Monthly Threat Brief: March 2025
Welcome to the March 2025 edition of the ConnectWise Cyber Research Unit™ (CRU) Monthly Threat Brief. This report provides a comprehensive look at the most significant cybersecurity developments impacting the MSP and SMB landscape. We break down the month’s top stories, critical vulnerabilities, and prevalent malware families to help you stay informed and prepared in an evolving threat environment.
From emerging ransomware trends to zero-day exploits and the latest in stealer malware, our analysis highlights what matters most and what to watch in the months ahead.
Top stories for March 2025
Emerging ransomware tactics: Black Basta and Cactus Groups
Recent intelligence shows that ransomware groups Black Basta and Cactus are adapting their techniques to maintain access and evade detection more effectively. Black Basta, which has been active since 2022, has moved away from relying on malware, such as QakBot, due to its disruption by law enforcement. They now use BackConnect (BC), a remote access proxy tool that provides persistent command execution and data exfiltration capabilities. Cactus, a ransomware group first seen in 2023, is also using BackConnect in a similar manner, raising concerns about potential collaboration or shared tooling between the two groups.
Both groups are using social engineering to bypass technical defenses. A common tactic involves overwhelming targets with email bombing, followed by impersonation of IT personnel via Microsoft Teams. Victims are tricked into granting remote access through built-in tools, such as Windows Quick Assist, allowing attackers to enter networks under the guise of legitimate support. These methods enable attackers to blend into enterprise environments and persist longer without detection.
What this means for MSPs
MSPs must stay alert to these evolving tactics by deploying behavioral detection tools that can identify misuse of legitimate IT tools and abnormal user interactions. Regular staff training is critical to help users identify fake support attempts and phishing activity. MSPs should also ensure systems are patched promptly, and monitor for lateral movement, use of remote access utilities, and unexpected process behavior linked to tools such as BackConnect.
Large-scale malvertising campaign targets nearly one million devices
A widespread malvertising campaign active in December 2024 compromised close to one million devices globally. The campaign targeted users visiting illegal streaming sites, where malicious ads embedded in video frames initiated redirection chains through several intermediary websites. Eventually, victims were led to platforms such as GitHub, Discord, or Dropbox, where the attackers hosted multi-stage payloads. The first-stage dropper established initial access, followed by reconnaissance and data exfiltration. Based on system profiling, additional malware—including Lumma stealer, updated Doenerium variants, and NetSupport RAT—was deployed to enable further exploitation and persistence.
The attackers used living-off-the-land binaries (LOLBAS) such as PowerShell.exe and MSBuild.exe to avoid detection. They employed obfuscated scripts, reverse shells, and process injection into Explorer.exe to hide activity. Persistence was maintained through modified registry keys, startup folder shortcuts, and WMI event consumers. While digital certificates used in the attacks were later revoked and infrastructure taken down, many affected systems remained compromised into January 2025. The use of legitimate platforms for payload delivery significantly complicated detection and response efforts.
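The behaviors described in this story and in the Black Basta/Cactus story above (a shell spawned from a Quick Assist session, MSBuild.exe and PowerShell.exe used as LOLBAS, injection into Explorer.exe, Startup-folder shortcuts and WMI event consumers) all show up in ordinary endpoint telemetry. The following is an added example, not code from the brief or from ConnectWise: a small set of detection rules run over constructed Sysmon-style events. The event field names (`image`, `parent`, `cmdline`, `target`, and so on), the hostnames, paths and command lines are all made up for illustration; only the Sysmon event IDs (1 process create, 8 CreateRemoteThread, 11 file create, 20 WMI event consumer) are real.

```python
import ntpath
import re

# Constructed Sysmon-style events. Hosts, paths and command lines are made up for
# this example and the field names are this example's own, not Sysmon's XML schema.
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws01", "image": r"C:\Program Files\WindowsApps\QuickAssist\QuickAssist.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "QuickAssist.exe"},
    {"id": 1, "host": "ws01", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Program Files\WindowsApps\QuickAssist\QuickAssist.exe",
     "cmdline": "cmd.exe /c ipconfig /all"},
    {"id": 1, "host": "ws02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc BASE64PLACEHOLDER"},
    {"id": 1, "host": "ws02", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"MSBuild.exe C:\Users\u\AppData\Local\Temp\build.xml"},
    {"id": 8, "host": "ws02", "source_image": r"C:\Users\u\AppData\Local\Temp\upd.exe",
     "target_image": r"C:\Windows\explorer.exe"},
    {"id": 11, "host": "ws03", "image": r"C:\Users\u\AppData\Local\Temp\upd.exe",
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"id": 20, "host": "ws03", "consumer_type": "CommandLineEventConsumer",
     "destination": r"powershell.exe -nop -w hidden -File C:\Users\u\AppData\Local\Temp\x.ps1"},
    # Benign activity the rules must not flag: an IDE build and an admin script from explorer.
    {"id": 1, "host": "dev01", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj"},
    {"id": 1, "host": "dev01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "rundll32.exe", "wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)
# -e, -ec, -en, -enc, -encodedcommand; "-ExecutionPolicy" does not match because a letter follows.
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?(?:\s|$)", re.IGNORECASE)


def base(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path or "").lower()


def rule_quick_assist_spawns_shell(e):
    if e["id"] == 1 and base(e["parent"]) == "quickassist.exe" and base(e["image"]) in SHELLS:
        return "shell spawned from a Quick Assist session"


def rule_encoded_powershell(e):
    if e["id"] == 1 and base(e["image"]) in {"powershell.exe", "pwsh.exe"} and ENCODED_FLAG.search(e["cmdline"]):
        return "PowerShell launched with an encoded command"


def rule_msbuild_from_script_host(e):
    if e["id"] == 1 and base(e["image"]) == "msbuild.exe":
        if base(e["parent"]) in SHELLS or USER_WRITABLE.search(e["cmdline"]):
            return "MSBuild started by a shell or building a project from a user-writable path"


def rule_explorer_remote_thread(e):
    if e["id"] == 8 and base(e["target_image"]) == "explorer.exe":
        return f"remote thread created in explorer.exe by {e['source_image']}"


def rule_startup_shortcut(e):
    target = e.get("target", "").lower()
    if e["id"] == 11 and "\\start menu\\programs\\startup\\" in target and target.endswith(".lnk"):
        return "shortcut written to the Startup folder"


def rule_wmi_consumer(e):
    if e["id"] == 20:  # consumer registration is rare on workstations; review every one
        return f"WMI {e['consumer_type']} registered: {e['destination']}"


RULES = [rule_quick_assist_spawns_shell, rule_encoded_powershell, rule_msbuild_from_script_host,
         rule_explorer_remote_thread, rule_startup_shortcut, rule_wmi_consumer]


def run_rules(events):
    """Evaluate every rule against every event; return one hit per (event, rule) that fires."""
    hits = []
    for e in events:
        for rule in RULES:
            reason = rule(e)
            if reason:
                hits.append({"rule": rule.__name__, "host": e["host"], "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in run_rules(SAMPLE_EVENTS):
        print(f"{hit['host']:6} {hit['rule']:32} {hit['reason']}")
```

The rules are deliberately narrow (a parent/child pair, a flag, a path) so that the benign MSBuild and PowerShell events on `dev01` do not fire; in production the same rules would be fed from a SIEM or EDR query rather than a list, and the WMI rule in particular is worth an alert on every hit because legitimate consumer registrations on workstations are rare enough to review by hand.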
What this means for MSPs
MSPs must adjust security strategies to account for threats delivered through trusted cloud services. SMBs often use platforms such as GitHub and Discord for daily operations, which attackers are now exploiting. Endpoint controls must enforce strict execution policies, and downloads from cloud platforms should be monitored for suspicious behavior. MSPs should help clients implement behavioral detection tools, restrict unnecessary file access, and define policies for verifying files before execution. This campaign underscores the need for layered defenses beyond perimeter security, especially for clients with limited internal cybersecurity expertise.
Fake file converters on the rise
Since February, a surge in attacks using fake online file converters has been observed targeting users seeking free tools to convert documents. These sites often mimic legitimate services, using HTTPS and professional branding to appear trustworthy. Once users interact—by uploading or downloading files—they unknowingly trigger the installation of ransomware, credential stealers, or remote-access trojans (RATs). This aligns with a March alert from the FBI warning about the increased use of SEO poisoning and malvertising to promote malicious websites.
Scammers behind these campaigns use search engine optimization and paid ads to push their fake tools to the top of search results. Even cautious users may trust these sites due to their placement and appearance. Two such domains, docu-flex[.]com and pdfixers[.]com, were recently identified and taken down after distributing malware bundled with real PDF editing software. These threats are particularly damaging for SMBs that lack strong backups or response plans, and they present serious risks to MSPs if credentials or access to management platforms are compromised.
What this means for MSPs
MSPs must combine technical defenses with user training to mitigate threats from SEO-driven malware sites. Web filtering and EDR tools are essential, but users also need to understand that HTTPS does not equal safe, and high search rankings can be manipulated. Clients should be trained to verify URLs and avoid unfamiliar conversion tools. Regularly tested backups and updated incident-response plans are critical for fast recovery in ransomware cases. MSPs should continue reviewing and adapting their response strategies as attacker tactics evolve.
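Web filtering against domains like the two named above only works if indicators are parsed and matched carefully: published IoCs are defanged (`docu-flex[.]com`), attackers serve the same content from subdomains, and a lookalike such as `notpdfixers.com` must not be mistaken for a match. The following added example (not code from the brief or from ConnectWise) refangs the two domains the brief names, matches them on a label boundary, and runs that check over constructed proxy log lines; the log format and all IP addresses and timestamps are made up for illustration. It also shows the point made above that HTTPS proves nothing about intent: both hits are HTTPS requests.

```python
import re
from typing import List, Optional
from urllib.parse import urlsplit

# The two domains named in this brief, kept in the defanged form they were published in.
DEFANGED_IOCS = ["docu-flex[.]com", "pdfixers[.]com"]


def refang(indicator: str) -> str:
    """Turn 'hxxps://evil[.]com/x' or 'evil(.)com' into a bare, lower-cased hostname.
    Refanging must happen before urlsplit(): '[' in a host is parsed as an IPv6 literal."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s)
    if "://" in s:
        s = urlsplit(s).hostname or ""
    return s.rstrip(".")


def blocked_parent(host: str, blocklist: List[str]) -> Optional[str]:
    """Return the blocklisted domain that host equals or is a subdomain of, else None.
    The '.' boundary means 'notpdfixers.com' and 'pdfixers.com.example.net' do not match."""
    h = host.lower().rstrip(".")
    for d in blocklist:
        if h == d or h.endswith("." + d):
            return d
    return None


# Constructed proxy log: "<timestamp> <client-ip> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2025-03-12T09:14:02Z 10.0.0.21 GET https://docs.example.com/convert 200
2025-03-12T09:15:47Z 10.0.0.21 GET https://www.docu-flex.com/convert 200
2025-03-12T09:16:10Z 10.0.0.21 GET https://pdfixers.com/download/setup.exe 200
2025-03-12T09:18:33Z 10.0.0.35 GET http://pdfixers.com.cdn-example.net/ 200
2025-03-12T09:19:01Z 10.0.0.35 GET https://notpdfixers.com/ 200
"""


def scan_proxy_log(text: str, blocklist: List[str]) -> List[dict]:
    """Return one record per request whose host matches the blocklist."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line; skip rather than crash the scan
        ts, client, _method, url, _status = parts[:5]
        host = urlsplit(url).hostname
        if not host:
            continue
        matched = blocked_parent(host, blocklist)
        if matched:
            hits.append({"time": ts, "client": client, "host": host,
                         "matched": matched, "scheme": urlsplit(url).scheme})
    return hits


if __name__ == "__main__":
    blocklist = [refang(i) for i in DEFANGED_IOCS]
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, blocklist):
        print(f"{hit['time']} {hit['client']} -> {hit['host']} (matches {hit['matched']}, {hit['scheme']})")
```

The subdomain test is the part most often done wrong: a plain substring match would flag `notpdfixers.com` and miss nothing, but it would also produce false positives on any host that merely contains the string, and `pdfixers.com.cdn-example.net` shows why the match must be anchored at the right-hand end.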
Top vulnerabilities in March 2025
CVE-2024-55591 is a critical authentication bypass vulnerability in Fortinet's FortiOS (versions 7.0.0 through 7.0.16) and FortiProxy (versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12) that allows remote attackers to gain super-admin privileges via crafted requests to the Node.js websocket module. This vulnerability has been actively exploited in the wild, enabling attackers to create unauthorized administrative accounts and modify system configurations. Fortinet has released patches to address this issue and recommends that affected users upgrade to the latest versions immediately. The CRU has observed this vulnerability being exploited for initial access.
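The version ranges quoted above are the practical input for an MSP: an inventory export has to be checked against them, and the comparison must be numeric, because as strings `"7.0.9"` sorts after `"7.0.16"` and an affected 7.0.9 build would be missed. The following added example (not code from the brief, ConnectWise or Fortinet) encodes only the inclusive ranges this brief lists and reports anything outside them as "not listed" rather than "safe", since other branches are a question for Fortinet's advisory. The inventory rows, device names and the product-name normalisation are assumptions for illustration.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges exactly as listed in this brief for CVE-2024-55591.
# Versions outside these ranges are reported as "not listed", never as safe.
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "fortios": [((7, 0, 0), (7, 0, 16))],
    "fortiproxy": [((7, 0, 0), (7, 0, 19)), ((7, 2, 0), (7, 2, 12))],
}


def parse_version(text: str) -> Version:
    """Parse '7.0.16' or 'v7.0.16' into an int tuple so that 7.0.9 < 7.0.16 compares correctly."""
    parts = text.strip().lower().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def status(product: str, version: str) -> str:
    """Return 'affected', 'not listed' or 'unknown product' for one device."""
    ranges = AFFECTED.get(product.strip().lower())
    if ranges is None:
        return "unknown product"
    v = parse_version(version)
    return "affected" if any(lo <= v <= hi for lo, hi in ranges) else "not listed"


# Constructed inventory rows (device, product, version) as an RMM export might provide them.
SAMPLE_INVENTORY = [
    ("fw-branch-01", "FortiOS", "7.0.9"),
    ("fw-branch-02", "FortiOS", "v7.0.16"),
    ("fw-hq-01", "FortiOS", "7.0.17"),
    ("proxy-01", "FortiProxy", "7.2.12"),
    ("proxy-02", "FortiProxy", "7.2.13"),
    ("fw-lab-01", "FortiOS", "7.4.3"),
]


def triage(inventory):
    """Annotate every inventory row with its status."""
    return [(dev, prod, ver, status(prod, ver)) for dev, prod, ver in inventory]


def affected_devices(inventory) -> List[str]:
    """Device names that fall inside a listed affected range."""
    return [dev for dev, _prod, _ver, s in triage(inventory) if s == "affected"]


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("{:14} {:10} {:8} {}".format(*row))
```

Running it on the sample inventory flags the two 7.0.x FortiOS devices and the 7.2.12 FortiProxy; the 7.4.3 unit comes back "not listed", which is the correct answer for a check that only knows the ranges printed here.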
CVE-2025-24985 is a high-severity vulnerability in the Windows Fast FAT File System Driver that allows unauthorized local attackers to execute arbitrary code due to an integer overflow when a user is tricked into mounting a specially crafted VHD file. This flaw has been actively exploited in the wild, and Microsoft released patches to address this vulnerability on March’s Patch Tuesday.
CVE-2025-24993 is a heap-based buffer overflow vulnerability in the Windows NTFS file system that allows unauthorized local attackers to execute arbitrary code with system-level privileges. This flaw has been actively exploited in the wild, requires mounting a VHD file, and was also included in March’s Patch Tuesday.
CVE-2025-24991 is an out-of-bounds read vulnerability in the Windows NTFS file system that allows authorized local attackers to disclose sensitive information. This vulnerability was another patch in March’s Patch Tuesday that had previously been exploited in the wild. The information it discloses about a system can be used to support other exploits.
CVE-2025-24984 is an information disclosure vulnerability in the Windows NTFS file system, where sensitive information is improperly inserted into log files, potentially allowing unauthorized attackers with physical access to disclose sensitive data. This vulnerability has been actively exploited and was addressed in March’s Patch Tuesday.
Top malware
The Diamond Model
This section leverages the Diamond Model of Intrusion Analysis to structure the examination of recent malware activity, providing a clear analytical framework that links adversary, capabilities, infrastructure, and victimology. By applying the Diamond Model, we can better contextualize malicious behavior, identify patterns across campaigns, and highlight the relationships between threat actors, tools, and targeted entities. This structured approach enhances situational awareness, supports attribution efforts, and facilitates more effective defensive strategies against evolving threats.
HijackLoader
HijackLoader is a modular malware loader first identified in 2023, designed to deliver various payloads such as information stealers and remote access trojans. In March 2025, we saw HijackLoader incorporate new modules that enhance its stealth capabilities, notably call stack spoofing to obscure the origin of function calls and anti-virtual-machine checks to identify analysis environments.
Adversary
- Aliases: DOILoader, GHOSTPULSE, IDAT Loader, SHADOWLADDER, win.hijackloader
- Last used by: Supply chain attack targeting auto dealerships and deploying RedLine Stealer; multiple attacks delivering SecTopRAT
Infrastructure
Victimology
- Recently targeted business sectors: Healthcare, IT services, entertainment, retail, auto dealerships, nonprofit organizations
Capabilities
RedLine Stealer
RedLine Stealer is a .NET-based information-stealing malware first identified in early 2020, designed to extract sensitive data such as login credentials, browser cookies, credit card information, and cryptocurrency wallets from infected systems. It is commonly distributed through phishing campaigns, malicious advertisements, and disguised software downloads. In March 2025, cybersecurity researchers observed a surge in RedLine Stealer infections, with threat actors employing deceptive tactics such as masquerading the malware as legitimate software installers to entice users into executing the malicious payload. This uptick highlights the malware’s persistent evolution and the continuous need for robust cybersecurity measures to mitigate such threats.
Adversary
- Aliases: RECORDSTEALER, Redline Infostealer
- Last used by: Auto dealership supply chain attack where RedLine Stealer was loaded by HijackLoader
Infrastructure
Victimology
- Recently targeted business sectors: Healthcare, IT services, financial services, retail, auto dealerships
Capabilities
Emmenhtal
Emmenhtal is a stealthy malware loader first identified in 2024, used to distribute commodity infostealers, such as Lumma and CryptBot. It typically spreads via phishing campaigns or compromised websites, often using HTA files and disguised shortcuts. In March 2025, the CRU observed Emmenhtal being used to load Lumma Stealer and Rhadamanthys.
Adversary
- Aliases: IDATDropper, PEAKLIST
- Last used by: ClickFix campaign delivering Lumma Stealer via Emmenhtal
Infrastructure
Victimology
- Recently targeted business sectors: Healthcare, IT services, advertising, food and beverage, construction
Capabilities
Akira
Akira is a ransomware-as-a-service (RaaS) group that emerged in March 2023, targeting organizations across North America, Europe, and Australia. By January 2024, Akira had compromised over 250 entities, amassing approximately $42 million in ransom payments. The group employs double extortion tactics, exfiltrating sensitive data before encrypting systems and threatening to publish the information on their dark web leak site if ransoms are unpaid. In March 2025, Akira continued its aggressive operations, with reports indicating a significant number of attacks during that period. The group has been known to exploit vulnerabilities in VPN services and leverage compromised credentials to gain initial access, underscoring the importance of robust cybersecurity measures.
Adversary
- Aliases: N/A
- Last used by: N/A
Infrastructure
Victimology
- Recently targeted business sectors: Manufacturing, food and beverage, automotive
Capabilities
Lumma
Lumma Stealer is a rapidly evolving information-stealing malware written in C, sold as malware-as-a-service (MaaS) on cybercrime forums. It targets credentials, cookies, crypto wallets, and system information, with support for evasion techniques such as string obfuscation and encrypted C2 communication. Known for its modularity and frequent updates, Lumma is commonly distributed via phishing emails, drive-by downloads, and loaders like Emmenhtal.
Adversary
- Aliases: Lumma Stealer
- Last used by: ClickFix campaign delivering Lumma Stealer via Emmenhtal
Infrastructure
Victimology
- Recently targeted business sectors: Hospitality, shipping, healthcare, IT services, property management
Capabilities