MSP cybersecurity news digest, March 14, 2025
March 21, 2025

IT supply chains targeted by Chinese cyber-espionage group Silk Typhoon, U.A.E. aviation sector suspected to have been attacked by Iranian-aligned threat actor, and more. Here are the latest threats to MSP security.

Author: Acronis Threat Research Unit

IT supply chains targeted by Chinese cyber-espionage group Silk Typhoon

Researchers report that the Chinese cyber-espionage group Silk Typhoon has shifted its focus to supply chain attacks, targeting remote management tools and cloud services to reach downstream customer networks. The group has breached multiple industries, including government, IT services, health care, defense, education, NGOs and energy, by exploiting unpatched applications to escalate privileges. It uses stolen API keys and compromised credentials taken from IT providers, identity management services and RMM solutions to move quietly into cloud environments. Previously known for exploiting zero-day vulnerabilities in edge devices, Silk Typhoon now relies on abusing cloud applications to steal data while erasing logs to minimize detection. The attackers scan public repositories like GitHub for leaked credentials and conduct password spray attacks to gain unauthorized access. Microsoft recently observed the group exploiting a zero-day vulnerability (CVE-2025-0282) in Ivanti Pulse Connect VPN to breach corporate networks.

Infostealers and cryptominers unleashed from Eastern Europe, targeting over 4,000 Chinese and U.S. ISPs

A large-scale cyberattack from Eastern Europe is targeting ISPs in China and on the U.S. West Coast to deploy infostealers and cryptominers on compromised systems. The threat actors brute-force weak credentials to gain access, then install malware that exfiltrates data, establishes persistence and disables security defenses.
The attackers rely on scripting languages like PowerShell and Python to execute commands stealthily, using API calls to Telegram for command-and-control (C2). Once inside, they drop binaries in a folder named "Migration," disable security features, and use tools like masscan.exe for network scanning. The malware also captures screenshots and harvests cryptocurrency wallet addresses from victims' clipboards, sending the stolen data to its C2 infrastructure. The operation is designed to minimize its footprint while maximizing the processing power available for cryptomining, blocking remote access and avoiding detection.

Sagerunex backdoor variants released by Chinese APT Lotus Panda target organizations in several Asian countries

The Chinese APT group Lotus Panda has been observed targeting the government, manufacturing, telecommunications and media sectors in the Philippines, Vietnam, Hong Kong and Taiwan with updated variants of the Sagerunex backdoor. Active since at least 2009 and also known as Billbug or Lotus Blossom, the group has a history of cyber espionage, having previously breached a digital certificate authority and government agencies across Asia. The latest campaign introduces two "beta" versions of Sagerunex, which abuse legitimate services like Dropbox, X and Zimbra as command-and-control (C2) channels to evade detection. The Zimbra variant, in particular, lets attackers issue commands directly through webmail content, with the output of executed commands stored in draft emails for exfiltration. Lotus Panda also deploys tools such as a Chrome cookie stealer, the Venom proxy tool and privilege escalation utilities to strengthen persistence and control over compromised systems. The group performs reconnaissance using system commands and adapts to network restrictions by using proxy settings or the Venom tool to maintain access.
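The ISP campaign two items up lists several host-level observables a defender can hunt for: binaries launched from a folder named "Migration", masscan.exe used for scanning, and PowerShell or Python processes reaching the Telegram API for C2. The script below is an added example (not code from Acronis or the digest) that runs simple rules over constructed endpoint telemetry and ranks hosts by how many distinct indicator types fire. The sample events, the host names and the Telegram Bot API host name (api.telegram.org, which the digest does not name) are assumptions made for the example.

```python
"""Rule-based triage of endpoint telemetry for the ISP campaign's indicators.

All events below are constructed for this example. The Telegram API host name
is an assumption: the digest only says the malware uses Telegram API calls.
"""
import json
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, object]

# Scripting hosts the digest says the attackers rely on (names are lower-cased).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "python.exe", "python3", "python"}
TELEGRAM_API_HOST = "api.telegram.org"  # assumption: Telegram Bot API endpoint

# Constructed sample telemetry, one JSON object per line, loosely modelled on
# EDR process-creation and network-connection events.
SAMPLE_EVENTS = r"""
{"host":"isp-edge-01","type":"process","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c whoami"}
{"host":"isp-edge-01","type":"process","image":"C:\\Users\\Public\\Migration\\svc.exe","cmdline":"svc.exe --quiet"}
{"host":"isp-edge-01","type":"process","image":"C:\\Users\\Public\\Migration\\masscan.exe","cmdline":"masscan.exe 10.0.0.0/8 -p22,3389"}
{"host":"isp-edge-01","type":"network","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","dest_host":"api.telegram.org","dest_port":443}
{"host":"isp-edge-02","type":"network","image":"C:\\Program Files\\Chat\\telegram.exe","dest_host":"api.telegram.org","dest_port":443}
{"host":"isp-edge-02","type":"process","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe"}
"""


def _basename(path: str) -> str:
    """Last path component, lower-cased, for Windows or POSIX style paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rule_migration_folder(ev: Event) -> Optional[str]:
    """Process image lives under a directory named 'Migration'."""
    if ev.get("type") != "process":
        return None
    norm = str(ev.get("image", "")).replace("\\", "/").lower()
    return "executable run from a 'Migration' folder" if "/migration/" in norm else None


def rule_masscan(ev: Event) -> Optional[str]:
    """masscan.exe executed, regardless of where it was dropped."""
    if ev.get("type") != "process":
        return None
    if _basename(str(ev.get("image", ""))) == "masscan.exe":
        return "masscan.exe network scanner executed"
    return None


def rule_script_host_to_telegram(ev: Event) -> Optional[str]:
    """A scripting host (not a chat client) connecting to the Telegram API."""
    if ev.get("type") != "network" or ev.get("dest_host") != TELEGRAM_API_HOST:
        return None
    if _basename(str(ev.get("image", ""))) in SCRIPT_HOSTS:
        return "scripting host connected to Telegram API (possible C2)"
    return None


RULES: List[Callable[[Event], Optional[str]]] = [
    rule_migration_folder,
    rule_masscan,
    rule_script_host_to_telegram,
]


def parse_events(text: str) -> List[Event]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events: List[Event]) -> Dict[str, List[str]]:
    """Map each host to the list of rule findings raised on its events."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                findings.setdefault(str(ev["host"]), []).append(msg)
    return findings


def rank_hosts(findings: Dict[str, List[str]]) -> List[Tuple[str, int]]:
    """Order hosts by number of distinct indicator types; several independent
    TTPs on one host is a stronger signal than one rule firing repeatedly."""
    scored = [(host, len(set(msgs))) for host, msgs in findings.items()]
    return sorted(scored, key=lambda hs: (-hs[1], hs[0]))


if __name__ == "__main__":
    result = triage(parse_events(SAMPLE_EVENTS))
    for host, score in rank_hosts(result):
        print(f"{host}: {score} distinct indicator types")
        for msg in result[host]:
            print("  -", msg)
```

The Telegram rule deliberately requires the connecting process to be a scripting host, so a legitimate desktop chat client on isp-edge-02 does not fire; in practice you would feed real process and network events into `triage` and treat a host with two or more distinct indicator types as a candidate for containment.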
Enterprises in Spanish-speaking South American regions hit after threat actor Dark Caracal deploys Poco RAT

Researchers have uncovered another campaign, dating back to 2024, that links the threat actor Dark Caracal to the deployment of Poco RAT against Spanish-speaking regions in Latin America. Poco RAT has espionage capabilities: it can upload files, capture screenshots, execute commands and manipulate system processes. First documented in July 2024 in phishing attacks against industries like mining and manufacturing, it was later connected to Dark Caracal by researchers, who noted similarities with the group's previous operations, such as the 2021 Bandidos cyber espionage campaign. In this campaign the attackers continue to use phishing emails with invoice-themed lures, leading victims to download malicious files from cloud services like Google Drive and Dropbox. Once installed, Poco RAT grants full remote access to compromised systems, enabling data theft and further malicious actions.

U.A.E. aviation sector suspected to have been attacked by Iranian-aligned threat actor

A suspected Iranian-aligned threat actor used a compromised Indian electronics company's email account to launch a targeted phishing campaign against fewer than five entities in the U.A.E. aviation and satellite communications sectors. The attackers, tracked as UNK_CraftyCamel, distributed a malicious ZIP file containing polyglot files that installed a custom Golang backdoor named Sosano. The phishing emails originated from a spoofed domain impersonating INDIC Electronics, a trusted business partner of the targets, making the attack highly deceptive. Once executed, the Sosano backdoor connected to a command-and-control (C2) server, allowing the attackers to execute commands, download additional payloads and manipulate system directories. Researchers found no direct overlap with existing threat actors but assess that the campaign is likely linked to an Iranian-aligned group, possibly affiliated with the IRGC.