
Intel Wrap – May 2025

June 10, 2025
Musa Nadir Sani

This month focuses on the Email Bombing and Vishing Combo being used by Threat Actors, the data breach of the Nigerian fintech platform Oxygenapp.co, the Threat Actor claiming to have access to CBN and CIBN web portals, and a campaign by cybercriminals using fake installers of popular AI tools to distribute malware to users.

Email Bombing and Vishing, The New Favored Tactic?

3AM joins a growing list of ransomware groups that have adopted a combination of email bombing and vishing as a primary initial-access vector. The combined tactic was first linked to the Black Basta ransomware group.

Summary

  • Researchers first observed an attack in Q1 2025 by 3AM affiliates where data was exfiltrated but the ransomware was not ultimately deployed.
  • The typical pattern involves flooding the target with unsolicited emails, followed by a vishing (voice/video) call via Microsoft Teams in which the attacker impersonates IT support and asks for remote access to "clean up" the problem.
  • 3AM actors conducted pre-attack reconnaissance, collecting employee email addresses and spoofing the internal IT department's phone number to make the vishing call more credible.
  • In one case, the victim received 24 unsolicited emails in three minutes, after which a spoofed IT call tricked them into granting remote access via Quick Assist, leading to deployment of the QDoor backdoor.
  • Although the ransomware execution was stopped, the attackers remained on the network for nine days, during which they stole data.
  • 3AM ransomware was first reported by Symantec in 2023 and is suspected to be a rebrand of BlackSuit/Royal ransomware, with ties to the former Conti group.
  • The rise of free and paid email bombing services has made it easier for attackers to flood inboxes, a trend now used to overwhelm and confuse victims.
  • Traditional email security systems struggle to flag these emails as malicious, and bulk blocking risks interfering with legitimate communications.
  • Organizations should focus on staff awareness training, clear protocols for how IT will (and will not) contact staff, strong password policies, and application control, including restricting remote-assistance tools such as Quick Assist where they are not needed, to mitigate social engineering and malware delivery attempts.
  • Read more about it here.
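The point in the bullets above is that the bombing emails are individually benign, so content filtering does not catch them; what stands out is the volume hitting one mailbox from many unrelated senders in a short window. The following is an added example, not code from the original post or from the 3AM research it summarizes: a sliding-window detector over a mail-gateway log. The log format (timestamp, recipient, sender per line), the 20-messages-in-3-minutes threshold and the sample data are all constructed assumptions; the sample reproduces the 24-messages-in-under-three-minutes pattern described above.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed mail-gateway log, one delivery per line: "<ISO timestamp> <recipient> <sender>".
# alice receives 24 messages from 24 unrelated senders inside two minutes
# (the pattern described in the 3AM case); bob receives ordinary traffic.
SAMPLE_LOG = "\n".join(
    [f"2025-05-06T09:00:{5 * i:02d} alice@example.org signup{i}@site{i}.example" for i in range(12)]
    + [f"2025-05-06T09:01:{5 * i:02d} alice@example.org signup{12 + i}@site{12 + i}.example" for i in range(12)]
    + ["2025-05-06T09:00:30 bob@example.org colleague@example.org",
       "2025-05-06T09:45:00 bob@example.org vendor@partner.example"]
)


def parse_line(line):
    ts, recipient, sender = line.split()
    return datetime.fromisoformat(ts), recipient, sender


def find_bursts(log_text, threshold=20, window=timedelta(minutes=3)):
    """Return {recipient: (count, distinct_senders, window_start)} for every
    recipient who received at least `threshold` messages within `window`.
    The peak window per recipient is reported. Sender diversity is included
    because a bombing run comes from many unrelated sources, unlike a busy
    mailing list or a ticketing system that also generates bursts."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)  # recipient -> (ts, sender) pairs inside the current window
    peaks = {}
    for ts, recipient, sender in events:
        q = recent[recipient]
        q.append((ts, sender))
        # drop deliveries that have fallen out of the window
        while ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and len(q) > peaks.get(recipient, (0,))[0]:
            senders = {s for _, s in q}
            peaks[recipient] = (len(q), len(senders), q[0][0])
    return peaks


if __name__ == "__main__":
    for recipient, (count, senders, start) in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT {recipient}: {count} messages from {senders} senders starting {start:%H:%M:%S}")
```

An alert on a mailbox from this rule is a cue for the SOC to warn that user (and the help desk) that an unexpected "IT support" Teams call may follow, which is the step that actually does the damage; blocking the emails themselves is of limited value, as the post notes.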

Oxygenapp.co Suffers Major Data Breach

Oxygenapp.co has become the latest victim of a data breach that exposed records of thousands of its customers.

Summary

  • A threat actor named el_farado published sensitive data allegedly stolen from Oxygenapp.co on a dark web forum on June 2, 2025.
  • The leak includes over 47,000 account records, 23,000 buyer records, 11,000 customer profiles, and 9,000 borrower entries, along with an 11MB financial CSV file.
  • The exposed files appear well-organized (e.g., accounts.csv, buyers.csv, helppo_pay_requests.csv), making them easily usable for bulk exploitation.
  • The dump contains highly sensitive KYC materials such as ID photos, videos, NIN slips, and proof of address, creating significant risks of identity theft and financial fraud.
  • To reduce the impact of this kind of breach, we recommend the following steps:
    ◦ Encrypt sensitive data at rest and in transit, and store KYC artefacts (ID images, videos, NIN slips, proof of address) separately from transactional data with tightly scoped access.
    ◦ Proactively monitor endpoints and networks with IDS and EDR tooling.
    ◦ Limit data collection and retention to only what is necessary; KYC material that no longer has to be held cannot be leaked.
    ◦ Enforce access control policies and audit internal systems regularly.
    ◦ Enforce MFA, at a minimum on administrative, database and back-office accounts.
  • Read more about it here.

Threat Actor Claims Access to CBN and CIBN Portals

A hacker using the alias icikevin claims to have breached the databases of the Central Bank of Nigeria (CBN) and the Chartered Institute of Bankers of Nigeria (CIBN), offering access for sale on a dark web forum for $2,500.

Summary

  • The actor states they exploited a SQL injection vulnerability in the CBN and CIBN portals using sqlmap, an automated SQL injection tool, to enumerate and access the backend databases.
  • The compromised databases reportedly include cbn, cibndb, cibnset, and msdb. They may contain sensitive financial and institutional data critical to Nigeria’s banking infrastructure. The presence of msdb, a Microsoft SQL Server system database, suggests the injection point reached beyond the application's own schema.
  • To mitigate SQL injection risk, we recommend that organizations immediately assess and fix any discovered injection flaws, replace string-built queries with parameterized queries (prepared statements) and validate input as a second layer, deploy a web application firewall as a stopgap while code is fixed, run the application's database account with least privilege so that one injectable query cannot enumerate other databases, and notify affected parties and regulators if a breach is suspected.
  • Read more about it here.
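The claim above is that an automated tool enumerated databases and pulled data through a single injectable parameter. The following is an added example, not code from the original post and not related to the CBN or CIBN systems: a directory lookup written both with string concatenation and with a bound parameter, run against a constructed in-memory SQLite database. The table names, rows and payloads are assumptions made up for the demonstration; the UNION-based payloads are the kind of query an automated injection tool tries, first against the schema catalogue (sqlite_master here, standing in for information_schema or sys.databases on a production server) and then against a table the application never exposes.

```python
import sqlite3

# Constructed schema: a public member directory plus a table that must never be reachable
# through the directory lookup.
SCHEMA = """
CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, email TEXT, is_public INTEGER);
INSERT INTO members VALUES (1, 'Ada Public',  'ada@example.org',  1);
INSERT INTO members VALUES (2, 'Bola Hidden', 'bola@example.org', 0);
CREATE TABLE staff_credentials (username TEXT, password_hash TEXT);
INSERT INTO staff_credentials VALUES ('portal_admin', '$2b$12$constructedhashvalue');
"""


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, member_id):
    """Directory lookup with the request parameter concatenated into the query.
    Anything after the number is executed as SQL, including the tail of a UNION."""
    sql = f"SELECT name, email FROM members WHERE is_public = 1 AND id = {member_id}"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, member_id):
    """Same lookup with a bound parameter: the value is data, never SQL."""
    sql = "SELECT name, email FROM members WHERE is_public = 1 AND id = ?"
    return conn.execute(sql, (member_id,)).fetchall()


# Constructed payloads: enumerate the schema, then dump a table the page never meant to expose.
ENUMERATE_TABLES = "0 UNION SELECT name, sql FROM sqlite_master WHERE type = 'table'"
DUMP_CREDENTIALS = "0 UNION SELECT username, password_hash FROM staff_credentials"


def demo():
    conn = build_db()
    return {
        "vulnerable_tables": [row[0] for row in lookup_vulnerable(conn, ENUMERATE_TABLES)],
        "vulnerable_creds": lookup_vulnerable(conn, DUMP_CREDENTIALS),
        "safe_tables": lookup_safe(conn, ENUMERATE_TABLES),   # no rows: payload is just a string
        "safe_creds": lookup_safe(conn, DUMP_CREDENTIALS),
        "safe_normal": lookup_safe(conn, 1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats a practitioner would add. Parameter binding protects values only; table or column names that come from the request still need an allowlist. And binding does nothing about what the database account is allowed to see, which is why the msdb entry in the actor's list matters: if the web application's login can read system databases, one injectable query enumerates everything it can reach, so the account should be restricted to the application's own schema.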


New Campaign Sees Cybercriminals Target AI Users with Malware-Loaded Fake Installers

Threat actors are distributing fake installers for AI tools like OpenAI ChatGPT and InVideo AI to spread ransomware and destructive malware, including CyberLock, Lucky_Gh0$t, and Numero.

Summary

  • CyberLock, a PowerShell-based ransomware, encrypts files on the C:, D:, and E: drives, demands $50,000 in Monero, and runs cipher.exe /w to overwrite free disk space, hindering recovery of deleted files.
  • Lucky_Gh0$t is a variant of the Yashma/Chaos ransomware family, spread via malicious SFX installers posing as ChatGPT tools; it targets files smaller than 1.2GB and deletes shadow copies and backups.
  • Numero, by contrast, is a C++-based destructive malware that corrupts Windows GUI elements while a batch and VBS script pair keeps relaunching it in an endless loop, rendering the system unusable.
  • The campaign focuses on B2B sales and marketing professionals, leveraging their interest in AI tools to propagate malicious downloads.
  • A known fake website, novaleadsai[.]com, promotes a counterfeit NovaLeads tool using SEO poisoning and delivers ransomware via a .NET loader (NovaLeadsAI.exe).
  • Similar malvertising campaigns have been observed in the past using Facebook and LinkedIn ads to drive users to cloned websites of AI tools such as Luma AI, Canva Dream Lab, and Kling AI.
  • Victims of those campaigns download STARKVEIL, a Rust-based dropper that delivers three malware families: GRIMPULL (Tor downloader), FROSTRIFT (data-stealing .NET backdoor), and XWorm (RAT with keylogging, screen capture, and more).
  • STARKVEIL also drops COILHATCH, a Python-based dropper that side-loads malicious DLLs to establish persistence and evade defenses through a modular architecture.
  • These campaigns highlight the growing exploitation of AI’s popularity in cyberattacks. AI tools are now a mass-market lure, not limited to tech or creative professionals.
  • Read more about it here.
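Several of the behaviours listed above (cipher.exe /w wiping free space, shadow-copy deletion, a script loop relaunching itself, an "installer" from a download folder spawning PowerShell) are visible in process-creation telemetry regardless of which fake AI installer delivered them. The following is an added example, not code from the original post or from the Talos or Mandiant research it summarizes: a few detection rules run over constructed process-creation events in a simplified Sysmon Event ID 1 shape. The field names, file paths, command lines, rule names and thresholds are assumptions; the vssadmin and wmic shadow-copy commands are common ransomware techniques used here to illustrate the "deletes shadow copies" bullet, not commands the post attributes to Lucky_Gh0$t.

```python
import re
from collections import defaultdict

# Constructed process-creation events (simplified Sysmon Event ID 1 fields).
# Timestamps are seconds; paths and command lines are made up for the example.
EVENTS = [
    {"ts": 0, "image": r"C:\Users\sam\Downloads\ChatGPT-Setup.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "ChatGPT-Setup.exe"},
    {"ts": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\sam\Downloads\ChatGPT-Setup.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -File stage.ps1"},
    {"ts": 90, "image": r"C:\Windows\System32\cipher.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "cipher.exe /w:C:\\"},
    {"ts": 95, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    # benign: a user encrypting a folder with cipher (no /w wipe switch) must not fire
    {"ts": 120, "image": r"C:\Windows\System32\cipher.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "cipher.exe /e C:\\Users\\sam\\docs"},
]
# a batch/VBS loop: wscript.exe relaunching cmd.exe once a second
EVENTS += [
    {"ts": 200 + i, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wscript.exe", "cmdline": "cmd.exe /c loop.bat"}
    for i in range(8)
]

# Command-line rules: free-space wiping (CyberLock) and shadow-copy deletion.
CMDLINE_RULES = [
    ("cipher_wipe_free_space", re.compile(r"\bcipher(\.exe)?\s+/w\b", re.I)),
    ("shadow_copy_deletion", re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
]
EVASIVE_POWERSHELL = re.compile(r"-(ep|executionpolicy)\s+bypass|-w(indowstyle)?\s+hidden", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events, loop_threshold=5, loop_window=10):
    """Return [(rule_name, ts)] for every event or sequence that matches a rule."""
    hits = []
    for e in events:
        for name, rx in CMDLINE_RULES:
            if rx.search(e["cmdline"]):
                hits.append((name, e["ts"]))
        # an executable sitting in a user's Downloads folder spawning hidden PowerShell
        if (_basename(e["image"]) == "powershell.exe"
                and "\\downloads\\" in e["parent"].lower()
                and EVASIVE_POWERSHELL.search(e["cmdline"])):
            hits.append(("downloaded_installer_spawns_hidden_powershell", e["ts"]))

    # a script host relaunching cmd.exe in a tight loop (Numero's batch/VBS loop)
    spawns = defaultdict(list)
    for e in events:
        if _basename(e["parent"]) in ("wscript.exe", "cscript.exe") and _basename(e["image"]) == "cmd.exe":
            spawns[e["parent"]].append(e["ts"])
    for parent, times in spawns.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= loop_window:
                j += 1
            if j - i >= loop_threshold:   # enough relaunches inside one window: report once
                hits.append(("script_host_cmd_loop", times[i]))
                break
    return hits


if __name__ == "__main__":
    for rule, ts in detect(EVENTS):
        print(f"t={ts:>4}s  {rule}")
```

The first three rules are single-event matches that map directly to the behaviours in the bullets; the loop rule is a sequence rule, because one wscript-to-cmd spawn is normal on many desktops and only the repetition is suspicious. In production the equivalent logic lives in the EDR or SIEM query language, but the thresholds and the benign case (cipher.exe /e) are the parts worth testing before deploying it.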
