At a glance.
- Law enforcement efforts disrupt malware operations.
- PowerSchool hacker will plead guilty to extortion attempt.
- Marks & Spencer expects to lose over $400 million due to cyberattack.
- UK’s Ministry of Justice discloses major breach.
- Western intelligence agencies warn of APT28 espionage campaign.
- President Trump signs the Take It Down Act into law.
Law enforcement efforts disrupt malware operations.
An international law enforcement operation coordinated by Europol and Eurojust has dismantled infrastructure used by popular initial access malware strains. The operation targeted Qakbot, Trickbot, Bumblebee, Latrodectus, HijackLoader, DanaBot, and Warmcookie. Europol notes that these malware strains are frequently used to stage ransomware: "From 19 to 22 May, authorities took down some 300 servers worldwide, neutralised 650 domains, and issued international arrest warrants against 20 targets, dealing a direct blow to the ransomware kill chain."
Additionally, the US Justice Department has indicted a 48-year-old Russian national, Rustam Rafailevich Gallyamov, as the alleged leader of a group of criminals who developed and deployed the Qakbot malware. The DOJ has also filed a civil forfeiture complaint against over $24 million in cryptocurrency seized from Gallyamov.
Separately, law enforcement agencies in the US, Europe, and Japan disrupted the Lumma Stealer malware operation, seizing the infostealer's infrastructure, domains, and marketplaces. Microsoft, which assisted in the takedown, stated, "Between March 16, 2025, and May 16, 2025, Microsoft identified over 394,000 Windows computers globally infected by the Lumma malware. Working with law enforcement and industry partners, we have severed communications between the malicious tool and victims. Moreover, more than 1,300 domains seized by or transferred to Microsoft, including 300 domains actioned by law enforcement with the support of Europol, will be redirected to Microsoft sinkholes."
PowerSchool hacker will plead guilty to extortion attempt.
A 19-year-old from Massachusetts named Matthew D. Lane has agreed to plead guilty to his involvement in hacking education software provider PowerSchool late last year, BleepingComputer reports. Lane, who attends college at Assumption University in Worcester, will plead guilty to one count each of cyber extortion conspiracy, cyber extortion, unauthorized access to protected computers, and aggravated identity theft.
The Justice Department says Lane and his co-conspirators hacked a telecommunications company and "a software and cloud storage company that served school systems," and attempted to extort both companies. The DoJ didn't name the victims, but BleepingComputer cites sources as saying the latter entity was PowerSchool. The attackers threatened to leak sensitive personal data belonging to 60 million students and 10 million teachers if the company didn't pay approximately $2.85 million in Bitcoin. PowerSchool did pay a ransom, but the threat actors apparently kept a copy of the data and are now trying to extort individual school districts.
CyberScoop cites a source as saying Lane was affiliated with the ShinyHunters cybercriminal group.
Marks & Spencer expects to lose over $400 million due to cyberattack.
British retailer Marks & Spencer (M&S) expects the cyberattack the company sustained last month to cause losses of around £300 million ($402 million), nearly one-third of the company's annual profits, CNBC reports. The retailer doesn't expect to fully recover from the incident until July.
M&S's CEO Stuart Machin disclosed that the hackers gained access through a third-party contractor, stating, "Unable to get into our systems by breaking through our digital defences, the attackers did try another route resorting to social engineering and entering through a third party rather than a system weakness." Reuters cites a source as saying this contractor was Tata Consulting Services, which M&S uses for helpdesk support.
BleepingComputer says the incident was a ransomware attack in which "threat actors used a DragonForce encryptor to encrypt virtual machines on VMware ESXi hosts."
UK’s Ministry of Justice discloses major breach.
The UK's Ministry of Justice has disclosed a "significant" breach affecting Legal Aid's online system, with hackers stealing "a significant amount of personal data" belonging to individuals who applied through the service since 2010. The stolen data "may have included contact details and addresses of applicants, their dates of birth, national ID numbers, criminal history, employment status, and financial data such as contribution amounts, debts, and payments."
The BBC notes that the breach "covers all areas of the aid system - including domestic abuse victims, those in family cases and others facing criminal prosecution."
According to the Guardian, British authorities believe the hack was carried out by a criminal gang, not a state-sponsored actor.
Western intelligence agencies warn of APT28 espionage campaign.
Numerous intelligence agencies from the US, Europe, Australia, and Canada have issued a joint advisory outlining a Russian cyberespionage campaign targeting Western logistics entities and IT companies, including "those involved in the coordination, transport, and delivery of foreign assistance to Ukraine." The agencies attribute the campaign to the Russian GRU's 85th Main Special Service Center, military unit 26165, commonly known as "APT28" or "Fancy Bear." The advisory notes that the campaign is "likely connected to these actors’ wide-scale targeting of IP cameras in Ukraine and bordering NATO nations." The threat actor is using password spraying, spearphishing, and modification of Microsoft Exchange mailbox permissions to gain access to targeted entities.
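Password spraying, the first of the access techniques the advisory names, leaves a recognisable footprint in authentication logs: one source failing against many different accounts in a short window, as opposed to a brute-force attempt that hammers a single account. The script below is an added illustration of that detection logic, not code from the advisory or from any of the agencies; the log line format and every host, address and username in it are constructed for the example. It separates the spray pattern from a single-account brute force and additionally flags a successful logon from the spraying source against one of the sprayed accounts, which is the event a responder most needs to see.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format, not a real product's).
# 203.0.113.7 fails against six distinct accounts in ten seconds, then logs in as "frank".
# 198.51.100.9 fails four times against one account (brute force, not a spray).
# 192.0.2.5 is a user who mistyped a password once and then succeeded.
SAMPLE_LOGS = """\
2025-05-20T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2025-05-20T10:00:03Z src=203.0.113.7 user=bob result=FAIL
2025-05-20T10:00:05Z src=203.0.113.7 user=carol result=FAIL
2025-05-20T10:00:07Z src=203.0.113.7 user=dave result=FAIL
2025-05-20T10:00:09Z src=203.0.113.7 user=erin result=FAIL
2025-05-20T10:00:11Z src=203.0.113.7 user=frank result=FAIL
2025-05-20T10:00:40Z src=203.0.113.7 user=frank result=SUCCESS
2025-05-20T10:01:00Z src=198.51.100.9 user=svc_backup result=FAIL
2025-05-20T10:01:02Z src=198.51.100.9 user=svc_backup result=FAIL
2025-05-20T10:01:04Z src=198.51.100.9 user=svc_backup result=FAIL
2025-05-20T10:01:06Z src=198.51.100.9 user=svc_backup result=FAIL
2025-05-20T10:02:00Z src=192.0.2.5 user=alice result=FAIL
2025-05-20T10:02:10Z src=192.0.2.5 user=alice result=SUCCESS
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # fromisoformat on older Pythons does not accept a trailing 'Z', so normalise it.
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def detect_password_spray(lines, min_users=5, window=timedelta(minutes=10)):
    """Return {source: {"users": [...], "success_after": [...]}} for sources whose
    failed logons touch at least `min_users` distinct accounts inside `window`.

    "success_after" lists sprayed accounts that the same source later logged into
    successfully; those are the accounts to treat as compromised first.
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if e["result"] == "FAIL"]
        sprayed = set()
        first_spray_ts = None
        start = 0
        # Sliding window over the failures: count distinct accounts per window.
        for i, ev in enumerate(fails):
            while ev["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {f["user"] for f in fails[start : i + 1]}
            if len(users) >= min_users:
                sprayed |= users
                if first_spray_ts is None:
                    first_spray_ts = fails[start]["ts"]
        if not sprayed:
            continue  # single-account brute force or ordinary typos: not a spray
        success_after = {
            e["user"]
            for e in events
            if e["result"] == "SUCCESS"
            and e["user"] in sprayed
            and e["ts"] >= first_spray_ts
        }
        alerts[src] = {
            "users": sorted(sprayed),
            "success_after": sorted(success_after),
        }
    return alerts


if __name__ == "__main__":
    for src, info in detect_password_spray(SAMPLE_LOGS.splitlines()).items():
        print(f"spray from {src}: {len(info['users'])} accounts; "
              f"successful logons after spray: {info['success_after'] or 'none'}")
```

The thresholds are deliberately exposed as parameters: a `min_users` of five in ten minutes is a reasonable starting point for an internal directory, but a public-facing mail gateway may need a higher bar or a per-source baseline to keep the alert volume manageable.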
President Trump signs the Take It Down Act into law.
President Trump yesterday signed the Take It Down Act, which criminalizes the distribution of nonconsensual intimate images (NCII), including AI deepfakes and revenge porn. Offenders could face up to three years in prison, plus fines. The law also requires social media companies to set up processes to remove NCII within 48 hours of being alerted.
The bill unanimously cleared the Senate in February and passed the House 409–2 in April. POLITICO notes that many industry and victim advocate groups support the bill, though some digital rights organizations worry the law could be misused for censorship.