Contents

01. News Bites
  • North Korean IT workers expand operations across Europe

  • Apple issues urgent fix for three exploited zero-days

  • Russian Railways hit by DDoS attack, Ukrzaliznytsia recovers from outage

  • CISA warns of new Ivanti malware variant Resurge

  • Critical flaws in popular WordPress plugin put 20,000+ sites at risk

02. Conclusion

Quick News Bites

North Korean IT workers expand operations across Europe

North Korea’s covert IT workforce, often called “IT warriors,” is increasingly targeting companies in Europe after facing sanctions in the United States. According to Google’s Threat Intelligence Group (GTIG), workers linked to the DPRK regime are fraudulently securing remote jobs in countries like Germany, Portugal, and the UK by posing as freelancers from other nations.

Using fake or stolen identities from places including Italy, Japan, Ukraine, and the US, these individuals apply via platforms such as Upwork and Freelancer. Payments are laundered through cryptocurrency and services like Payoneer and Wise.

GTIG linked some of these operatives to roles in AI, blockchain, CMS development, and even defence-related projects. The UK's Office of Financial Sanctions Implementation has warned that hiring such individuals could breach sanctions.

The US has indicted several involved in these schemes and warned of extortion risks, with fired workers threatening to leak stolen data. Authorities worldwide are urging vigilance.

Apple issues urgent fix for three exploited zero-days

Apple has released emergency updates to patch three actively exploited zero-day vulnerabilities—CVE-2025-24200, CVE-2025-24201, and CVE-2025-24085—affecting iPhones, iPads, Macs, and other Apple devices. Users are urged to update immediately.

CVE-2025-24200 allows attackers with physical access to bypass USB Restricted Mode on locked devices, a key protection against forensic tools. This flaw was discovered by Citizen Lab and linked to a highly targeted attack.

CVE-2025-24201 affects Safari’s WebKit engine and could let malicious web content escape the browser sandbox. It appears to be a supplementary fix for earlier attacks blocked in iOS 17.2.

CVE-2025-24085 is a CoreMedia flaw enabling privilege escalation via malicious apps, also tied to attacks on older iOS versions.

Apple has issued patches across all platforms, including iOS, macOS, watchOS, and tvOS. Users are advised to update immediately, avoid unknown apps, and consider enabling Lockdown Mode for extra protection.

Russian Railways hit by DDoS attack, Ukrzaliznytsia recovers from outage

Following last week’s cyber attack on Ukraine’s railways, this week Russian Railways, the state-owned rail company, confirmed that it was hit by a massive DDoS attack that disrupted its website and mobile app, leaving users unable to access online ticketing services. The company assured the public that ticket sales at stations and terminals remain fully operational.

According to reports, the cyberattack caused widespread outages, with the mobile app freezing. No further details about the perpetrators or impact have been disclosed at this time.

The news follows recent issues with Ukraine’s Ukrzaliznytsia, which suffered a technical failure on March 23 that temporarily halted online ticket sales and service access. By March 27, normal service had resumed. The Ukrainian operator clarified that it does not store passenger or military cargo data, reducing concerns about potential data leaks.

As of March 30, Ukrzaliznytsia has restored additional services, including online display boards at major stations and discounted ticket options for passengers with disabilities.

CISA warns of new Ivanti malware variant Resurge

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a new malware strain named Resurge, actively exploiting CVE-2025-0282—a critical stack buffer overflow flaw in Ivanti Connect Secure appliances. First disclosed in January, the vulnerability was linked to a China-based espionage group, UNC5337.

Resurge shares traits with the Spawn malware family, previously deployed in other Ivanti attacks, but shows more advanced capabilities, including manipulating integrity checks and surviving system reboots. It can plant web shells, steal credentials, create new accounts, and tamper with boot images.

CISA discovered Resurge on a critical infrastructure organisation’s compromised device, alongside another variant, SpawnSloth, which hides activity by altering logs.

With nearly 400 organisations already compromised, CISA urges immediate action—recommending factory resets with clean images to ensure remediation. Ivanti has advised all customers to patch promptly and follow its guidance to mitigate risk and restore device integrity.

Critical flaws in popular WordPress plugin put 20,000+ sites at risk

Security researchers have uncovered two high-risk vulnerabilities in the WP Ultimate CSV Importer plugin, affecting over 20,000 WordPress websites. The flaws allow authenticated users with at least subscriber-level access to upload arbitrary files and delete critical ones—potentially leading to complete site takeover.

Tracked as CVE-2025-2008 and CVE-2025-2007, the vulnerabilities affect plugin versions up to 7.19. One is an arbitrary file upload flaw (CVSS 8.8), letting attackers upload malicious PHP files and execute remote code. The other is a file deletion bug (CVSS 8.1) that can wipe wp-config.php, forcing a site reset and enabling hijack of the setup process.

The issues were responsibly disclosed to the developer, Smackcoders, which issued a patch (v7.19.1) on 25 March. All WordPress users running the plugin are urged to update immediately, given the critical impact of these flaws and the ease with which attackers could exploit them.
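The two bug classes above, an upload that accepts files a low-privilege user should never be able to place under the web root, and a deletion that can reach wp-config.php, are both failures of input and authorisation checks. The following is an added illustration, written for this bulletin and not code from the plugin or from Smackcoders, of the checks a defender would expect an importer to enforce: the role allow-list, extension allow-list, protected file names and the uploads path are all constructed for the example.

```python
from pathlib import Path
from typing import Optional

# Constructed policy values for this example; a real importer would tune them.
ALLOWED_ROLES = {"administrator"}                  # subscriber-level users never reach the importer
ALLOWED_EXTENSIONS = {".csv", ".xml", ".zip"}      # what an importer legitimately consumes
EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".phar", ".php5", ".phps"}
PROTECTED_FILES = {"wp-config.php", ".htaccess"}   # deleting these lets an attacker re-run setup


def is_upload_allowed(filename: str, content: bytes, user_role: str) -> bool:
    """Return True only if the file may be written under the uploads directory."""
    # 1. Authorisation: an importer is an administrative tool, not a subscriber feature.
    if user_role not in ALLOWED_ROLES:
        return False
    # 2. Drop any directory component the client sent ("../x.php" -> "x.php").
    name = Path(filename).name
    if not name or name.startswith("."):
        return False
    suffixes = [s.lower() for s in Path(name).suffixes]
    if not suffixes:
        return False
    # 3. Block executable extensions anywhere in the name, so "shell.php.csv"
    #    cannot be served as PHP by a server that matches any of the extensions.
    if any(s in EXECUTABLE_EXTENSIONS for s in suffixes):
        return False
    # 4. The final extension must be on the allow-list.
    ext = suffixes[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False
    # 5. Cheap content sanity check: ZIP archives start with "PK"; CSV/XML must
    #    be valid text. This rejects binary blobs mislabelled as text; it does not
    #    detect code, which is why the extension checks above are the real control.
    if ext == ".zip":
        return content[:2] == b"PK"
    try:
        content.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def resolve_deletable(uploads_root: str, requested: str) -> Optional[Path]:
    """Map a user-supplied relative path to an absolute path inside uploads_root,
    or return None if it escapes that directory or names a protected file."""
    root = Path(uploads_root).resolve()
    # An absolute `requested` replaces `root` in the join, so it fails the
    # containment check below just like "../../" traversal does.
    target = (root / requested).resolve()
    if root not in target.parents:
        return None
    if target.name in PROTECTED_FILES:
        return None
    return target


if __name__ == "__main__":
    # Constructed inputs: one legitimate import and the two abuse patterns.
    root = "/srv/example-site/wp-content/uploads"   # assumed uploads directory
    print(is_upload_allowed("products.csv", b"id,name\n1,widget\n", "administrator"))  # True
    print(is_upload_allowed("shell.php.csv", b"<?php echo 1; ?>", "administrator"))     # False
    print(resolve_deletable(root, "imports/old.csv"))                                    # path under root
    print(resolve_deletable(root, "../../wp-config.php"))                                # None
```

The deletion helper deliberately checks containment on the resolved path rather than on the string, so encoded traversal and symlinked directories are handled the same way; the protected-name check is a second layer in case a protected file is ever placed inside the uploads tree itself.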

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.