CyberSecurity news

FlagThis

@research.checkpoint.com //
Microsoft's June 2025 Patch Tuesday has addressed a total of 66 vulnerabilities across its product range, with one zero-day vulnerability, CVE-2025-33053, being actively exploited in the wild. This critical flaw exists in the Web Distributed Authoring and Versioning (WebDAV) implementation, and its exploitation could lead to remote code execution. Microsoft has issued an urgent security update to mitigate this threat, even for outdated systems like Windows Server 2008 and components of the long-retired Internet Explorer. The urgency of this patch is underscored by the ongoing exploitation of the vulnerability by the Stealth Falcon APT group.

The actively exploited zero-day, CVE-2025-33053, poses a significant risk because attackers can achieve remote code execution at the local level simply by tricking a user into following a malicious link. This vulnerability has been exploited since March 2025 by Stealth Falcon, a hacking group known for targeted attacks in the Middle East. Researchers at Check Point discovered the flaw being used against a Turkish defense company, where malware was inserted to facilitate data exfiltration and the installation of a custom keylogger. The attack involves a .url file disguised as a PDF, which, when clicked, redirects to a WebDAV server controlled by the attacker, causing a legitimate Windows diagnostic tool to execute a malicious file.

Alongside the actively exploited zero-day, Microsoft's June 2025 Patch Tuesday addresses a range of other vulnerabilities, including ten that are rated as "Critical". Another notable flaw, CVE-2025-33073, affects the Windows Server Message Block (SMB) client and could allow attackers to gain SYSTEM privileges. This vulnerability is considered less likely to be exploited but can be mitigated by enforcing server-side SMB signing via Group Policy. The updates also include fixes for vulnerabilities in Microsoft Office, .NET, Visual Studio, and other products, highlighting the breadth of the security update.

Recommended read:
References :
  • isc.sans.edu: Microsoft today released patches for 67 vulnerabilities. 10 of these vulnerabilities are rated critical. One vulnerability has already been exploited and another vulnerability has been publicly disclosed before today.
  • BleepingComputer: Microsoft June 2025 Patch Tuesday fixes exploited zero-day, 66 flaws
  • Tenable Blog: Microsoft’s June 2025 Patch Tuesday Addresses 65 CVEs (CVE-2025-33053)
  • cyberinsider.com: Microsoft's June 2025 Patch Tuesday addresses 66 vulnerabilities across its product suite, including a high-severity zero-day in the WebDAV service that is currently being exploited in the wild.
  • securityonline.info: Stealth Falcon Exploits New Zero-Day (CVE-2025-33053) in Sophisticated Cyberespionage Campaign
  • Cisco Talos Blog: Microsoft Patch Tuesday for June 2025 — Snort rules and prominent vulnerabilities
  • borncity.com: Summarizes the Microsoft security updates for June 10, 2025, noting the zero-day classification.
  • Threats | CyberScoop: Microsoft Patch Tuesday addresses 66 vulnerabilities, including an actively exploited zero-day
  • hackread.com: June 2025 Patch Tuesday: Microsoft Fixes 66 Bugs, Including Active 0-Day
  • CyberInsider: Summary of the June 2025 Patch Tuesday release.
  • research.checkpoint.com: Check Point Research discovered a new campaign conducted by the APT group Stealth Falcon. The attack used a .url file that exploited a zero-day vulnerability (CVE-2025-33053) to execute malware from an actor-controlled WebDAV server.
  • gbhackers.com: Microsoft Patch Tuesday June 2025 – 66 Vulnerabilities Patched Including 2 Zero-Day
  • cyberscoop.com: Reports on Microsoft patching 66 vulnerabilities, including an actively exploited zero-day.
  • bsky.app: This month, Microsoft patched 67 vulnerabilities, including one actively exploited zero-days—CVE-2025-33053, a WebDAV RCE discovered by Check Point
  • gbhackers.com: Microsoft Windows WebDAV 0-Day RCE Vulnerability Actively Exploited in The Wild
  • www.helpnetsecurity.com: Microsoft fixes zero-day exploited for cyber espionage (CVE-2025-33053)
  • Kaspersky official blog: CVE-2025-33053: RCE in WebDAV | Kaspersky official blog
  • thehackernews.com: Microsoft Patches 67 Vulnerabilities Including WEBDAV Zero-Day Exploited in the Wild
  • blog.checkpoint.com: Inside Stealth Falcon’s Espionage Campaign Using a Microsoft Zero-Day
  • Check Point Blog: Inside Stealth Falcon's Espionage Campaign Using a Microsoft Zero-Day
  • securityonline.info: Stealth Falcon Exploits New Zero-Day (CVE-2025-33053) in Sophisticated Cyberespionage Campaign
  • Blog: Microsoft’s June addressed 66 vulnerabilities. Notably, one of them has been actively exploited, and one other has been publicly disclosed.
  • go.theregister.com: Microsoft warns of 66 flaws to fix for this Patch Tuesday, and two are under active attack
  • arcticwolf.com: Arctic Wolf's blog covering the June 2025 Microsoft Patch Tuesday, mentioning CVE-2025-33053.
  • socprime.com: A new critical zero-day RCE vulnerability in Microsoft Windows, tracked as CVE-2025-33053, has been actively exploited by the Stealth Falcon (aka FruityArmor) APT group. The flaw leads to RCE by manipulating the system’s working directory.
  • www.bleepingcomputer.com: An APT hacking group known as 'Stealth Falcon' exploited a Windows WebDav RCE vulnerability in zero-day attacks since March 2025 against defense and government organizations in Turkey, Qatar, Egypt, and Yemen.
  • arcticwolf.com: Arctic Wolf observes that Microsoft Patch Tuesday: June 2025 includes CVE-2025-33053.
  • Virus Bulletin: Check Point Research discovered a new campaign conducted by the APT group Stealth Falcon. The attack used a .url file that exploited a zero-day vulnerability (CVE-2025-33053) to execute malware from an actor-controlled WebDAV server.
  • borncity.com: Microsoft Security Update Summary (June 10, 2025)
  • www.threatdown.com: June 2025 Microsoft Patch Tuesday fixes two zero-days
  • Arctic Wolf: Microsoft Patch Tuesday: June 2025
  • Help Net Security: Microsoft fixes zero-day exploited for cyber espionage (CVE-2025-33053)
  • thecyberexpress.com: Microsoft Patch Tuesday June 2025: One Zero-Day, Nine High-risk Flaws Fixed
  • infosecwriteups.com: (CVE-2025-33053) New 0-Day in WebDAV Exposes Servers to Remote Code Execution  —  Here’s What You…
  • Action1: June 2025 Vulnerability Digest Recording
  • 0patch Blog: Micropatches Released for WEBDAV Remote Code Execution Vulnerability (CVE-2025-33053)
  • Check Point Research: CVE-2025-33053, Stealth Falcon and Horus: A Saga of Middle Eastern Cyber Espionage

