In today’s cybersecurity news…
Ransomware knocks Dutch healthcare vendor offline
The attack impacted the Dutch software vendor ChipSoft, which provides patient record software to 80% of Dutch healthcare facilities. The Netherlands computer emergency response team, Z-CERT, said it received a notification of a ransomware attack on the company as of April 7th. Local news outlet NOS reports 11 hospitals have pulled ChipSoft software offline after the attack. No group has claimed responsibility for the attack, and it’s unclear whether ChipSoft is in negotiations over a ransom.
APT28 is keeping busy
Remember that warning from the UK’s National Cyber Security Centre about a campaign by APT28, aka Fancy Bear and Forest Blizzard, that was targeting TP-Link and MikroTik routers? Well, a joint operation from the FBI, Microsoft, and Lumen’s Black Lotus Labs put up a roadblock to the operation. Dubbed Operation Masquerade, the parties worked to reset DNS settings to prevent APT28 from using the routers as a means of further access. A report from Microsoft said the espionage network impacted over 200 organizations and 5,000 consumer devices, although Lumen said it found no evidence that US government agencies were impacted.
Don’t worry about APT28, they’re still keeping busy. Trend Micro released a report on a spear-phishing campaign by the group that used a new malware suite called PRISMEX. This “combines advanced steganography, component object model (COM) hijacking, and legitimate cloud service abuse for command-and-control.” The campaign targeted organizations in Ukraine, including government entities and critical infrastructure, and included details on NATO partnerships.
CIA quietly elevated its cyber espionage division
Since 2015, the CIA’s Center for Cyber Intelligence resided within the Directorate of Digital Innovation. However, Recorded Future News confirmed that in October 2025, CIA Director John Ratcliffe elevated the unit into a full mission center. CIA spokesperson Liz Lyons said the move “enhances CIA’s ability to deliver the best intelligence on foreign cyber threats to policymakers, ensure that no target is beyond the reach of our capabilities, and drive continued improvement of cyber tradecraft.” This will see the Center’s leadership report directly to Ratcliffe. According to a former intelligence officer speaking to Recorded Future News, this type of elevation occurs when a Director deems something a “huge strategic priority.” There was no public announcement of the move last fall, possibly due to the government shutdown, but Congress was informed of the change.
The Bitter truth about a hack-for-hire campaign
A joint report from Access Now, Lookout and SMEX details a hack-for-hire campaign by a group with suspected links to the Indian government known as Bitter. This campaign targeted civil society members in the Middle East and North Africa with spyware. It has been active since at least 2022, using spear-phishing through fake social media accounts to install the Android ProSpy spyware. Details on ProSpy were first released last year by ESET, which profiled its use against United Arab Emirates residents.
Huge thanks to our sponsor, Vanta

Details on the Masjesu botnet
Researchers at Trellix released a report on this botnet, which has been active since at least 2023. The operators advertise the botnet on Telegram to both Chinese and English speakers, offering DDoS-as-a-service. The botnet enrolls IoT devices, primarily in Vietnam, but also in Brazil, India, Iran, Kenya, and Ukraine. It obfuscates its presence by forking processes and dynamically renaming the original executable path every 15 minutes in order to appear to be a regular system component. It also terminates wget and curl processes and locks down temporary folders to prevent infection by rival botnets. Right now the Telegram channel of Masjesu has over 400 subscribers, but researchers estimate its customer base to be much larger.
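As an added defender-side example (not from the Trellix report), the following Python compares two constructed Linux process-table snapshots and flags long-lived processes whose executable path changed between samples, the churn described above; the `ProcSample` type, the snapshots and the paths in them are constructed for illustration.

```python
"""Flag executable-path churn between two process-table snapshots.

Added example, not code from the Trellix report. Each sample holds what a
collector would read from /proc/<pid>/exe (resolved target) and the start
time from /proc/<pid>/stat field 22. Legitimate system services do not
change their executable path while running, so a same-PID, same-start-time
process whose exe target moved is worth a closer look.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcSample:
    pid: int
    start_time: int   # process start time (clock ticks since boot)
    exe: str          # resolved target of /proc/<pid>/exe


def exe_path_churn(before, after):
    """Return (pid, old_exe, new_exe) for processes whose exe path changed
    without the process itself restarting."""
    earlier = {p.pid: p for p in before}
    hits = []
    for p in after:
        old = earlier.get(p.pid)
        if old is None:
            continue
        # Same PID but a different start time means the PID was reused by a
        # brand-new process, which is not churn of one long-lived process.
        if old.start_time != p.start_time:
            continue
        if old.exe != p.exe:
            hits.append((p.pid, old.exe, p.exe))
    return hits


# Constructed snapshots, roughly 15 minutes apart.
SNAPSHOT_T0 = [
    ProcSample(1, 10, "/usr/lib/systemd/systemd"),
    ProcSample(812, 4400, "/usr/sbin/sshd"),
    ProcSample(2231, 60310, "/tmp/.x/kworker"),
    ProcSample(2410, 61000, "/usr/bin/wget"),
]
SNAPSHOT_T1 = [
    ProcSample(1, 10, "/usr/lib/systemd/systemd"),
    ProcSample(812, 4400, "/usr/sbin/sshd"),
    ProcSample(2231, 60310, "/var/tmp/.cache/sysd"),   # moved: flagged
    ProcSample(2410, 62500, "/usr/bin/python3"),       # PID reuse: ignored
]

if __name__ == "__main__":
    for pid, old, new in exe_path_churn(SNAPSHOT_T0, SNAPSHOT_T1):
        print(f"pid {pid}: executable path changed {old} -> {new}")
```

On a real host, build the snapshots by reading `/proc/<pid>/exe` and `/proc/<pid>/stat` on a schedule shorter than the renaming interval.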
Claude finds teenage Apache bug
With Anthropic’s Mythos Preview model, we’ll likely see an explosion of fairly complex exploit chains using some very old bugs. But you don’t need to wait for Mythos access. Horizon3.ai published details on a remote code execution bug in Apache ActiveMQ Classic, effectively “hiding in plain sight” for the past 13 years. It allows an attacker to use ActiveMQ’s API to trigger a management operation that can fetch a remote config file and run OS commands. In some versions, no credentials are needed when it is chained with another API vulnerability, effectively turning it into unauthenticated remote code execution. The researchers mostly used Claude to find the flaw, which they said remained undiscovered because it spanned “multiple components developed independently over that time.” “AI finds vulnerability” might not be a headline in the near future, but this seemed like a good preview of what Mythos and other models are increasingly making commonplace.
NHS Scotland domains serving illicit content
Former cybersecurity engineer Nick Hatter discovered multiple domains operated by Scotland’s healthcare provider that served illicit content, mostly porn and illegal sports streams. These links appear to have been created back in January and were associated with The New Surgery facility in Kilmacolm. A spokesperson for NHS Greater Glasgow and Clyde said these compromised domains were for legacy sites administered by local general practitioners and showed no evidence of compromise to NHS systems. Hatter also found compromised primary domains for another GP in the Shetland Isles. It’s not clear how the domains were compromised, but Hatter believes a DNS attack or a compromised WordPress setup are the most likely causes.
Minnesota calls in the National Guard after cyberattack
Minnesota Governor Tim Walz sent in the National Guard to Winona County, citing a cyberattack that caused “significant disruptions.” The Guard will help ensure “vital municipal services continue without interruption.” Back on January 23rd, Winona County officials said they had suffered a ransomware attack, but Walz’s executive order this week does not say whether this week’s disruption is related to that earlier incident. County officials are working with the FBI and state IT Services to recover.