Originally reported by The Hacker News, SANS ISC
TL;DR
Multiple ransomware groups are actively using bring-your-own-vulnerable-driver techniques to disable security tools, while North Korean threat actors executed a sophisticated six-month social engineering operation culminating in a $285 million cryptocurrency theft.
Taken together, active ransomware campaigns that use sophisticated EDR bypass techniques and a major DPRK-attributed cryptocurrency theft represent significant ongoing threats to enterprise security infrastructure.
Multiple threat intelligence firms have documented sophisticated evasion techniques employed by prominent ransomware groups, highlighting the ongoing arms race between attackers and security vendors.
Cisco Talos and Trend Micro researchers have identified Qilin and Warlock ransomware operators leveraging bring-your-own-vulnerable-driver (BYOVD) techniques to disable over 300 endpoint detection and response (EDR) tools. The attacks deploy a malicious DLL named "msimg32.dll" as part of the evasion strategy.
The BYOVD technique allows threat actors to abuse legitimate but vulnerable signed drivers to gain kernel-level privileges, effectively neutralizing security software before deploying ransomware payloads. This approach represents a significant evolution in ransomware tactics, as it directly targets the defensive tools organizations rely on for threat detection and response.
Germany's Federal Criminal Police Office (BKA) has unmasked the real identities of two key figures from the defunct REvil (Sodinokibi) ransomware-as-a-service operation. One threat actor, operating under the alias "UNKN," served as a group representative and advertised the ransomware on the XSS cybercrime forum in June 2019.
The identification connects these individuals to 130 ransomware attacks against German targets, providing law enforcement with concrete attribution for a significant portion of REvil's operations in the region.
Drift, a Solana-based decentralized exchange, has disclosed that the April 1, 2026 attack resulting in $285 million in stolen cryptocurrency was the culmination of a six-month targeted social engineering operation attributed to North Korean threat actors. The campaign began in fall 2025 and demonstrates the DPRK's continued focus on cryptocurrency theft to circumvent international sanctions.
The extended timeline suggests a highly sophisticated operation involving extensive reconnaissance and relationship building with Drift personnel, marking another evolution in state-sponsored cryptocurrency targeting.
SANS Internet Storm Center researchers have published analysis examining the prevalence of open redirect abuse in current phishing campaigns. The research builds on previous findings about threat actors actively seeking vulnerable redirect mechanisms to obscure malicious destinations and evade detection systems.
The analysis provides insights into how attackers are adapting their infrastructure tactics to maintain effectiveness against improved email security filters and user awareness programs.
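The open redirect abuse described above can be checked for on both sides: mail filters can flag URLs whose query string smuggles a second, external destination, and web applications can refuse to redirect anywhere but their own relative paths. The following is an added example written for this digest, not code from the SANS ISC analysis; the hosts trusted.example and phish.example are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs, unquote


def embedded_external_hosts(url: str) -> list[str]:
    """Detection: return hosts of absolute (or protocol-relative) URLs found in
    any query parameter of `url` whose host differs from the outer host.
    A non-empty result is the classic open-redirect phishing pattern:
    https://trusted.example/redirect?url=https://phish.example/login"""
    try:
        outer = urlparse(url)
    except ValueError:  # malformed URLs (e.g. bad IPv6 brackets) are not scored here
        return []
    outer_host = (outer.hostname or "").lower()
    found = []
    for values in parse_qs(outer.query, keep_blank_values=True).values():
        for raw in values:
            # parse_qs decodes once; unquote again catches double-encoded payloads
            candidate = unquote(raw)
            try:
                inner = urlparse(candidate)
            except ValueError:
                continue
            # scheme "" with a netloc means a protocol-relative "//host" target
            if inner.netloc and inner.scheme in ("http", "https", ""):
                host = (inner.hostname or "").lower()
                if host and host != outer_host:
                    found.append(host)
    return found


def safe_redirect_target(next_url: str) -> str:
    """Mitigation for a redirect endpoint: accept only a same-site relative
    path; anything absolute, protocol-relative, or browser-normalisable into
    an external host ("/\\host") falls back to the site root."""
    parsed = urlparse(next_url)
    if parsed.scheme or parsed.netloc:
        return "/"
    if not next_url.startswith("/") or next_url.startswith(("//", "/\\")):
        return "/"
    return next_url


if __name__ == "__main__":
    # constructed sample URLs, as seen in a phishing mail and in legitimate traffic
    samples = [
        "https://trusted.example/redirect?url=https%3A%2F%2Fphish.example%2Flogin",
        "https://trusted.example/out?u=%252F%252Fphish.example",
        "https://trusted.example/page?id=42&next=/account",
    ]
    for s in samples:
        print(s, "->", embedded_external_hosts(s))
```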