Ben Weiss@fortune.com //
A pro-Israel hacktivist group known as Predatory Sparrow has claimed responsibility for a cyberattack on Nobitex, Iran's largest cryptocurrency exchange. The attack resulted in the theft and destruction of approximately $90 million in cryptocurrency. The group stated that Nobitex was targeted for allegedly financing terrorism and evading international sanctions for the Iranian regime. This incident highlights the increasing cyber conflict between Israel and Iran, with hacktivist groups playing a significant role in disruptive operations.

The hackers reportedly sent the stolen funds to inaccessible blockchain addresses, effectively "burning" the cryptocurrency and taking it out of circulation. Blockchain analysis firm Elliptic confirmed the transfer of over $90 million to multiple vanity addresses containing variations of "F--kIRGCterrorists" within their public key. This symbolic act suggests the intention was to send a political message rather than financial gain. It has been noted that Nobitex has over 10 million customers, raising concerns about the potential impact of the breach.

The attack on Nobitex follows a recent claim by Predatory Sparrow of hacking Bank Sepah, another major Iranian financial institution. These cyberattacks come amid escalating tensions and exchanges of airstrikes between Israel and Iran. Cybersecurity experts warn of a growing digital conflict unfolding behind the scenes, with the potential for broader spillover effects. The situation emphasizes the vulnerability of cryptocurrency exchanges to sophisticated cyberattacks and the need for enhanced cybersecurity measures.

