M&S’s virtual machines running on VMware ESXi hosts, with the main attack being launched on April 24th. Investigators have now pointed towards Scattered Spider as the responsible group.

The incident has had a significant impact, extending beyond crippling online services. The company has admitted to “pockets of limited availability” in its physical stores, with customers reporting empty shelves nationwide, suggesting disruptions to the supply chain. Moreover, online purchases have been paused, and gift card transactions are still affected.

The financial impact is significant, with around £650 million reportedly wiped off M&S’s stock market valuation and estimated daily losses from the online sales suspension could be around £3.5 million.

The retailer has been tight-lipped about the specifics of the cyber-attack and the timeline for full recovery, stating that taking systems offline was a proactive measure leading to the current shortages and is working to restore normalcy. However, in-store staff anticipate disruptions could last another week.

As per Hackread.com’s assessment of Scattered Spider, it is a unique hacking group that doesn’t operate as a cohesive unit but as a collection of individuals who vary with each attack, making them hard to track. They are known for using advanced social engineering and BlackCat ransomware.

Many members are believed to be native English speakers from Western Europe and the USA. Although some members were arrested in the USA and UK, Scattered Spider remains active and dangerous, as shown by their alleged involvement in the M&S cyber-attack, highlighting their continued ability to disrupt major organizations.

Scattered Spider Suspected in Major M&S Cyberattack

April “In the Trend of VM” (#14): vulnerabilities in Microsoft Windows, VMware products, Kubernetes, and Apache Tomcat. We decided to pause recording new videos, so for now only text. 🤷‍♂️🙂 🗞 Post on Habr (rus)🗒 Digest on the PT website (rus) A total of 11 trending vulnerabilities: 🔻 Elevation of Privilege – Windows Cloud Files […]

**April “In the Trend of VM” (#14): vulnerabilities in Microsoft Windows, VMware products, Kubernetes, and Apache Tomcat.** We decided to pause recording new videos, so for now only text. 🤷‍♂️🙂

🗞 Post on Habr (rus)  
🗒 Digest on the PT website (rus)

A total of 11 trending vulnerabilities:

🔻 **Elevation of Privilege** – Windows Cloud Files Mini Filter Driver (CVE-2024-30085)  
🔻 **Spoofing** – Windows File Explorer (CVE-2025-24071)  
🔻 Four Windows vulnerabilities from March Microsoft Patch Tuesday were exploited in the wild (CVE-2025-24985, CVE-2025-24993, CVE-2025-26633, CVE-2025-24983)  
🔻 Three VMware “ESXicape” Vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226)  
🔻 **Remote Code Execution** – Apache Tomcat (CVE-2025-24813)  
🔻 **Remote Code Execution** – Kubernetes (CVE-2025-1974)

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

Tag

#vmware