Threat Intel Content Update: 6/3/2025

  • June 3, 2025

APT41, DragonForce Ransomware Group, Void Blizzard, Luna Moth

Threat Content Highlights

Threat Objects & Profiles

  • Added & updated many objects based on newsworthy CTI from the past week-plus. Highlights include:
     
    • TOUGHPROGRESS: Added a Campaign object & associated Software and updated the APT41 Group object (Chinese state-sponsored espionage actor). The group made headlines last week for an “innovative” attack leveraging Google Calendar events for its command & control activities.
      • The Campaign object is the focus for this week’s update to our “Trending & Emerging Threats” curated Threat Profile available by default for all clients.

    • DragonForce Ransomware Group: A group we highlighted in our May 6 update as a rising concern. Last week, incident responders reported a concerning incident in which DragonForce actors exploited vulnerabilities to compromise a tool managed by an MSP, then moved laterally and deployed ransomware on the firm’s clients’ systems.

    • Void Blizzard: Added a Group & TTPs around the newest documented Russian espionage APT, as recently reported by Microsoft & Dutch cyber officials.

    • Added a new Campaign, based largely on new Microsoft reporting, around an existing Turkey-based espionage group. This underscores our ongoing coverage beyond just the “big 4” adversarial cyber nations.

    • Luna Moth: Updated Group object after an FBI warning about a recent spree of attacks. Luna Moth is notorious for effectively leveraging “voice phishing” social engineering to gain network access, a vector that was the focus of our April 15 “Trending & Emerging Threats” update and flagged in that week’s email update.