Recommended read:
References :
  • infosec.exchange: LorenzoFB post on Infosec Exchange about the group claiming responsibility for Iranian Bank Hack.
  • techcrunch.com: TechCrunch article on pro-Israel hacktivist group claiming responsibility for Iranian bank hack
  • Risky Business Media: Risky Bulletin: Israel-linked hackers claim Iran bank disruption
  • techcrunch.com: Iran’s largest crypto exchange Nobitex said it was hacked and funds drained. Pro-Israel hacking group Predatory Sparrow claimed responsibility for the hack, which saw the group steal and destroy some $90 million in cryptocurrency from the Iranian exchange.
  • CyberScoop: Iran’s financial sector takes another hit as largest crypto exchange is targeted
  • fortune.com: The hackers, who call themselves Predatory Sparrow, sent the funds to likely inaccessible blockchain addresses, burning the cryptocurrency.
  • Zack Whittaker: Iran’s largest crypto exchange Nobitex said it was hacked and funds drained. Pro-Israel hacking group Predatory Sparrow claimed responsibility for the hack, which saw the group steal and destroy some $90 million in cryptocurrency from the Iranian exchange.
  • www.nftgators.com: Pro-Israeli Hacker Group Drains $90M from Iranian Crypto Exchange Nobitex
  • bsky.app: My latest for BBC Persian: 'Predatory Sparrow' hackers stole $90 million from Iranian cryptocurrency company to 'send a message'.
  • WIRED: Israel-Tied Predatory Sparrow Hackers Are Waging Cyberwar on Iran’s Financial System
  • NFTgators: Pro-Israeli Hacker Group Drains $90M from Iranian Crypto Exchange Nobitex.
  • Metacurity: Metacurity reports on the Predatory Sparrow group's activities, including the Nobitex attack and other Iranian targets.
  • Risky Business Media: Tom Uren and Patrick Gray talk about a Minnesota man who used people-search services to locate, stalk and eventually murder political targets. They also discuss purported hacktivist group Predatory Sparrow weighing in on the Iran-Israel conflict. It has attacked Iran’s financial system including a bank associated with the Iranian Revolutionary Guard Corp and also burnt USD$90 million worth of cryptocurrency from an Iranian exchange This episode is also available on Youtube.
  • aboutdfir.com: Pro-Israel hackers drain $90 million from Iran crypto exchange, analytics firm says  Iran’s largest cryptocurrency exchange, Nobitex, was hacked for more than $90 million Wednesday, according to blockchain analytics firm Elliptic.
  • SecureWorld News: Israel–Iran Conflict Escalates in Cyberspace: Banks and Crypto Hit, Internet Cut
  • www.metacurity.com: Israeli-linked hackers seized and burned $90 million from Iran's Nobitex exchange
  • aboutdfir.com: Pro-Israel hackers drain $90 million from Iran crypto exchange, analytics firm says 
  • The Hacker News: Iran's State TV Hijacked Mid-Broadcast Amid Geopolitical Tensions; $90M Stolen in Crypto Heist
  • CyberScoop: This article reports on the cyberattack claimed by Predatory Sparrow against Iran's Bank Sepah.
  • cyberriskleaders.com: This episode of Risky Business discusses the $90 million crypto hack of the Iranian exchange, Nobitex, and other recent cybersecurity incidents in the context of the Israeli-Iranian conflict. The hosts, Patrick Gray and Adam Boileau, are joined by special guest Chris Krebs to discuss various threat actor tactics and trends.
  • www.elliptic.co: The Israeli-linked Gonjeshke Darande hacking group claimed responsibility for the attack.
  • Industrial Cyber: Radware reports hybrid warfare as cyberattacks, disinformation escalate in 2025 Israel-Iran conflict
  • Web3 is Going Just Great: The Iran-based Nobitex cryptocurrency exchange suffered a $90 million hack, and the attacker has also promised to imminently release data and source code from the platform.
  • industrialcyber.co: Radware reports hybrid warfare as cyberattacks, disinformation escalate in 2025 Israel-Iran conflict
  • Risky Business Media: Russian hackers abuse app-specific passwords to bypass multi-factor, the tenth Salt Typhoon victim is identified, Predatory Sparrow destroys $90 million from an Iranian crypto-exchange, and Argentina arrests a Russian disinfo gang.

Dissent@DataBreaches.Net //
A massive collection of 16 billion login credentials has been discovered, representing one of the largest data thefts in history. Cybernews reports that the exposed data likely originates from various infostealers, malicious software designed to gather sensitive information from infected devices. Researchers have uncovered 30 exposed data sets containing millions to over 3.5 billion records each, totaling the astounding 16 billion credentials. These datasets include logins for major platforms like Apple, Google, Facebook, and Telegram, raising significant concerns about widespread account compromise.

Researchers noted that these datasets were not simply recycled from old data leaks but represent new, potentially "weaponized" information. The exposed data contains a mix of details from stealer malware, credential stuffing sets, and repackaged leaks. While it was not possible to compare data between the different sets effectively, the sheer volume and the platforms targeted highlight the severity of the situation. The data sets were only exposed for a short period and it remains unknown who controlled the large amount of data.

The exposure of these 16 billion credentials poses a significant risk of account takeovers, identity theft, and targeted phishing attacks. Cybercriminals now have access to an unprecedented volume of personal data. Users are advised to take immediate action to protect their accounts, including enabling multi-factor authentication and using strong, unique passwords for all online services. News sources indicate that this is not a new data breach but is rather a compilation of previously leaked credentials.

