This week’s cybersecurity and dark web news stories discuss the Axios NPM package targeted in a supply chain attack, Storm-1175 exploiting fast-moving zero-days, and the unmasking of the REvil ransomware leader.
Millions of Developers at Risk in Major Supply Chain Attack
Google’s Threat Intelligence Group has uncovered a brazen software supply chain attack targeting Axios, one of the most widely used JavaScript libraries on the internet. Between March 31 and the early hours of April 1, an attacker introduced a malicious dependency named “plain-crypto-js” into Axios NPM releases versions 1.14.1 and 0.30.4 – packages that typically attract over 100 million and 83 million weekly downloads respectively. The malicious package acted as an obfuscated dropper, designed to silently install a backdoor on any developer machine that ran a routine package install.
Google attributes the attack to UNC1069, a financially motivated North Korea-linked threat actor active since at least 2018, based on the use of WAVESHAPER.V2 – an updated version of a backdoor previously linked to the group – as well as overlapping command-and-control infrastructure used in past UNC1069 operations. The attackers gained their foothold by compromising the maintainer account for Axios itself, changing the associated email address to an attacker-controlled account before pushing the tampered versions.
Once installed, the malware deploys platform-specific payloads across Windows, macOS, and Linux. On Windows, it disguises a copied PowerShell executable as a Windows Terminal binary; on macOS, it downloads a native binary to the Apple system caches folder; and on Linux, it installs a Python-based backdoor. After deploying its payload, the dropper attempts to delete itself and restore the original package.json to cover its tracks.
The resulting WAVESHAPER.V2 backdoor functions as a fully capable remote access trojan, able to collect system information, enumerate directories, execute arbitrary scripts, and inject additional payloads – all while beaconing to its command-and-control server every 60 seconds. Google warns that the impact is particularly far-reaching because hundreds of other popular packages rely on Axios as a dependency, potentially exposing entire CI/CD pipelines and cloud environments to compromise.
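Because Axios is pulled in transitively by so many other packages, the practical first step for a defender is to look at the resolved dependency tree rather than only the top-level package.json. The following is an added example (not code from Google or the Axios project) that scans a parsed package-lock.json for the two tampered Axios versions and the “plain-crypto-js” package named above, at any depth of the tree, for both the flat lockfile v2/v3 layout and the nested v1 layout. The package names and versions come from the story; the sample lockfiles are constructed, and scan_file() is the entry point to run against a real project.

```python
"""Scan an npm package-lock.json for the tampered Axios releases and the
malicious 'plain-crypto-js' dependency described in the story above.

Added example, not Google's or the Axios project's code. The package names and
versions are those reported in the story; the sample lockfiles are constructed.
"""
import json
import sys

# Identifiers named in the story.
MALICIOUS_PACKAGE = "plain-crypto-js"
COMPROMISED_AXIOS_VERSIONS = {"1.14.1", "0.30.4"}


def _package_name(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (lockfile v2/v3 keys)."""
    return path.rsplit("node_modules/", 1)[-1]


def _check(name, path, entry, findings):
    """Append (kind, install path, version) findings for one resolved package."""
    version = entry.get("version", "?")
    # v1 lists declared ranges under 'requires'; v2/v3 list them under 'dependencies'.
    declared = entry.get("requires") or entry.get("dependencies") or {}
    if name == MALICIOUS_PACKAGE:
        findings.append(("malicious-package", path, version))
    if name == "axios" and version in COMPROMISED_AXIOS_VERSIONS:
        findings.append(("compromised-axios", path, version))
    if MALICIOUS_PACKAGE in declared:
        findings.append(("declares-malicious-dependency", path, version))


def _walk_v1(deps, prefix, findings):
    """lockfileVersion 1 nests transitive packages under each entry's 'dependencies'."""
    for name, entry in deps.items():
        path = f"{prefix}node_modules/{name}"
        _check(name, path, entry, findings)
        nested = {k: v for k, v in entry.get("dependencies", {}).items() if isinstance(v, dict)}
        _walk_v1(nested, path + "/", findings)


def scan_lockfile(lock):
    """Return all findings for a parsed lockfile (empty list if nothing matches)."""
    findings = []
    if "packages" in lock:                      # lockfileVersion 2 or 3: flat map keyed by path
        for path, entry in lock["packages"].items():
            if path == "":                      # the root project entry, not a dependency
                continue
            _check(_package_name(path), path, entry, findings)
    elif "dependencies" in lock:                # lockfileVersion 1: nested tree
        _walk_v1(lock["dependencies"], "", findings)
    return findings


def scan_file(filename):
    """Convenience wrapper: scan a package-lock.json on disk."""
    with open(filename, encoding="utf-8") as fh:
        return scan_lockfile(json.load(fh))


# Constructed v3-style lockfile: a direct dependency on the tampered 1.14.1 release
# and a nested, second copy of axios 0.30.4 pulled in by another package.
SAMPLE_LOCKFILE_V3 = {
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"axios": "^1.14.0", "some-sdk": "^2.0.0"}},
        "node_modules/axios": {"version": "1.14.1",
                               "dependencies": {"plain-crypto-js": "^1.0.0", "follow-redirects": "^1.15.6"}},
        "node_modules/plain-crypto-js": {"version": "1.0.0"},
        "node_modules/follow-redirects": {"version": "1.15.6"},
        "node_modules/some-sdk": {"version": "2.0.0", "dependencies": {"axios": "^0.30.0"}},
        "node_modules/some-sdk/node_modules/axios": {"version": "0.30.4"},
    },
}

# Constructed v1-style lockfile with the same tampered axios and its dropper nested beneath it.
SAMPLE_LOCKFILE_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "axios": {"version": "1.14.1", "requires": {"plain-crypto-js": "^1.0.0"},
                  "dependencies": {"plain-crypto-js": {"version": "1.0.0"}}},
    },
}

if __name__ == "__main__":
    targets = sys.argv[1:]
    results = [scan_file(t) for t in targets] if targets else [scan_lockfile(SAMPLE_LOCKFILE_V3)]
    for findings in results:
        for kind, path, version in findings:
            print(f"{kind:32} {path} ({version})")
```

Run it as `python scan_lock.py path/to/package-lock.json` in each repository and CI image; a clean tree returns no findings, and a hit on “compromised-axios” or “malicious-package” means the machine that installed that tree should be treated as potentially backdoored, not merely patched.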
China-Linked Storm-1175 Exploits Zero-Days
A prolific China-linked hacking group is escalating its attacks on critical sectors, exploiting newly discovered vulnerabilities before organisations even know they exist. Microsoft’s Threat Intelligence team has linked Storm-1175 to high-velocity ransomware operations that have heavily impacted healthcare organisations, as well as those in education, professional services, and finance sectors in Australia, the United Kingdom, and the United States. The group’s defining tactic is speed – compromising targets and deploying ransomware within days, or in some cases within just 24 hours of initial access.
Since 2023, Storm-1175 has been linked to the exploitation of more than 16 vulnerabilities across widely used enterprise products, including Microsoft Exchange, Ivanti Connect Secure, ConnectWise ScreenConnect, JetBrains TeamCity, and BeyondTrust. Two of these – CVE-2025-10035 and CVE-2026-23760 – are confirmed to have been weaponised as zero-days before they were publicly disclosed. The group rotates between exploits rapidly, focusing on the window between a vulnerability’s public disclosure and when organisations have had time to apply patches.
Once inside a network, Storm-1175 creates new user accounts, deploys web shells or remote monitoring tools for lateral movement, conducts credential theft using tools like Mimikatz and Impacket, and systematically disables security software – including configuring Microsoft Defender exclusions – before dropping Medusa ransomware across the network. The group has also shown a growing interest in Linux environments, with recent incidents involving vulnerable Oracle WebLogic instances.
Microsoft highlighted a particularly concerning trend: the group’s increasing reliance on legitimate remote monitoring and management tools such as AnyDesk, Atera, MeshAgent, and ConnectWise ScreenConnect as dual-use infrastructure. By blending malicious traffic into trusted, encrypted platforms, Storm-1175 is able to reduce the likelihood of detection and maintain persistent access to compromised networks long after initial infiltration. Defenders are urged to prioritise patching internet-facing systems urgently, given the group’s demonstrated ability to exploit vulnerabilities faster than most organisations can respond.
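The post-access chain described above (new local accounts, Defender exclusions, and RMM agents used as infrastructure) is visible in ordinary process-creation telemetry, and the speed of the group argues for correlating those signals per host rather than triaging them one alert at a time. The following is an added example, not Microsoft's detection logic, that tags each event for the three behaviours and escalates any host showing more than one of them. The events and their field names (host, image, cmdline) are constructed, and the list of RMM products an organisation has approved is an assumed policy that a real deployment would supply.

```python
"""Tag the Storm-1175 post-access behaviours named in the story in process-creation
events, then escalate hosts that show more than one of them.

Added example, not Microsoft's detection logic. Events are constructed; the
field names and the approved-RMM policy are assumptions for this example.
"""
import re
from collections import defaultdict

# RMM products named in the story. Which of them are sanctioned is an
# organisation-specific policy; this example assumes only ScreenConnect is approved.
RMM_PRODUCTS = ("anydesk", "atera", "meshagent", "screenconnect")
APPROVED_RMM = {"screenconnect"}

# Add-MpPreference / Set-MpPreference with one of the exclusion parameters.
DEFENDER_EXCLUSION = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b", re.I)
# 'net user <name> [<password>] /add' creates a local account.
LOCAL_ACCOUNT_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+.*?\s/add\b", re.I)


def classify(event):
    """Return the list of detection tags that apply to one process event."""
    tags = []
    cmd = event.get("cmdline", "")
    image = event.get("image", "").lower()
    if DEFENDER_EXCLUSION.search(cmd):
        tags.append("defender-exclusion-added")
    if LOCAL_ACCOUNT_ADD.search(cmd):
        tags.append("local-account-created")
    for product in RMM_PRODUCTS:
        if (product in image or product in cmd.lower()) and product not in APPROVED_RMM:
            tags.append(f"unapproved-rmm:{product}")
    return tags


def scan_events(events):
    """Map host -> sorted distinct tags across all of its events (quiet hosts omitted)."""
    per_host = defaultdict(set)
    for ev in events:
        for tag in classify(ev):
            per_host[ev["host"]].add(tag)
    return {host: sorted(tags) for host, tags in per_host.items()}


def hosts_to_escalate(events, min_distinct=2):
    """Hosts showing two or more distinct behaviours, i.e. the chain rather than one step."""
    return sorted(h for h, tags in scan_events(events).items() if len(tags) >= min_distinct)


POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NET = r"C:\Windows\System32\net.exe"

# Constructed sample telemetry: two benign events (a read-only Defender query and a
# plain 'net user' listing), one approved RMM agent, and three events that should fire.
SAMPLE_EVENTS = [
    {"ts": "2025-01-01T02:10:05Z", "host": "ws01", "image": POWERSHELL,
     "cmdline": r"powershell.exe Add-MpPreference -ExclusionPath C:\ProgramData\update"},
    {"ts": "2025-01-01T02:12:41Z", "host": "srv02", "image": NET,
     "cmdline": r"net user svc_backup Passw0rd! /add"},
    {"ts": "2025-01-01T02:13:07Z", "host": "srv02", "image": r"C:\Users\Public\AnyDesk.exe",
     "cmdline": r"C:\Users\Public\AnyDesk.exe --service"},
    {"ts": "2025-01-01T02:15:00Z", "host": "srv03",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (constructed)\ScreenConnect.ClientService.exe",
     "cmdline": r"ScreenConnect.ClientService.exe"},
    {"ts": "2025-01-01T02:16:22Z", "host": "ws04", "image": POWERSHELL,
     "cmdline": "powershell.exe Get-MpPreference"},
    {"ts": "2025-01-01T02:17:09Z", "host": "ws01", "image": NET, "cmdline": "net user"},
]

if __name__ == "__main__":
    for host, tags in scan_events(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(tags)}")
    print("escalate:", hosts_to_escalate(SAMPLE_EVENTS))
```

Each single tag is worth a look on its own, but the escalation list is where the response clock starts: a host that both creates an account and launches an unsanctioned RMM agent within minutes matches the pre-ransomware stage the story describes, and the same per-host grouping works unchanged when the events come from an EDR export instead of the constructed list.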
German Police Unmask the Face Behind REvil
After years of anonymity, the man behind two of the most feared ransomware operations in history has finally been identified. Germany’s Federal Criminal Police Office (BKA) has named Daniil Maksimovich Shchukin, a 31-year-old Russian national from Krasnodarskiy, as the mastermind behind both the GandCrab and REvil ransomware operations, which he is alleged to have led between early 2019 and mid-2021. Known for years only by the online handle “UNKN,” Shchukin had been one of cybercrime’s most elusive figures, openly taunting law enforcement while bragging on forums about his wealth.
The BKA said Shchukin was involved in 130 extortion attempts across Germany, including 25 in which victims paid a combined total of over €1.9 million in ransoms. The incidents collectively caused financial damages exceeding €35.4 million. A second suspect, Anatoly Kravchuk, a 43-year-old Ukraine-born Russian citizen, was also named, with investigators alleging he served as a developer for the group. German investigators believe both men are currently residing in Russia.
Both GandCrab and REvil operated under a ransomware-as-a-service model, in which developers created the malicious encryption software and rented it out to affiliates who carried out attacks in exchange for a share of the profits. REvil quickly became one of the most aggressive ransomware groups globally, targeting high-profile victims including Lady Gaga’s law firm, major software provider Kaseya, and US meat-processing giant JBS.
REvil’s servers were eventually seized by law enforcement in late 2021, and seven individuals connected to the operations were arrested. In January 2022, Russian authorities announced further arrests, and four members of the group were ultimately sentenced to prison in 2024. Despite this, Shchukin remained unidentified publicly until now. The BKA’s move marks a significant step in the long-running effort to hold the architects of ransomware-as-a-service accountable, even as the suspects remain beyond the reach of Western extradition.