MOXFIVE Monthly Insights - May 2025
In this newsletter, we share the latest threat insights and recommendations from the MOXFIVE team. Click button below to subscribe if not already on the MOXFIVE mailing list.

May Highlights

Ransomware activity was lower than usual throughout May 2025 likely due to threat actors still adjusting to the operational disruption caused by RansomHub’s disappearance in April. Qilin and Play were the most active variants this month, with increased volume likely tied to shifting affiliate activity.

This report also highlights the exploitation of critical vulnerabilities in SAP NetWeaver and Ivanti EPMM, both of which have been actively exploited by threat actors. The featured case study examines how threat actors use living off the land (LOTL) techniques to evade detection and escalate access post-compromise. The Resilience Spotlight outlines key controls for identifying and disrupting this behavior through behavioral monitoring and credential auditing.

Phishing emails, VPN vulnerabilities, lack of Multifactor Authentication (MFA), software flaws, drive-by downloads, and social engineering remain the most frequently observed initial access points for ransomware attacks.

• SAP NetWeaver Remote Code Execution Vulnerability (CVE-2025-31324): This critical vulnerability in SAP’s Visual Composer component allows unauthenticated attackers to upload malicious files and gain remote code execution. Actively exploited by ransomware groups including Qilin, BianLian, and RansomEXX throughout May, the vulnerability has been used to compromise SAP NetWeaver systems globally. SAP issued a patch in April, but unpatched systems continued to be targeted in May.
  
• Ivanti EPMM Exploit Chain (CVE-2025-4427 & CVE-2025-4428): These two vulnerabilities, affecting Ivanti Endpoint Manager Mobile, were chained together by threat actors to bypass authentication and execute code remotely. Exploitation has been attributed to a China-nexus espionage group, with observed activities including unauthorized access and data exfiltration from exposed Ivanti servers. Ivanti released patches in early May to mitigate both vulnerabilities.

Ransomware activity levels remained relatively low throughout May 2025, likely due to threat actors still transitioning away from RansomHub following its disappearance in April. Qilin’s elevated volume may be tied to this shift, as the operators offer a similar payment structure that could appeal to former RansomHub affiliates.

• Play ransomware was the most active variant seen in May. Threat actors using Play often gain access by exploiting vulnerabilities in exposed services and domain controllers before moving laterally and deploying ransomware.
  ‍
• Qilin, also known as Agenda, is a Ransomware-as-a-Service (RaaS) group active since 2022. Affiliates use tailored payloads for Windows and Linux environments, with operators offering generous commissions, reportedly as high as 85%, to attract experienced partners.
  ‍
• Akira, SafePay, and Inc. followed as the next most active variants. While their activity trailed the top groups, each maintained a steady presence and remains active in ongoing campaigns.

Figure 1: Top ransomware variants based on number of known victims.

For a deeper look into these groups, MOXFIVE has published Threat Actor Spotlights on Qilin and Akira.

Manufacturing & Production remained the most impacted industry in May based on observed ransomware leak site activity. Construction & Engineering followed as the second most targeted, with both sectors frequently affected across multiple ransomware variants due to their operational dependencies and sensitivity to disruption.

Technology, Healthcare, and Education also ranked among the top targeted industries, reflecting the continued spread of ransomware across critical services, infrastructure, and institutions.

Figure 2: Top industries impacted by ransomware this month.

‍These rankings are based on observed ransomware data leak
site (DLS) activity for impacted organizations in the United States.

Living off the Land
Advanced threat actors often rely on “living off the land” (LOTL) techniques to persist within compromised environments, evade detection, and escalate access. Rather than deploying malware, they abuse legitimate tools and cloud-native features already present in the environment to blend in with normal activity.

One group known for using these tactics is Scattered Spider, which has demonstrated the use of native tooling to support lateral movement, persistence, and data staging all while evading traditional detection.

LOTL techniques are commonly observed during ransomware investigations, particularly in the post-compromise phase when threat actors begin expanding access and preparing data for exfiltration. MOXFIVE has observed the following LOTL behaviors across recent cases:

• PowerShell and WMI used for remote command execution, system reconnaissance, and lateral movement.
• Mounting domain controller virtual machines as a data drive to another virtual machine to copy off the Active Directory credential database (NTDS.DIT).
• Scheduled tasks to establish persistence under the guise of routine system operations.
• Tunneling utilities (e.g., SSH, Chisel) to maintain outbound access and bypass network segmentation.
• RVTools and similar inventory tools to collect metadata from virtual infrastructure.
• Extraction of credentials from browser-based password managers and cloud key vaults to support privilege escalation.
  
• Cloud-native scripting and automation (e.g., Azure runbooks, AWS SSM) used to execute tasks from within trusted platforms.

Detecting & Disrupting LOTL Activity
Living off the land techniques often evade traditional detection methods by leveraging legitimate tools and processes. Detecting and disrupting this activity requires greater behavioral visibility and monitoring of native tool usage. The following controls can help improve detection and limit post-compromise escalation:

• Establish Baselines for Native Tools: Monitor usage of PowerShell, WMI, and scheduled tasks. Flag activity that deviates from expected behavior, especially when initiated by non-administrative users.
• Audit Credential Access: Track access to browser-based password managers, cloud key vaults, and PAM solutions. Alert on unusual credential reads, exports, or access from unexpected accounts.
• Restrict Tunneling Utilities: Limit which binaries (e.g., PowerShell, curl, certutil) are permitted to initiate outbound connections. Block or closely monitor tunneling tools such as Chisel and ngrok.
• Centralize Telemetry Across Domains: Aggregate logs from endpoints, identity platforms, and cloud infrastructure. Use behavioral analytics to surface activity that may be missed by traditional signature-based tools.
• Harden Cloud Automation Services: Apply least privilege to cloud-native scripting tools like AWS Systems Manager and Azure Automation. Restrict execution rights to known, trusted accounts only.

Improving visibility into legitimate tool usage and tightening control over credential access and automation pathways can help reduce dwell time and disrupt post-access activity before it escalates.

Need Help Now? Whether you need help responding to an incident or are just trying to better prepare for one, we can help. Contact us at 833-568-6695 or email our team directly at incident@moxfive.com.