Unit 42 Threat Bulletin - May 2025


Welcome to our May Threat Bulletin! We’ve worked hard this past month curating key articles and valuable resources that we think you'll find incredibly useful for staying ahead in cybersecurity. 

We’d love to hear your thoughts. Please drop a comment below and tell us what you think!


Threat Actor Spotlight


Muddled Libra Threat Surge

What's happening: Muddled Libra is a cybercriminal group that uses shrewd social engineering methods to trick organizations into giving access to their systems. The group has expanded its attacks from tech and outsourcing companies to industries like hospitality and finance. They target help desks and employees, often convincing them to reset passwords or bypass security steps.

Impact: Their attacks can lead to theft of sensitive data, disruption of business operations and even ransom demands after encrypting important files. Muddled Libra is skilled at bypassing security, making it hard for organizations to keep them out. They have also used stolen information to attack a company’s customers or partners, causing even wider damage.

Take action: Organizations should strengthen security by using robust multifactor authentication and limiting access to only what employees need. Regular training for staff — especially help desk teams — can help them spot and resist social engineering tricks. Monitoring for unusual activity and having a plan for responding to incidents are also key to staying protected.

Learn more


Spotlight Threat: Need-to-Know Threat Actor Activity


Threat Actors Master Synthetic Identity Creation

What's happening: North Korean threat actors are using real-time deepfake technology to create synthetic identities and infiltrate organizations via remote job interviews, posing security, legal and compliance risks.

Impact: These tactics enable sanctioned actors to evade detection, secure employment, and generate revenue for North Korea, while making it harder for companies to identify fraudulent candidates. 

Take action: Implement layered defenses: require live video interviews, use advanced ID verification, train staff to spot deepfake signs, monitor for suspicious activity, and coordinate HR and security efforts to strengthen hiring processes.

Get the details


TTP Breakdown: Unpacking the Latest Threat Actor Tactics, Techniques and Procedures


Active Exploitation: SAP NetWeaver CVE-2025-31324

What’s happening: A critical vulnerability in SAP NetWeaver’s Visual Composer component allows anyone on the internet to upload malicious files to affected servers — no login required. Attackers are actively exploiting this flaw by sending specially crafted requests to the component’s upload endpoint, letting them install web shells and gain remote control.

Impact: Successful exploitation lets attackers take full control of SAP systems, run commands as administrators, steal data and deploy additional malware. Organizations have already seen attackers use this flaw to install persistent web shells, conduct reconnaissance and move deeper into networks. The risk is especially high because attacks are happening in the wild and the flaw is easy to exploit.

Take action: Immediately apply SAP’s security updates. If your organization doesn’t use Visual Composer, disable it to reduce your attack surface. Monitor for unusual activity on SAP servers, especially unexpected file uploads or new web shells.
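As an added illustration of the monitoring advice above (example code, not Unit 42’s or SAP’s own tooling), the following Python script flags JSP files written after a baseline timestamp whose content carries common web-shell indicators; the web root path and file names are placeholders, and the samples are constructed.

```python
"""Heuristic scan for newly written JSP web shells on an SAP NetWeaver host.
Added example (not Unit 42 code): the web root is a placeholder and the baseline
timestamp should come from a known-good state of the server."""
import os
import re
from typing import List, Optional, Tuple

# Primitives commonly seen in JSP web shells: OS command execution, request
# parameters feeding it, and classes loaded from decoded bytes at runtime.
INDICATORS = {
    "exec": re.compile(r"Runtime\.getRuntime\(\)\.exec|ProcessBuilder"),
    "param-to-exec": re.compile(r"request\.getParameter\("),
    "dynamic-class": re.compile(r"defineClass|Base64\.getDecoder"),
}
STRONG = ("exec", "dynamic-class")  # getParameter alone is ordinary JSP usage
SUSPECT_EXT = (".jsp", ".jspx")
Finding = Tuple[str, List[str]]     # (path, matched indicator names)

def classify(path: str, content: str, mtime: float, since: float) -> Optional[Finding]:
    """Flag a JSP written after `since` whose content hits a strong indicator."""
    if not path.lower().endswith(SUSPECT_EXT) or mtime < since:
        return None
    reasons = [name for name, rx in INDICATORS.items() if rx.search(content)]
    return (path, reasons) if any(r in STRONG for r in reasons) else None

def scan_directory(root: str, since: float) -> List[Finding]:
    """Walk `root` (the NetWeaver web root, a placeholder) and classify files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    found = classify(full, fh.read(), os.path.getmtime(full), since)
            except OSError:
                continue
            if found:
                findings.append(found)
    return findings

# Constructed samples (path, content, mtime) standing in for files on disk.
SAMPLES = [
    ("webroot/tools.jsp", '<% String q = request.getParameter("q"); ProcessBuilder pb; %>', 2000.0),
    ("webroot/index.jsp", '<% String p = request.getParameter("page"); %>', 2000.0),
    ("webroot/old.jsp", "<% ProcessBuilder pb; %>", 500.0),  # predates the baseline
    ("webroot/loader.jsp", "<% byte[] b = Base64.getDecoder().decode(s); %>", 2000.0),
]

def demo(since: float = 1000.0) -> List[Finding]:
    """Run the classifier over SAMPLES with a constructed baseline of 1000.0."""
    return [f for f in (classify(p, c, m, since) for p, c, m in SAMPLES) if f]
```

On a live host, call `scan_directory` with the real web root and a timestamp from the last verified-clean state; any hit should be treated as a lead for incident response, not a verdict.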

Dive deeper


Get Ahead

Unit 42 Insider Threat Services help detect, deter, and disrupt malicious and accidental insider threats, leveraging our years of experience to ensure your organization remains resilient against internal risks.

Stay vigilant,

Your Unit 42 Team


Hot Research


Never miss out on new Unit 42 research. Subscribe to our Threat Research Center.
