SourceForge Office Malware, Kellogg Clop Breach, Seattle Port Ransomware – Cybersecurity News [April 07, 2025]
From crypto-mining malware hiding in Office tools to ransomware attacks shaking up ports and pension funds, this week’s cybersecurity bulletin has it all. Whether you use WhatsApp on Windows or manage your retirement savings online, these incidents are a reminder of how quickly threats evolve—and how easy it is to become a target.
Malicious Microsoft Office Add-ins Distributed Through SourceForge
Threat actors have been using SourceForge to distribute fake Microsoft Office add-ins that install malware on victims' systems, both mining cryptocurrency on the hijacked hardware and stealing it by swapping wallet addresses.
SourceForge is a well-known platform for hosting and sharing open-source software. Its open model lets anyone publish a project, and that openness is occasionally misused. Such abuse is uncommon, but Kaspersky recently discovered a malicious campaign using the site to deliver malware. The fake project, called "officepackage," mimicked a real Microsoft tool and was made to look genuine. It showed up in search results for Office add-ins and was linked to a site hosted through SourceForge's web hosting feature.
The download button led to a password-protected ZIP file containing an unusually large MSI installer; the password prevents scanning inside the archive, and the file size pushes the installer past the limits many antivirus engines apply. Once launched, the installer ran scripts that checked for security software, established persistence through registry changes, and dropped tools such as Netcat and AutoIt. These were used to run a cryptocurrency miner and a clipper, malware that watches the clipboard and silently replaces any copied wallet address with one belonging to the attacker. The attacker also used Telegram to exfiltrate stolen data and to deliver additional malware on demand.
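To make the clipper's trick concrete, here is an added example (not code from the campaign or from Kaspersky's report) that simulates the attacker side and the one check a user can do about it: the address you copied must be the address you paste. The address patterns are simplified, and the victim and attacker addresses are constructed placeholders that merely satisfy those patterns.

```python
import re

# Simplified patterns for common wallet address families (assumption: a clipper
# uses similar regexes to recognise what the user just copied).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# Constructed placeholder addresses; none of these are real wallets.
VICTIM_BTC = "1VictimBTCAddrKeepSafeXyz98765"
VICTIM_ETH = "0x" + "cafebabe" * 5
ATTACKER_ADDRESSES = {
    "btc_legacy": "1AttackerBTCAddrSwapHereXyz123456",
    "btc_bech32": "bc1qattackerswapped0000000000000000000000",
    "eth": "0x" + "deadbeef" * 5,
}


def address_type(text: str):
    """Return the address family `text` belongs to, or None if it is not an address."""
    s = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return name
    return None


def clipper_swap(clipboard_text: str, attacker_addresses=ATTACKER_ADDRESSES) -> str:
    """Attacker side: if the clipboard holds a wallet address, replace it with the
    attacker's address of the same family so the swap is not visually obvious.
    Anything that is not an address is left untouched to avoid raising suspicion."""
    kind = address_type(clipboard_text)
    if kind is None or kind not in attacker_addresses:
        return clipboard_text
    return attacker_addresses[kind]


def paste_is_tampered(copied: str, pasted: str) -> bool:
    """Defender side: two address-like strings that differ mean something rewrote
    the clipboard between copy and paste."""
    return (address_type(copied) is not None
            and address_type(pasted) is not None
            and copied.strip() != pasted.strip())


def simulate_transfer(user_copies: str) -> dict:
    """Walk one copy/paste through an infected clipboard and report what happened."""
    clipboard = clipper_swap(user_copies)  # the malware rewrites the clipboard here
    return {
        "copied": user_copies,
        "pasted": clipboard,
        "tampered": paste_is_tampered(user_copies, clipboard),
    }


if __name__ == "__main__":
    for sample in (VICTIM_BTC, VICTIM_ETH, "meeting at 10am"):
        print(simulate_transfer(sample))
```

The practical takeaway is the `paste_is_tampered` check: before confirming a transfer, compare the first and last characters of the pasted address with the one you copied from the exchange or recipient, because the swapped address will be of the same family and look plausible at a glance.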
The best way to avoid such attacks is to always download tools from official or verified sources. Avoid third-party websites, and make sure your antivirus software is active and up to date.
WK Kellogg Reports Data Breach Tied to Clop Ransomware
Food manufacturer WK Kellogg Co has confirmed that sensitive employee and vendor data was compromised during the widespread Cleo data theft attacks in late 2024.
WK Kellogg learned of the incident in February 2025, immediately launched an investigation and contacted Cleo. Unauthorized access to the company's file transfer servers took place on 7 December 2024. Those servers were used to send employee data to human resources vendors, and the threat actors exfiltrated personal data including names and Social Security Numbers (SSNs).
The flaws exploited in the attack (CVE-2024-50623 and CVE-2024-55956, both in Cleo's managed file transfer products) gave the attackers access to the servers and let them steal data. Although WK Kellogg did not directly name the Clop ransomware group, the timeline matches Clop's known exploitation of these flaws, and the company, which separated from Kellogg's in 2023 and reports annual revenue of about $2.7 billion, was recently listed on Clop's extortion site.
Affected individuals are being offered one year of free identity monitoring and fraud protection from Kroll; claim it if you were notified. Beyond that, monitor your financial accounts, place fraud alerts and consider freezing your credit files to prevent misuse.
Ransomware Attack on Port of Seattle Affects 90,000 Individuals
The Port of Seattle is notifying around 90,000 people after a ransomware attack in August 2024 led to the theft of sensitive personal data. The breach affected key systems at Seattle-Tacoma International Airport and other services under the Port’s management.
The attack, attributed to the Rhysida ransomware group, disrupted reservation systems, display boards, the Port website, and the flySEA app. Flights were delayed, and most normal operations were affected. The Port confirmed Rhysida’s involvement three weeks after the incident and decided not to pay the ransom, despite threats that stolen data would be leaked. The stolen data includes combinations of names, birth dates, SSNs (or parts of them), driver’s license details, and some medical information. The breach impacted employee, contractor, and parking data, and the Port clarified that it holds little data on passengers and that payment systems were not compromised.
On 3 April 2025 the Port began sending letters to those impacted, noting that operations with airlines, cruise lines and federal agencies were not affected. If you received a notice, watch for suspicious account activity and consider placing a fraud alert.
Australian Pension Funds Targeted in Credential Stuffing Surge
Over the weekend, several major Australian superannuation funds were hit by a wave of credential-stuffing attacks.
Attackers took username and password pairs leaked in earlier, unrelated breaches and replayed them against the funds' login portals, betting that members had reused the same credentials. Thousands of people were left at risk and some suffered financial losses. According to the ASFA (Association of Superannuation Funds of Australia), a number of accounts were breached, though most attempts were blocked.
Major funds including AustralianSuper, Hostplus, REST, Australian Retirement Trust and Insignia Financial confirmed they were targeted. AustralianSuper reported that at least 600 member accounts were accessed with stolen passwords; it locked those accounts quickly and informed the members. REST shut down its MemberAccess portal after detecting suspicious activity and said around 8,000 users had basic details exposed, though no funds were stolen.
Hostplus also confirmed no financial loss. Insignia Financial's Expand Platform saw around 100 accounts accessed through automated tools, although investigators have found no signs of fraud. HESTA and Mercer Super confirmed they were not impacted.
ASFA has launched a hotline and a security toolkit under its Financial Crime Protection Initiative to boost coordination across the sector. If you wish to stay protected against such attacks, do not reuse passwords, enable multi-factor authentication, and keep your devices and apps up to date.
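What distinguishes a credential-stuffing wave from ordinary failed logins is its shape: one source tries many different accounts, a few attempts each, rather than hammering a single account. The following added example (not code from any of the funds or from ASFA) runs that detection logic over a constructed authentication log and reports, for each flagged source, the accounts it managed to log into, which are the ones to lock and notify. The log format and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real fund); one event per
# line: ISO-8601 timestamp, outcome, source IP, username.
SAMPLE_LOG = """\
2025-04-05T02:00:01Z FAIL 203.0.113.7 alice.m
2025-04-05T02:00:03Z FAIL 203.0.113.7 bob.k
2025-04-05T02:00:05Z FAIL 203.0.113.7 carol.d
2025-04-05T02:00:07Z SUCCESS 203.0.113.7 dave.p
2025-04-05T02:00:09Z FAIL 203.0.113.7 erin.s
2025-04-05T02:00:11Z FAIL 203.0.113.7 frank.t
2025-04-05T02:00:13Z FAIL 203.0.113.7 grace.h
2025-04-05T02:00:15Z FAIL 203.0.113.7 heidi.w
2025-04-05T02:01:00Z FAIL 198.51.100.4 ivan.r
2025-04-05T02:01:20Z FAIL 198.51.100.4 ivan.r
2025-04-05T02:01:45Z SUCCESS 198.51.100.4 ivan.r
2025-04-05T02:02:00Z FAIL 192.0.2.9 judy.l
2025-04-05T02:02:05Z FAIL 192.0.2.9 judy.l
2025-04-05T02:02:10Z FAIL 192.0.2.9 judy.l
2025-04-05T02:02:15Z FAIL 192.0.2.9 judy.l
2025-04-05T02:02:20Z FAIL 192.0.2.9 judy.l
2025-04-05T02:02:25Z FAIL 192.0.2.9 judy.l
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, outcome, ip, user) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, outcome, ip, user = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), outcome, ip, user))
    events.sort(key=lambda e: e[0])
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag source IPs that try at least `min_accounts` distinct usernames within
    `window`. A single account hit many times (192.0.2.9 above) is a brute force,
    not stuffing, and a user mistyping their own password (198.51.100.4) is neither."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[2]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        # Peak number of distinct accounts inside any window starting at an event.
        peak = 0
        for i, (start, _, _, _) in enumerate(evs):
            users = {u for t, _, _, u in evs[i:] if t - start <= window}
            peak = max(peak, len(users))
        if peak >= min_accounts:
            findings[ip] = {
                "distinct_accounts": peak,
                "failures": sum(1 for e in evs if e[1] == "FAIL"),
                # Successful logins from a stuffing source are the likely takeovers.
                "successful_logins": sorted({u for _, o, _, u in evs if o == "SUCCESS"}),
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

In the sample only 203.0.113.7 is flagged, with `dave.p` as the account that was actually entered; in production the same per-source view is what lets a fund lock exactly the accessed accounts, as AustralianSuper did, rather than every account that saw a failed login.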
PoisonSeed Phishing Campaign Linked to Emails Containing Wallet Seed Phrases
There’s also a new phishing campaign called ‘PoisonSeed,’ targeting users of popular cryptocurrency platforms like Coinbase and Ledger.
The threat actors are using compromised corporate email marketing accounts to send messages that contain attacker-controlled wallet seed phrases. According to Silent Push, the campaign begins by identifying people who manage or have access to CRM and bulk email tools. These individuals are sent phishing emails from spoofed addresses that lead to fake login pages designed to harvest their credentials.
Once they gain access, the threat actors export the mailing lists and create new API keys so they keep control of the account even if the password is later changed. They then use the compromised accounts, on platforms including Mailchimp, SendGrid, HubSpot, Mailgun and Zoho, to send crypto-themed phishing emails claiming that the platform is moving to self-custodial wallets. Each email includes a wallet seed phrase and instructs the recipient to set up a new wallet with it. Because the attackers already hold that phrase, any funds the victim transfers into the wallet are immediately theirs to drain.
Legitimate platforms never send seed phrases; a phrase that arrives by email is by definition known to someone else and cannot secure anything. Always log in directly through the official website to verify any alert or request, and never follow unsolicited links.