Weekly Threat Intel
May 18–24, 2026
- Hunt for LummaC2 persistence on any Windows host that downloaded software, clicked a CAPTCHA, or visited a software cracking site in the past 18 months — infrastructure was disrupted but not all infections were remediated. Microsoft’s Digital Crimes Unit seized 2,300 C2 domains on May 21, and the FBI assessed at least 1.7 million credential-theft instances. Lumma harvests browser credentials, session cookies, and crypto wallet seeds in seconds; the seized infrastructure breaks current C2 connectivity, but existing implants on hosts that haven’t been reimaged may reconnect once operators rebuild. Hunt for Lumma’s characteristic staging directories, the sqlite3.dll sideloading pattern, and outbound connections to freshly-registered domains. Treat any credentials stored in browsers on exposed machines as compromised and rotate them.
- Patch Ivanti EPMM immediately for CVE-2025-4427 and CVE-2025-4428 — the chained authentication bypass plus RCE is under active exploitation by China-nexus UNC5221, and PoCs are publicly available. CVE-2025-4427 removes the authentication requirement for certain API routes; CVE-2025-4428 delivers arbitrary Java code execution via Expression Language injection in the /api/v2/featureusage endpoint. Together they provide unauthenticated RCE against internet-facing EPMM servers. Post-exploitation behavior includes KrustyLoader deployment, Sliver C2 framework staging from public AWS S3 buckets, and web shells at paths mimicking HTTP error pages. If you cannot patch immediately, take EPMM off the internet and hunt for web shells in paths like /error/404.jsp or similar disguised locations.
- Verify your help desk cannot be socially engineered into resetting credentials or bypassing MFA for unverified callers — Scattered Spider/DragonForce has now disrupted five major UK organizations using this single technique. M&S, Co-op, Harrods, and now UK cold-chain logistics provider Peter Green Chilled all fell to the same initial access vector: vishing calls impersonating employees to manipulate help desk agents. The DragonForce encryptor then targets VMware ESXi hosts for mass VM encryption. Test your help desk with red-team social engineering exercises, implement callback verification to employee-of-record phone numbers, and enforce hardware MFA tokens that cannot be transferred to attackers even with credentials.
- If your organization uses or integrates with DanaBot-affected systems, treat credentials from the past two years as potentially compromised — DanaBot’s espionage module specifically targeted military, diplomatic, and law enforcement personnel beyond the financial fraud track. The DOJ charged 16 defendants and disrupted DanaBot infrastructure that had infected 300,000 computers and maintained ~1,000 daily new victims. The discovery of a parallel espionage module targeting high-value government and defense targets (distinct from the criminal financial fraud operation) indicates the botnet was dual-use. Organizations in these sectors should conduct credential hygiene reviews and look for anomalous authentication events during the botnet’s active period.
- Extend your dwell-time detection program to cover the 30–45 day window between initial access and ransomware detonation, not just the hours preceding encryption. The Interlock ransomware group established initial access at Kettering Health on April 9 and detonated 41 days later on May 20. By detonation, they had already exfiltrated 941 GB affecting 1.7 million patients. Pre-detonation behavioral signals — unusual lateral movement, large internal file transfers, privileged account access from new hosts, staging tool downloads — are consistently present in this dwell-time window and consistently missed by organizations focusing detection resources on the encryption event itself.
- Organizations in Western logistics, defense, and technology sectors should treat APT28 (GRU Unit 26165) as an active targeted threat and immediately audit VPN access logs, enforce phishing-resistant MFA, and hunt for unauthorized mailbox permission modifications. A 21-agency joint advisory confirmed APT28 has been conducting sustained espionage against entities coordinating aid to Ukraine since at least early 2022. TTPs include password spraying via rotating infrastructure, spearphishing, mailbox rule manipulation for persistent email access, and SQL injection against VPN appliances. The campaign is intelligence-gathering focused — specifically targeting what is being shipped to Ukraine, by whom — making supply chain and logistics firms higher-risk targets than typical enterprise environments.
- Coinbase customers should assume their personal information — including government ID scans — is in adversary hands and take immediate steps against identity fraud and targeted vishing. Threat actors bribed overseas support contractors to steal data on approximately 97,000 users, then demanded $20M in Bitcoin. The stolen dataset includes driver’s license and passport images, masked SSNs, account balance snapshots, and transaction histories — sufficient for targeted impersonation attacks. Coinbase refused the extortion demand and posted a counter-bounty. Affected users should place fraud alerts with credit bureaus, be alert to Coinbase impersonation calls, and not act on unsolicited outreach asking them to move funds “for security reasons.”
- LummaC2 Global Takedown: 2,300 Domains Seized, 1.7M Credential Thefts Disrupted
- Ivanti EPMM Chained RCE (CVE-2025-4427 + CVE-2025-4428) Under Active Exploitation
- Cybercrime: DanaBot Disrupted, Kettering Health, Coinbase Extortion
- Nation-State: APT28 Logistics Espionage, Scattered Spider UK Retail Rampage
- Also This Week
LummaC2 Global Takedown: 2,300 Domains Seized, 1.7M Credential Thefts Disrupted
On May 21, 2026, a coordinated international law enforcement and private sector operation dealt the most significant blow to the LummaC2 (Lumma Stealer) Malware-as-a-Service ecosystem to date. The DOJ seized five C2 panel domains used by operators and affiliates as login portals; Microsoft’s Digital Crimes Unit executed a court order from the Northern District of Georgia seizing and blocking approximately 2,300 malicious domains forming Lumma’s C2 backbone; and Europol’s EC3 and Japan’s JC3 coordinated regional infrastructure suspension across allied jurisdictions.
Scale, Infrastructure, and What the Takedown Does and Doesn’t Fix
The FBI assessed LummaC2 had executed at least 1.7 million instances of credential theft since the platform became active in 2022. Between March 16 and May 16, 2025 alone, Microsoft identified over 394,000 Windows computers globally infected with Lumma. The stealer-as-a-service model leases access to affiliates on a subscription basis, meaning dozens of distinct threat actors — ranging from ransomware initial access brokers to nation-state-adjacent groups — were actively using Lumma infrastructure at the time of the takedown. The seized domains served as affiliate panel login pages; the 2,300 C2 domains handled beacon traffic from infected hosts. CISA Advisory AA25-141B documented Lumma’s full delivery methodology: phishing, fake software downloads, malvertising, and fake CAPTCHA pages (“ClickFix” lure pages), with post-infection behavior covering browser credential harvesting, crypto wallet exfiltration, session cookie theft, and sensitive document collection. The takedown disrupts current C2 connectivity for existing infections but does not remove implants from compromised hosts; operators are expected to rebuild infrastructure, as MaaS groups have done consistently after prior law enforcement actions.
QakBot, Bumblebee, Hijackloader, Warmcookie: 300 Servers, 650 Domains Seized Concurrently
Bundled in the same week’s Operation Endgame activity, law enforcement seized an additional 300 servers and 650 domains supporting QakBot, Bumblebee, Hijackloader, and Warmcookie malware infrastructure. These loaders collectively represent a significant portion of the ransomware initial access ecosystem — each serves as a delivery mechanism for second-stage payloads including ransomware, data exfiltration tooling, and remote access frameworks. The concurrent takedown of LummaC2 and multiple loader ecosystems in a single operational week represents an unusual concentration of law enforcement pressure on the upstream layers of the cybercriminal supply chain. The disruption is meaningful but temporary: the operators behind these platforms have demonstrated repeated reconstitution capability after prior Endgame actions and similar operations.
The credential downstream problem: LummaC2’s operational significance extends well beyond the infections themselves. Lumma-harvested credentials are systematically sold through underground markets and used by downstream operators — most notably ransomware affiliates — for network initial access. The 1.7 million credential theft assessments represent a pipeline that fed ransomware campaigns across multiple groups. The takedown disrupts the C2 infrastructure but does not invalidate the credentials already harvested and sold. Organizations whose users may have been infected — particularly those running software from unofficial sources, clicking on malvertised search results, or interacting with fake CAPTCHA pages — should treat browser-stored credentials as potentially compromised regardless of whether their EDR detected the infection. Lumma specifically avoids leaving persistent mechanisms, making detection at infection time difficult and making credential rotation the more reliable remediation than hunting for the implant itself.
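The hunt the brief calls for (sqlite3.dll sideloading, beacons to freshly registered domains, and DNS hits against the seized-domain list mentioned in the assessment below) is sketched here as an added example; it is not CISA's, Microsoft's or the DOJ's tooling. It assumes Sysmon-style image-load (EID 7) and DNS-query (EID 22) events, a domain registration-date lookup you supply from RDAP/WHOIS or passive-DNS enrichment, and a seized-domain list you paste in from the published takedown material; every path, host name and domain below is constructed for the example.

```python
"""Hunt for LummaC2-style telemetry: sqlite3.dll sideloading and beaconing to
newly registered or seized domains.

Added example, not CISA's or Microsoft's tooling. Assumptions: events are
Sysmon-like dicts (EID 7 image load, EID 22 DNS query); domain registration
dates and the seized-domain list come from enrichment you supply; every path,
host name and domain below is constructed for the example.
"""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

TRUSTED_ROOTS = (
    "c:\\windows\\system32", "c:\\windows\\syswow64",
    "c:\\program files", "c:\\program files (x86)",
)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
NEW_DOMAIN_MAX_AGE = timedelta(days=30)

# Placeholder for the seized-domain list published with the takedown (constructed).
SEIZED_DOMAINS = {"seized-c2-placeholder.example"}


def _in_trusted_root(directory):
    return any(directory.startswith(root) for root in TRUSTED_ROOTS)


def is_sqlite_sideload(event):
    """EID 7: sqlite3.dll loaded from outside trusted roots, either beside the
    loading EXE or from a user-writable location (the classic sideload shape)."""
    dll = PureWindowsPath(event["ImageLoaded"])
    if dll.name.lower() != "sqlite3.dll":
        return False
    dll_dir = str(dll.parent).lower()
    exe_dir = str(PureWindowsPath(event["Image"]).parent).lower()
    if _in_trusted_root(dll_dir):
        return False
    return dll_dir == exe_dir or any(m in dll_dir + "\\" for m in USER_WRITABLE)


def domain_verdict(event, registration_dates):
    """EID 22: flag queries to seized domains or to domains registered recently."""
    name = event["QueryName"].lower().rstrip(".")
    if name in SEIZED_DOMAINS:
        return "seized_domain_dns"
    registered = registration_dates.get(name)
    if registered is None:
        return None  # no registration age known: enrich before judging
    queried = datetime.fromisoformat(event["UtcTime"])
    if queried - registered < NEW_DOMAIN_MAX_AGE:
        return "new_domain_dns"
    return None


def hunt(events, registration_dates):
    """Return (finding, host, detail) tuples for every suspicious event."""
    findings = []
    for ev in events:
        if ev["EventID"] == 7 and is_sqlite_sideload(ev):
            findings.append(("sqlite3_sideload", ev["Computer"], ev["ImageLoaded"]))
        elif ev["EventID"] == 22:
            verdict = domain_verdict(ev, registration_dates)
            if verdict:
                findings.append((verdict, ev["Computer"], ev["QueryName"]))
    return findings


# Constructed sample telemetry: one clean load, one sideload, three DNS queries.
SAMPLE_EVENTS = [
    {"EventID": 7, "Computer": "WS-0412", "UtcTime": "2026-05-22T10:15:00",
     "Image": "C:\\Program Files\\NoteApp\\noteapp.exe",
     "ImageLoaded": "C:\\Program Files\\NoteApp\\sqlite3.dll"},
    {"EventID": 7, "Computer": "WS-0412", "UtcTime": "2026-05-22T10:16:00",
     "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\setup.exe",
     "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\sqlite3.dll"},
    {"EventID": 22, "Computer": "WS-0412", "UtcTime": "2026-05-22T10:16:05",
     "QueryName": "cdn.example.net"},
    {"EventID": 22, "Computer": "WS-0412", "UtcTime": "2026-05-22T10:16:07",
     "QueryName": "fresh-updater.example.org"},
    {"EventID": 22, "Computer": "WS-0412", "UtcTime": "2026-05-22T10:16:09",
     "QueryName": "seized-c2-placeholder.example"},
]
# Constructed registration dates standing in for RDAP/WHOIS enrichment.
SAMPLE_REGISTRATION = {
    "cdn.example.net": datetime(2019, 3, 1),
    "fresh-updater.example.org": datetime(2026, 5, 18),
}

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS, SAMPLE_REGISTRATION):
        print(*finding)
```

The DNS check deliberately returns no verdict when the registration age is unknown: an unenriched domain is a gap to fill, not a finding, and treating it as clean would hide exactly the freshly registered infrastructure the brief warns about.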
Ivanti EPMM Chained RCE (CVE-2025-4427 + CVE-2025-4428) Under Active Exploitation
Ivanti disclosed two vulnerabilities in Endpoint Manager Mobile (EPMM) on May 13. By May 15–20, following PoC releases from watchTowr and ProjectDiscovery, CISA added both CVEs to the Known Exploited Vulnerabilities catalog and EclecticIQ attributed active exploitation to China-nexus espionage group UNC5221.
Auth Bypass + EL Injection: Unauthenticated RCE in Chain, Public PoC Available
CVE-2025-4427 (CVSS High) is an authentication bypass caused by misconfigured Spring Security route configuration: certain API routes — including /api/v2/featureusage — are accessible without authentication due to a pattern matching flaw. CVE-2025-4428 (CVSS Critical) delivers post-authentication RCE via Expression Language (EL) injection in the DeviceFeatureUsageReportQueryRequestValidator class, where the format parameter in the feature usage report endpoint accepts unvalidated input that is evaluated as Java EL, enabling arbitrary Java code execution. Chained together: any attacker who can reach the EPMM API endpoint over HTTPS achieves unauthenticated remote code execution. Post-exploitation activity attributed to UNC5221 included deployment of KrustyLoader (a Rust-based loader) to deliver the Sliver C2 framework, staging final payloads via publicly accessible AWS S3 buckets, and uploading web shells to paths designed to blend with legitimate HTTP error page patterns. Affected sectors include healthcare, telecommunications, aviation, municipal government, finance, and defense across Europe, North America, and Asia-Pacific.
Endpoint: /api/v2/featureusage · Post-exploitation: KrustyLoader → Sliver C2 · Staging: public AWS S3 buckets · Attribution: UNC5221 (China-nexus)

| CVE | Product | Impact | Status |
|---|---|---|---|
| CVE-2025-4427 | Ivanti EPMM | Authentication bypass via Spring Security misconfiguration; /api/v2/featureusage accessible without credentials. | Actively exploited — CISA KEV |
| CVE-2025-4428 | Ivanti EPMM | Post-auth EL injection in DeviceFeatureUsageReportQueryRequestValidator; arbitrary Java code execution via format parameter. Chained with CVE-2025-4427 = unauthenticated RCE. | Actively exploited — CISA KEV — public PoC |
| CVE-2025-48927 | TeleMessage (Signal clone) | Unauthenticated access to archived messages; actively exploited against U.S. government users of the TeleMessage application. | Actively exploited — CISA KEV |
Ivanti EPMM and the pattern of MDM targeting: This is the fourth major Ivanti product vulnerability to see active exploitation by China-nexus actors in 18 months, following high-profile exploitation campaigns against Ivanti Connect Secure (ICS) and Ivanti Policy Secure. UNC5221 has been specifically linked to multiple Ivanti campaigns in this period, suggesting the group has built operational capability and tooling around Ivanti product exploitation rather than treating each campaign as a one-off. Organizations running any Ivanti product on-premises should treat the enterprise as a high-value target for this threat cluster, conduct proactive threat hunting across Ivanti infrastructure for signs of prior compromise, and evaluate whether internet-exposed MDM management interfaces represent an acceptable risk posture given the demonstrated exploitation tempo.
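For teams that cannot patch inside the window, the two hunting leads in this section (EL syntax aimed at the feature usage endpoint, and web shells parked at error-page-shaped .jsp paths) can be pulled out of the reverse proxy or application access log. The triage below is an added example, not Ivanti, Wiz or EclecticIQ detection content; it assumes combined-format access logs, and the heuristics, thresholds and sample lines are constructed.

```python
"""Triage EPMM-facing web access logs for two behaviours: Expression Language
syntax sent to the feature usage endpoint, and traffic to .jsp paths shaped like
HTTP error pages that a real error handler would never receive.

Added example, not Ivanti's or any vendor's detection content. Assumptions:
combined-format access logs; the heuristics and the sample lines are constructed.
"""
import re
from urllib.parse import unquote, urlsplit

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
FEATURE_USAGE = "/api/v2/featureusage"
EL_MARKERS = ("${", "#{")
# A .jsp under an error directory, or one named like an HTTP status code (404.jsp, 500.jsp).
ERROR_PAGE_RE = re.compile(r"/errors?/[^/]*\.jsp$|/\d{3}\.jsp$", re.IGNORECASE)


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(line):
    """Return (reason, client_ip, target) for a suspicious line, else None."""
    rec = parse_line(line)
    if rec is None:
        return None
    url = urlsplit(rec["target"])
    path, query = unquote(url.path), unquote(url.query)
    # EL injection attempts carry expression syntax in the query string; after
    # CVE-2025-4427 they arrive with no session, so the request itself is the signal.
    if path.lower().startswith(FEATURE_USAGE) and any(m in query for m in EL_MARKERS):
        return ("el_injection_attempt", rec["ip"], rec["target"])
    # Server-rendered error pages are reached by internal forward on a bare GET;
    # a POST, or a GET carrying parameters, to such a path is a web-shell signal.
    if ERROR_PAGE_RE.search(path) and (rec["method"] != "GET" or query):
        return ("webshell_candidate", rec["ip"], rec["target"])
    return None


def triage_log(lines):
    return [hit for hit in (triage(line) for line in lines) if hit]


# Constructed sample: one legitimate API call, one EL probe, one genuine 404, one web-shell POST.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/May/2026:09:58:10 +0000] "GET /api/v2/featureusage?format=json HTTP/1.1" 401 87',
    '203.0.113.10 - - [20/May/2026:10:01:02 +0000] "GET /api/v2/featureusage?format=%24%7B1%2B1%7D HTTP/1.1" 200 512',
    '10.0.0.6 - - [20/May/2026:10:02:30 +0000] "GET /error/404.jsp HTTP/1.1" 404 310',
    '198.51.100.7 - - [20/May/2026:10:03:44 +0000] "POST /error/404.jsp HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(*hit)
```

URL-decoding before matching matters: the expression markers are routinely percent-encoded, and a rule keyed on the literal `${` in the raw line misses them. A 200 response to a POST against an error page is the strongest signal in the sample; a real error handler returns its own status code.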
DanaBot Disrupted, Kettering Health, Coinbase Extortion
Operation Endgame’s DanaBot disruption on May 22 revealed an unexpected espionage component alongside the criminal botnet infrastructure, while the Interlock ransomware group’s 41-day dwell at Kettering Health became the week’s highest-impact healthcare incident, and Coinbase disclosed a bribery-enabled data theft affecting 97,000 customers.
DanaBot Disrupted, 16 Charged — Dual Criminal/Espionage Tracks Revealed
The DOJ charged 16 defendants including named Russian nationals Aleksandr Stepanov (“JimmBee”) and Artem Kalinkin (“Onix”) with operating the DanaBot Malware-as-a-Service botnet. DanaBot had infected over 300,000 computers worldwide, maintained approximately 150 active C2 servers daily, and logged approximately 1,000 daily new victims across 40+ countries for an assessed damage total of at least $50 million. Analysis of seized infrastructure revealed two distinct operational tracks: a financial fraud track conducting banking credential theft, session hijacking, and browser data exfiltration for criminal profit; and a parallel espionage track specifically targeting high-value military, diplomatic, and law enforcement personnel in North America and Europe — suggesting state nexus or state-adjacent coordination beyond purely criminal motivation. In a notable OPSEC failure, DanaBot developers infected their own machines with their malware during development, exposing their real identities through the stolen data that was subsequently recovered by investigators.
Kettering Health: 1.69 Million Patients, 41-Day Dwell Time Before Encryption
Ohio-based Kettering Health (14 medical centers, 120+ outpatient facilities) was struck by the Interlock ransomware group on May 20. Interlock had established initial access as early as April 9 — 41 days before detonation — using the dwell time to conduct lateral movement, privilege escalation, and systematic data exfiltration. The attack forced shutdown of approximately 600 digital applications and the cancellation of all elective procedures. Before encrypting systems, Interlock exfiltrated 941 GB (732,490 files) from Epic EHR infrastructure. When ransom was refused, the data was leaked publicly. Final confirmed breach count: 1,695,382 individuals. Data types compromised included names, SSNs, financial account numbers, driver’s license numbers, medical and treatment information, health insurance data, billing and claims data, passport numbers, and credentials. Epic EHR was restored 13 days after the attack. The 41-day dwell is consistent with Interlock’s documented operational tempo in the healthcare sector; the group has demonstrated systematic long-dwell-time operations as a deliberate choice to maximize exfiltration value before encryption.
Coinbase: Bribed Support Contractors Expose 97,000 Users, $20M Extortion Refused
Coinbase disclosed that threat actors had bribed overseas customer support contractors (primarily based in India) to steal customer data from internal systems over an extended period. The attackers subsequently demanded $20 million in Bitcoin to suppress publication of the stolen data. Coinbase refused to pay and instead announced a $20 million bounty for information leading to the perpetrators’ identification and arrest. Data compromised for approximately 97,000 affected users included full names, addresses, phone numbers, and email addresses; masked SSNs (last 4 digits) and masked bank account numbers; government ID images including driver’s license and passport scans; account balance snapshots; and transaction history. Private keys and passwords were not compromised. The stolen dataset is immediately operational for targeted vishing campaigns impersonating Coinbase support — a tactic already confirmed to be in use, with victims being convinced to transfer funds to attacker-controlled wallets under the guise of “security procedures.” Government ID images in adversary hands additionally enable identity fraud applications with utility well beyond cryptocurrency theft.
The DanaBot espionage module changes the threat picture for government and defense organizations. DanaBot was widely understood as a financial crime platform — banking trojans, credential theft, fraud. The discovery that a parallel module specifically targeted military, diplomatic, and law enforcement personnel rewrites that assessment. Organizations that dismissed DanaBot as “a financial malware problem, not our concern” should revisit that conclusion. The dual-use architecture — financially motivated criminal track and state-adjacent espionage track operating simultaneously — is a pattern seen in other Russian-affiliated platforms and reflects deliberate operational compartmentalization. Government and defense sector SOC teams should now include DanaBot in their threat model alongside APT malware and conduct historical log review for DanaBot indicators across the platform’s operational period.
APT28 Logistics Espionage, Scattered Spider UK Retail Rampage
21-Agency Advisory: APT28 Targeting Western Logistics and Tech Firms Supplying Ukraine
CISA, the UK NCSC, and counterparts from 21 allied agencies across 11 nations issued a joint advisory confirming sustained APT28 (GRU Unit 26165/Fancy Bear) espionage against Western logistics entities and technology companies coordinating foreign aid and military support to Ukraine. The campaign has been active since at least early 2022. Targeted organizations include logistics companies, defense contractors, transportation firms, and technology providers in the U.S., Europe, and NATO-aligned countries handling Ukraine-bound cargo. Documented TTPs include password spraying via anonymized, rotating-IP infrastructure with TLS encryption to evade detection; spearphishing for credential harvesting; mailbox permission modification for persistent email access without additional login events; SQL injection against corporate VPN and public-facing infrastructure; and abuse of known CVEs in VPN appliances for initial access. The advisory’s framing of the campaign’s objective — targeting intelligence about what is being shipped to Ukraine, by whom, and via which routes — makes supply chain visibility and logistics coordination organizations higher-risk targets than the advisory’s sector list might suggest in isolation. Any organization with visibility into Ukraine-bound cargo movement should treat this advisory as directly applicable.
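The spraying TTP in this advisory defeats per-source lockout counters by design: each rotating IP touches one or two accounts and never trips a threshold. The added example below (not from the advisory or any agency) counts distinct failing accounts per window instead, and then checks whether a sprayed account authenticated successfully shortly afterwards, which is the follow-through the brief's closing action item on VPN log review is looking for. It assumes a whitespace-separated VPN log of timestamp, user, source IP and result; the thresholds and the sample log are constructed.

```python
"""Detect low-and-slow password spraying across rotating source IPs in VPN
authentication logs, then check whether any sprayed account later succeeded.

Added example, not from the joint advisory. Assumptions: one whitespace-
separated record per line (timestamp user source_ip FAIL|SUCCESS); the
thresholds and the sample log are constructed.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)
MIN_DISTINCT_USERS = 5            # distinct accounts failing inside one window
SUCCESS_LOOKAHEAD = timedelta(hours=24)


def parse_vpn_log(lines):
    events = []
    for line in lines:
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user.lower(), ip, result))
    return sorted(events)


def detect_spray(events, window=WINDOW, min_users=MIN_DISTINCT_USERS):
    """Per-source-IP lockout counters never fire when each IP tries one or two
    accounts; counting distinct accounts failing per window does."""
    fails = [e for e in events if e[3] == "FAIL"]
    alerts, i = [], 0
    while i < len(fails):
        j = i
        while j + 1 < len(fails) and fails[j + 1][0] - fails[i][0] <= window:
            j += 1
        chunk = fails[i:j + 1]
        users = {e[1] for e in chunk}
        if len(users) >= min_users:
            alerts.append({
                "start": chunk[0][0], "end": chunk[-1][0],
                "users": len(users), "ips": len({e[2] for e in chunk}),
                "targets": users,
            })
            i = j + 1           # consume the whole window once it has alerted
        else:
            i += 1
    return alerts


def sprayed_then_success(events, alerts, lookahead=SUCCESS_LOOKAHEAD):
    """A success for a sprayed account shortly after the spray is the
    'password found' follow-through worth treating as a compromise."""
    hits = []
    for ts, user, ip, result in events:
        if result != "SUCCESS":
            continue
        for a in alerts:
            if user in a["targets"] and a["start"] <= ts <= a["end"] + lookahead:
                hits.append((ts, user, ip))
                break
    return hits


# Constructed sample: six accounts, six source IPs, one attempt each, then a
# success for a sprayed account from yet another IP; grace is ordinary noise.
SAMPLE_VPN_LOG = [
    "2026-05-19T02:00:00 alice 203.0.113.11 FAIL",
    "2026-05-19T02:02:00 bob 203.0.113.12 FAIL",
    "2026-05-19T02:05:00 carol 198.51.100.22 FAIL",
    "2026-05-19T02:07:00 dave 198.51.100.23 FAIL",
    "2026-05-19T02:10:00 erin 192.0.2.33 FAIL",
    "2026-05-19T02:12:00 frank 192.0.2.34 FAIL",
    "2026-05-19T02:40:00 alice 192.0.2.77 SUCCESS",
    "2026-05-19T09:15:00 grace 10.20.30.40 FAIL",
    "2026-05-19T09:15:30 grace 10.20.30.40 SUCCESS",
]

if __name__ == "__main__":
    evs = parse_vpn_log(SAMPLE_VPN_LOG)
    found = detect_spray(evs)
    for a in found:
        print(f"spray {a['start']}..{a['end']}: {a['users']} accounts from {a['ips']} IPs")
    for ts, user, ip in sprayed_then_success(evs, found):
        print(f"possible compromise: {user} succeeded from {ip} at {ts}")
```

In the sample every source IP fails exactly once, so a per-IP rule set at any sensible threshold stays silent; the account-centric window fires on the sixth failure, and the later success for `alice` from an IP outside the spray set is surfaced as the item to escalate.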
UK Cold-Chain Logistics: Peter Green Chilled Ransomware Attack Disrupts Nine Supermarket Chains
The week of May 18–24 brought continued fallout from the UK retail sector campaign attributed to actors associated with Scattered Spider using the DragonForce ransomware encryptor. Cold-chain logistics provider Peter Green Chilled — which supplies refrigerated goods to Tesco, Sainsbury’s, M&S, Waitrose, Aldi, Asda, Co-op, Ocado, and Morrisons — was hit with ransomware on May 20, disrupting refrigerated goods supply chains across virtually the entire UK major supermarket sector simultaneously. The attack follows the same initial access methodology as the preceding M&S (£300M+ profit impact), Co-op (6.5M customer records, £206M revenue loss), and Harrods (430,000+ customer records) incidents: social engineering and vishing calls to help desks impersonating employees to manipulate agents into credential resets or MFA bypass. The DragonForce encryptor then targets VMware ESXi hosts for mass VM encryption, followed by double extortion: exfiltrate, then encrypt. The targeting of a logistics supplier rather than a retailer directly demonstrates that Scattered Spider’s UK campaign has moved from targeting high-profile brands to targeting their critical infrastructure dependencies.
Operation Saffron: First VPN Dismantled — 33 Servers, Ukrainian Admin Arrested
An 18-country law enforcement operation (“Operation Saffron”) coordinated by France and the Netherlands, with Europol and Eurojust support, dismantled First VPN (1vpns.com) — a criminal-use VPN service active since approximately 2014 offering exit nodes in 27 countries. The operation seized 33 servers, took down primary domains, and arrested the Ukrainian administrator following a house search. Europol stated First VPN “appeared in almost every major cybercrime investigation” in recent years and was reportedly used by at least 25 ransomware groups for network reconnaissance, intrusion, and post-exploitation anonymization. Criminal-use VPN services occupy a specific role in ransomware operations as anonymization infrastructure distinct from the malware or exploitation tooling; their disruption raises operational costs and exposure risk for affiliates without directly disrupting the ransomware platform itself. Combined with the Lumma and DanaBot takedowns the same week, Operation Saffron represents concurrent pressure across multiple layers of the criminal infrastructure stack.
Scattered Spider’s UK campaign is a supply chain attack on the retail sector, not just a series of individual retailer breaches. The targeting of Peter Green Chilled — invisible to consumers but central to the cold-chain logistics of nine major supermarket chains — demonstrates that the campaign has moved from brand-name targets to critical infrastructure dependencies. An attacker who successfully disrupts cold-chain logistics causes consumer-visible impact (empty shelves, spoiled goods) without needing to directly breach any of the household-name retailers. The implication for sector-wide defense is that supply chain risk assessments and third-party security reviews need to extend to logistics and operational infrastructure providers, not just technology vendors. A vishing-based help desk compromise at a logistics provider can have sector-wide economic impact that rivals a direct breach of a major retailer.
Also Worth Tracking
ClickFix Fake CAPTCHA Lures: Primary LummaC2 Delivery Vector, Still Active Post-Takedown
CISA’s AA25-141B advisory documented ClickFix fake CAPTCHA pages as one of LummaC2’s primary delivery mechanisms — a lure type that has seen substantial reuse by other stealer families and that will persist beyond the LummaC2 infrastructure takedown. ClickFix pages present a fake “browser verification” or “Cloudflare check” that instructs users to paste a command into a Windows Run dialog or PowerShell prompt. The technique bypasses email security entirely by hosting payloads on legitimate infrastructure and requiring user action that is not intercepted by browser security extensions. Security awareness training should specifically cover this lure type; detection should include monitoring for PowerShell or cmd.exe processes launched from browser processes and for execution of base64-decoded commands from user input contexts.
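The two detection ideas in this paragraph (a shell launched by a browser process, and an encoded command executed from a user-input context) translate into a small process-creation triage, shown here as an added example rather than CISA detection content. It assumes Sysmon EID 1 or Windows 4688-style fields (ParentImage, Image, CommandLine) and treats explorer.exe as the parent of a Run-dialog launch; that treatment, the parent and child lists, and all sample events are constructed, and the encoded payload in the sample is an inert Write-Output string.

```python
"""Flag ClickFix-style executions in process-creation telemetry: a shell or
script host spawned by a browser, or an encoded PowerShell command launched
from a user-driven parent (a browser, or explorer.exe for the Run dialog).

Added example, not CISA's detection content. Assumptions: Sysmon EID 1 /
Windows 4688-style fields (ParentImage, Image, CommandLine); the treatment of
explorer.exe as the Run-dialog parent and all sample events are constructed.
"""
import base64
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
USER_CONTEXT_PARENTS = BROWSERS | {"explorer.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_RE = re.compile(r"(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_process_event(ev):
    """Return (reasons, decoded_command) for a suspicious event, else None."""
    parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
    decoded = decode_encoded_command(ev.get("CommandLine", ""))
    reasons = []
    if parent in BROWSERS and child in SHELLS:
        reasons.append("shell_spawned_by_browser")
    if decoded is not None and parent in USER_CONTEXT_PARENTS:
        reasons.append("encoded_command_from_user_context")
    return (reasons, decoded) if reasons else None


# Constructed, inert payload so the sample stays harmless.
SAMPLE_PAYLOAD = "Write-Output 'constructed clickfix sample'"
SAMPLE_ENC = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode()

POWERSHELL = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    # Pasted into a browser-launched prompt: both signals present.
    {"ParentImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
     "Image": POWERSHELL, "CommandLine": f"powershell.exe -NoProfile -e {SAMPLE_ENC}"},
    # Pasted into the Run dialog: encoded command from a user context.
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": POWERSHELL, "CommandLine": f"powershell.exe -EncodedCommand {SAMPLE_ENC}"},
    # A user simply opening PowerShell: nothing to flag.
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": POWERSHELL, "CommandLine": "powershell.exe"},
    # Scheduled-task style: encoded, but not from a user-driven parent.
    {"ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": POWERSHELL, "CommandLine": f"powershell.exe -EncodedCommand {SAMPLE_ENC}"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage_process_event(ev))
```

Decoding the payload in the detection path is what makes the alert actionable: the analyst sees the pasted command rather than a base64 blob. Restricting the encoded-command rule to user-driven parents keeps scheduled tasks and management agents, which legitimately use -EncodedCommand, out of the queue.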
Coinbase Vishing Campaign: Active Post-Breach, Targeting Asset Transfer
Following the Coinbase data breach disclosure, threat actors are conducting active vishing campaigns using the stolen dataset to impersonate Coinbase support and convince victims to transfer cryptocurrency to “secure wallets.” The call script exploits recipient knowledge of their own account details — balance, recent transaction history, last four of SSN — to establish credibility before directing fund transfers. Legitimate cryptocurrency exchanges do not initiate outbound calls asking users to move funds; any unsolicited call referencing account security and requesting wallet transfers should be treated as fraud regardless of how many accurate personal details the caller presents. Users in the affected Coinbase data population (approximately 97,000) should be briefed specifically on this threat pattern.
Interlock Ransomware: Healthcare Sector Pattern, Long-Dwell Exfiltration Before Encryption
The Kettering Health incident establishes Interlock’s operational pattern clearly enough to inform defensive posture. The group consistently achieves initial access 30–45 days before encryption, uses the dwell time for systematic privilege escalation and data staging, and exfiltrates large volumes of PII-rich healthcare records before triggering the encryptor. Detection at the encryption event is therefore 41 days too late. Healthcare organizations should treat any new host connecting to Epic EHR infrastructure from an IP not in the management baseline, any large internal file copy operation, and any new privileged account creation as pre-ransomware signals requiring immediate investigation. The 941 GB exfiltration at Kettering would have generated detectable network traffic if outbound data transfer monitoring was in place — that monitoring gap is the most tractable defensive improvement in this threat scenario.
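The pre-ransomware signals named here and in the brief's dwell-time bullet (EHR access from outside the management baseline, large internal copies, outbound volume, new privileged accounts) can be scored from normalised flow records and Windows security events. The block below is an added example, not Kettering Health's, Epic's or Interlock-specific detection content. It assumes flow records and Windows events in the dict shape shown, with 4720 (account created) and 4728/4732 (member added to a global/local security group) as the account events; host names, the IP baseline, thresholds and all sample events are constructed.

```python
"""Score pre-detonation signals from the dwell window: EHR access from outside
the management baseline, large internal copies, daily outbound volume per host,
and privileged-group additions for freshly created accounts.

Added example, not Kettering Health's or Epic's tooling. Assumptions: flow
records and Windows security events normalised to the dict shape below
(4720 = account created, 4728/4732 = member added to a global/local security
group); host names, IP baseline, thresholds and sample events are constructed.
"""
from collections import defaultdict

EHR_HOSTS = {"ehr-db-01", "ehr-app-01"}              # constructed
MGMT_BASELINE = {"10.10.5.10", "10.10.5.11"}         # constructed management jump hosts
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators"}
GB = 1024 ** 3
LARGE_INTERNAL_COPY = 10 * GB        # single internal transfer
LARGE_OUTBOUND_PER_DAY = 50 * GB     # summed per source host per calendar day
GROUP_ADD_EVENTS = {4728, 4732}


def score_events(events):
    """Return (signal, subject, detail) tuples; outbound volume is summed per day."""
    alerts, outbound_per_day, created = [], defaultdict(int), set()
    for ev in events:
        if ev["type"] == "flow":
            if ev["dst_host"] in EHR_HOSTS and ev["src_ip"] not in MGMT_BASELINE:
                alerts.append(("ehr_access_outside_baseline", ev["src_ip"], ev["dst_host"]))
            if ev["direction"] == "internal" and ev["bytes"] >= LARGE_INTERNAL_COPY:
                alerts.append(("large_internal_transfer", ev["src_ip"], ev["dst_host"]))
            if ev["direction"] == "outbound":
                outbound_per_day[(ev["src_ip"], ev["ts"][:10])] += ev["bytes"]
        elif ev["type"] == "windows":
            user = ev["target_user"].lower()
            if ev["event_id"] == 4720:
                created.add(user)
            elif ev["event_id"] in GROUP_ADD_EVENTS and ev["group"].lower() in PRIVILEGED_GROUPS:
                kind = "new_privileged_account" if user in created else "privileged_group_change"
                alerts.append((kind, ev["target_user"], ev["group"]))
    for (src, day), total in outbound_per_day.items():
        if total >= LARGE_OUTBOUND_PER_DAY:
            alerts.append(("large_outbound_transfer", src, f"{day} {total // GB} GB"))
    return alerts


# Constructed sample spanning a dwell window: a workstation outside the baseline
# reaches the EHR database, stages a large copy, then pushes 60 GB out in one day.
SAMPLE_EVENTS = [
    {"type": "flow", "ts": "2026-04-15T03:12:00", "src_ip": "10.10.5.10",
     "dst_host": "ehr-db-01", "direction": "internal", "bytes": 50 * 1024 ** 2},
    {"type": "flow", "ts": "2026-04-16T01:40:00", "src_ip": "10.40.7.23",
     "dst_host": "ehr-db-01", "direction": "internal", "bytes": 200 * 1024 ** 2},
    {"type": "flow", "ts": "2026-04-18T02:05:00", "src_ip": "10.40.7.23",
     "dst_host": "file-srv-02", "direction": "internal", "bytes": 30 * GB},
    {"type": "flow", "ts": "2026-04-20T02:00:00", "src_ip": "10.40.7.23",
     "dst_host": "203.0.113.50", "direction": "outbound", "bytes": 20 * GB},
    {"type": "flow", "ts": "2026-04-20T03:00:00", "src_ip": "10.40.7.23",
     "dst_host": "203.0.113.50", "direction": "outbound", "bytes": 20 * GB},
    {"type": "flow", "ts": "2026-04-20T04:00:00", "src_ip": "10.40.7.23",
     "dst_host": "203.0.113.50", "direction": "outbound", "bytes": 20 * GB},
    {"type": "windows", "ts": "2026-04-17T23:58:00", "event_id": 4720,
     "target_user": "svc_backup2", "group": ""},
    {"type": "windows", "ts": "2026-04-17T23:59:00", "event_id": 4728,
     "target_user": "svc_backup2", "group": "Domain Admins"},
    {"type": "windows", "ts": "2026-04-19T10:00:00", "event_id": 4732,
     "target_user": "jdoe", "group": "Remote Desktop Users"},
]

if __name__ == "__main__":
    for alert in score_events(SAMPLE_EVENTS):
        print(*alert)
```

None of the individual flows in the sample is remarkable on its own; the outbound signal only appears once volume is summed per source host per day, which is the monitoring gap the paragraph above identifies as the most tractable fix. Correlating 4720 with a later privileged-group add separates a newly minted admin from routine membership changes to existing accounts.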
Three Concurrent Takedowns in One Week: LummaC2, DanaBot, First VPN
The LummaC2 infrastructure seizure, the DanaBot disruption and indictment, and the First VPN takedown landing in the same operational week is unlikely to be accidental: simultaneous multi-country actions against three distinct criminal platforms in a single week reflect significant, sustained inter-agency coordination. The practical message for defenders is that the criminal infrastructure disruptions are meaningful but temporary. Historically, MaaS operators have reconstituted within weeks to months. The window between takedown and reconstitution — when implants exist on hosts but cannot reach C2 — is an opportunity for organizations to identify and remediate infections before operators reestablish connectivity. This window is narrow; organizations should act on it now.
Analyst Assessment: May 18–24 in Context
The LummaC2 takedown is the most significant single-week disruption to the ransomware initial access ecosystem in years, but its impact depends entirely on what defenders do in the next few weeks. The 2,300 domain seizure breaks current C2 connectivity for Lumma implants on infected hosts. Operators will rebuild. The window between takedown and reconstitution — where implants are dormant on infected systems — is the optimal time for organizations to hunt and remediate. Lumma specifically harvests credentials without leaving persistent mechanisms, so the hunting objective is identifying systems that may have communicated with Lumma infrastructure rather than finding running malware. The CISA advisory IOCs, combined with DNS telemetry from the seized domain list, provide the hunting starting point. Organizations that use this window will come out ahead; those that wait for reconstituted infrastructure to resume beaconing will face the same problem again.
The APT28 advisory and Ivanti EPMM exploitation together define the week’s most urgent unresolved threats for enterprise defenders. APT28’s sustained logistics espionage campaign has been running for over three years and remains active; the advisory is not describing a historical campaign but an ongoing one. Ivanti EPMM exploitation by UNC5221 has public PoCs and CISA KEV additions — the remediation window is measured in hours for internet-facing deployments. These are not “watch this space” items; they are active campaigns requiring immediate operational response from organizations in scope.
Scattered Spider’s progression from retail brands to retail logistics infrastructure marks a strategic evolution in the campaign’s ambition. Targeting a cold-chain logistics provider rather than a retailer directly achieves broader economic disruption — affecting nine supermarket chains simultaneously — while targeting an organization with less visible public profile and potentially less mature incident response capability. Security teams in the retail sector should extend their threat model to cover logistics and supply chain dependencies as first-class targets, not just technology vendors.
What to do this week: (1) Hunt for LummaC2 indicators using CISA AA25-141B IOCs; rotate all browser-stored credentials on any potentially exposed hosts. (2) Patch Ivanti EPMM for CVE-2025-4427 and CVE-2025-4428 immediately; if patching is delayed, take the server offline and hunt for KrustyLoader and Sliver artifacts. (3) Test help desk social engineering procedures against vishing attacks; implement callback verification to known employee phone numbers before any credential reset or MFA bypass. (4) For healthcare organizations: implement outbound data transfer monitoring and establish Epic EHR management IP baselines; treat new privileged accounts and large internal transfers as pre-ransomware signals. (5) Review VPN access logs for password spraying patterns consistent with APT28 TTPs if your organization has any role in logistics, defense, or technology supporting Ukraine-bound activity.
Sources
- CISA — AA25-141B: LummaC2 Malware Advisory
- DOJ — Justice Department Seizes Domains Behind Major Information-Stealing Malware Operation
- Microsoft On the Issues — Microsoft Leads Global Action Against Favored Cybercrime Tool
- BleepingComputer — Lumma Infostealer Malware Operation Disrupted, 2,300 Domains Seized
- The Hacker News — US Dismantles DanaBot Malware Network, Charges 16 Russian Nationals
- Help Net Security — Operation Endgame: DanaBot Botnet Disrupted, QakBot Leader Indicted
- Wiz Research — Ivanti EPMM RCE Vulnerability Chain: CVE-2025-4427 and CVE-2025-4428
- EclecticIQ — China-Nexus Threat Actor Actively Exploiting Ivanti EPMM CVE-2025-4428
- CISA / Qualys — CISA Warns of Ivanti EPMM Unauthenticated RCE Vulnerabilities
- CISA / 21-Agency Joint Advisory — Russian GRU Targeting Western Logistics Entities and Technology Companies
- CyberScoop — Russian APT28 Cyberattacks Target Western Logistics Supporting Ukraine
- Healthcare Dive — Kettering Health Cyberattack: Ransomware Group Interlock Claims Responsibility
- HIPAA Journal — Kettering Health Ransomware Attack: 1.7M Affected
- Infosecurity Magazine — DragonForce Group Behind M&S, Co-op, and Harrods Attacks
- CM Alliance — May 2025 Biggest Cyber Attacks, Ransomware Attacks and Data Breaches
- Bitdefender — Operation Saffron: Bitdefender Joins First VPN Takedown
- Halborn — Explained: The Coinbase Extortion Attack (May 2025)
- The Hacker News — Weekly Recap: APT Campaigns, Browser Attacks, and Critical Infrastructure Hits
This post was generated with Claude by Anthropic, based on source reporting from the publications listed above and analysis of 28 IOC submissions to iocget.com between May 18–24, 2026.