A cybersecurity alert originally released on June 5 has now been updated with fresh warnings from the FBI, highlighting an even more dangerous threat landscape. The new advisory not only expands the technical details of the infamous Play ransomware campaign but also introduces a troubling new cyberattack vector—BADBOX 2.0. Additionally, authorities have provided updated insights into the cybercriminal collective known as Balloonfly, believed to be deeply embedded in the Play ransomware operations.
The Federal Bureau of Investigation (FBI), in collaboration with the U.S. Cybersecurity and Infrastructure Security Agency (CISA), issued a joint cybersecurity advisory as the scale and pace of Play ransomware attacks intensified throughout May. These threat actors have left their mark on a wide array of targets, from private enterprises to critical infrastructure providers. Their attacks span continents, affecting victims in both North and South America, and extending across Europe.
The FBI has stressed the need for immediate action from organizations of all sizes. “Act now,” the advisory warns, as Play ransomware actors rapidly accelerate their operations. The advisory, part of the larger Stop Ransomware campaign, is designed to arm organizations with the most up-to-date knowledge of the attackers’ evolving tactics, techniques, and procedures (TTPs). It also provides newly identified indicators of compromise that security teams can use to enhance detection and response.
This latest advisory update comes after joint investigations carried out in 2024 by the FBI, CISA, and the Australian Cyber Security Centre. These investigations revealed that the cybercriminals behind Play ransomware have significantly refined and altered their attack methods. The scale of the threat is underscored by the FBI’s confirmation that approximately 900 organizations had been targeted by Play ransomware actors—a figure that is triple what the FBI had previously reported.
Play ransomware operates as a closed ransomware group, meaning they act independently without the involvement of affiliates. This setup, as stated in the advisory, is meant to “guarantee the secrecy of deals” made using stolen data. Interestingly, ransom notes left for victims do not outline a specific payment demand or offer instructions. Instead, they instruct victims to initiate contact through unique email addresses hosted on one of two German domains. The FBI noted that “a portion of victims are contacted via telephone and are threatened with the release of the stolen data and encouraged to pay the ransom.” These intimidation tactics are calculated to push victims directly into negotiations under immense psychological pressure.
Technical details released by the FBI offer a clearer picture of the threat landscape. Play ransomware has been linked by cybersecurity researchers to North Korea’s state-sponsored Andariel hacking group, which is part of the Reconnaissance General Bureau of the Democratic People’s Republic of Korea. One of the key distributors associated with Play ransomware is the cybercrime group Balloonfly. Analysts believe Play ransomware is a “core component” of Andariel’s digital attack strategies.
Balloonfly reportedly uses malware backdoors to compromise Windows systems. According to Symantec Threat Hunter researchers, the group has primarily targeted businesses in the U.S. and Europe. Microsoft’s Threat Intelligence Center, along with the Microsoft Security Response Center, had previously observed Play ransomware being launched after cybercriminals exploited a zero-day vulnerability in the Windows Common Log File System. That particular vulnerability, catalogued as CVE-2025-29824, was addressed in Microsoft’s April Patch Tuesday update.
However, Play ransomware’s reach is not limited to a single flaw. Other exploited vulnerabilities include CVE-2022-41040 and CVE-2022-41082, both of which affected Microsoft Exchange Server, as well as CVE-2020-12812 and CVE-2018-13379, which affected Fortinet’s FortiOS. While all these vulnerabilities have now been patched, the FBI strongly urges organizations to apply these patches if they haven’t done so already. It is, as the advisory says, “a matter of some critical urgency.”
Initial access to networks is often achieved through the exploitation of “external-facing services such as Remote Desktop Protocol and Virtual Private Networks,” the FBI confirmed. Once inside, Play ransomware actors deploy popular command and control tools like Cobalt Strike and SystemBC, along with remote administration tools such as PsExec. After establishing a foothold, attackers scour the compromised systems for unsecured credentials. “Once established on a network, the ransomware actors search for unsecured credentials and use the Mimikatz credential dumper to gain domain administrator access,” the FBI stated.
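As an added illustration (not code from the advisory or from this article), the short Python detector below correlates the three stages described in the paragraph above over constructed sample log records: an RDP logon from outside the organization's internal address ranges, the default PsExec service install, and a credential-dumper process name. The internal ranges, the simplified field names, and the sample records are all assumptions.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed sample records (not real telemetry). Field names are this example's own
# simplification of Windows Security (4624, 4688) and System (7045) event data.
# 203.0.113.45 is a documentation address standing in for an external source.
SAMPLE_EVENTS = [
    {"id": 4624, "host": "fs01", "logon_type": 10, "src_ip": "203.0.113.45", "user": "svc_backup"},
    {"id": 7045, "host": "fs01", "service": "PSEXESVC", "image": r"C:\Windows\PSEXESVC.exe"},
    {"id": 4688, "host": "fs01", "image": r"C:\Users\Public\mimikatz.exe", "cmdline": "mimikatz.exe"},
    {"id": 4624, "host": "ws22", "logon_type": 10, "src_ip": "10.0.5.17", "user": "jdoe"},
    {"id": 4688, "host": "ws22", "image": r"C:\Program Files\Git\bin\git.exe", "cmdline": "git pull"},
]

# Assumed internal ranges; anything outside them counts as an external-facing source.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RDP_LOGON_TYPE = 10                      # RemoteInteractive: an RDP session
PSEXEC_SERVICE_NAMES = {"psexesvc"}      # default service name PsExec installs
CRED_DUMP_MARKERS = ("mimikatz", "sekurlsa", "lsadump")  # name-based; weak if the binary is renamed

def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def classify(ev: dict) -> Optional[str]:
    """Map one event to a stage of the intrusion chain the advisory describes, or None."""
    if ev["id"] == 4624 and ev.get("logon_type") == RDP_LOGON_TYPE and is_external(ev["src_ip"]):
        return "initial_access_rdp_external"
    if ev["id"] == 7045 and ev.get("service", "").lower() in PSEXEC_SERVICE_NAMES:
        return "remote_admin_psexec"
    if ev["id"] == 4688:
        text = (ev.get("image", "") + " " + ev.get("cmdline", "")).lower()
        if any(marker in text for marker in CRED_DUMP_MARKERS):
            return "credential_dumping"
    return None

def detect(events: List[dict]) -> Dict[str, dict]:
    """Group stage hits per host; two or more distinct stages on one host escalates."""
    findings: Dict[str, dict] = {}
    for ev in events:
        stage = classify(ev)
        if stage is None:
            continue
        entry = findings.setdefault(ev["host"], {"stages": [], "escalate": False})
        if stage not in entry["stages"]:
            entry["stages"].append(stage)
        entry["escalate"] = len(entry["stages"]) >= 2
    return findings

if __name__ == "__main__":
    for host, finding in detect(SAMPLE_EVENTS).items():
        print(host, finding)
```

A single stage on its own (an external RDP logon, say) is only a lead; the correlation of two or more on the same host is what turns it into an incident worth paging on.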
Unfortunately, the Play ransomware saga isn’t the only urgent issue on the cybersecurity radar. In a separate advisory labeled I-060525-PSA, the FBI has also issued an alert concerning a disturbing new variant of cyberattacks targeting consumers. Dubbed BADBOX 2.0, this new threat involves compromised smart home devices, which are being used as part of a larger cybercriminal campaign.
The latest BADBOX 2.0 campaign demonstrates how threat actors are expanding their targets beyond corporate networks to individual consumers through internet-connected devices. Smart TVs, security cameras, routers, and other home IoT devices are being hijacked and exploited as entry points into larger systems or to build botnets. While the FBI has yet to release complete technical documentation for this new threat, it has urged all users—businesses and individuals alike—to immediately secure and update any smart devices in their environment.
Though it may seem like every day brings a fresh cyberattack warning, the escalation of both the Play ransomware and BADBOX 2.0 threats highlights the persistent and adaptive nature of today’s cybercriminal landscape. “Sometimes, way too oftentimes, in fact, it can feel like every day is a critical attack warning day when you work in the cybersecurity field,” one cybersecurity expert remarked. That sentiment reflects the increasing frequency and severity of digital attacks that demand constant vigilance.
The FBI and CISA have issued strong recommendations for both preventing and responding to these threats. Organizations are encouraged to:
- Ensure all systems are fully patched, especially those known to be exploited by Play ransomware.
- Disable unused services, particularly those exposed to the internet, such as RDP.
- Use multifactor authentication across all access points.
- Monitor systems for suspicious lateral movement activity.
- Regularly back up critical data and store backups offline.
- Train staff to recognize phishing and social engineering attempts.
The updated advisory, enhanced with critical technical insights and threat intelligence, aims to help organizations prepare and defend against some of the most sophisticated cybercriminal activities observed in recent years. Whether it’s a state-sponsored group targeting international infrastructure or a smart home device being hijacked in a residential neighborhood, the digital battleground continues to grow more complex.
In light of these developments, staying informed and taking preemptive action remains the best defense against becoming another cyberattack statistic. As both Play ransomware and BADBOX 2.0 demonstrate, the threats are real, growing, and increasingly difficult to contain without coordinated vigilance.