Recommended read:
References :
  • www.bleepingcomputer.com: No, the 16 billion credentials leak is not a new data breach.
  • www.it-daily.net: 16 billion login details: the data theft that nobody knew about
  • Malwarebytes: Billions of logins for Apple, Google, Facebook, Telegram, and more found exposed online
  • Kaspersky official blog: The world's biggest data breach: what should folks do? | Kaspersky official blog
  • aboutdfir.com: No, the 16 billion credentials leak is not a new data breach  News broke today of a “mother of all breaches,†sparking wide media coverage filled with warnings and fear-mongering.
  • bsky.app: No, the 16 billion credentials leak is not a new data breach. Thanks @lawrenceabrams.bsky.social for being a knowledgeable and calm voice amidst the yelling about this 'breach'.
  • flare.io: This week, Forbes published research from a CyberNews article, which detailed the leakage of 16B credentials. We want to emphasize an important piece of this viral story: “30 exposed datasets containing from tens of millions to over 3.5 billion records each,†have been discovered.
  • techxplore.com: Researchers at cybersecurity outlet Cybernews say that billions of login credentials have been leaked and compiled into datasets online, giving criminals "unprecedented access" to accounts consumers use each day.
  • Billy Bambrough: A massive 16 billion password hack has sparked calls for an urgent upgrade...
  • aboutdfir.com: No, the 16 billion credentials leak is not a new data breach  News broke today of a “mother of all breaches,†sparking wide media coverage filled with warnings and fear-mongering. However, it appears to be a compilation of previously leaked credentials stolen by infostealers, exposed in data breaches, and via credential stuffing attacks. To be clear, this
  • flare.io: This week, Forbes published research from a CyberNews article, which detailed the leakage of 16B credentials. We want to emphasize an important piece of this viral story: “30 exposed datasets containing from tens of millions to over 3.5 billion records each,†have been discovered.
  • DataBreaches.Net: DataBreaches.net article on the 16 billion credentials leak
  • Metacurity: Report of 16 billion credentials breach debunked

info@thehackernews.com (The@The Hacker News //
A new account takeover (ATO) campaign, dubbed UNK_SneakyStrike, is actively targeting Microsoft Entra ID user accounts. Cybersecurity researchers at Proofpoint have identified that the campaign is leveraging the TeamFiltration pentesting framework to breach accounts. The activity has been ongoing since December 2024, with a surge in login attempts impacting over 80,000 user accounts across hundreds of organizations' cloud tenants. This poses a significant threat to cloud security, as successful account takeovers can lead to data exfiltration and further malicious activities.

The attackers are leveraging the TeamFiltration framework to identify valid user accounts and use password-spraying techniques to gain access. They have been observed utilizing Microsoft Teams API and Amazon Web Services (AWS) servers from various geographic locations to carry out user enumeration and password-spraying attacks. Once an account is compromised, the attackers are able to access sensitive data and potentially upload malicious files to the target user's OneDrive. This campaign demonstrates how legitimate pentesting tools can be exploited for malicious purposes, highlighting the need for robust security measures.

Organizations are advised to monitor for indicators of compromise related to the UNK_SneakyStrike campaign. According to researchers, unauthorized access attempts tend to occur in concentrated bursts targeting a wide range of users within a single cloud environment. This is followed by quiet periods. The attackers appear to be attempting to access all user accounts within smaller cloud tenants while focusing on a subset of users in larger ones. Defenders are urged to check if any of their organization's accounts have been compromised and implement stronger authentication measures to prevent future account takeovers.

Recommended read:
References :
  • Virus Bulletin: Proofpoint threat researchers have recently uncovered an active account takeover (ATO) campaign, tracked as UNK_SneakyStrike, using the TeamFiltration pentesting framework to target Entra ID user accounts.
  • The Hacker News: Over 80,000 Microsoft Entra ID Accounts Targeted Using Open-Source TeamFiltration Tool
  • Help Net Security: Researchers warn of ongoing Entra ID account takeover campaign
  • ciso2ciso.com: Over 80,000 Microsoft Entra ID Accounts Targeted Using Open-Source TeamFiltration Tool – Source:thehackernews.com
  • www.helpnetsecurity.com: Researchers warn of ongoing Entra ID account takeover campaign
  • Proofpoint Threat Insight: Attackers Unleash TeamFiltration Account Takeover Campaign
  • BleepingComputer: Password-spraying attacks target 80,000 Microsoft Entra ID accounts
  • Techzine Global: Cybercriminals are using the TeamFiltration pentesting tool in a large-scale campaign targeting Office 365 accounts. The attacks, attributed to UNK_SneakyStrike, have so far targeted more than 80,000 user accounts.
  • www.scworld.com: TeamFiltration pentesting tool harnessed in global Microsoft Entra ID attack campaign
  • bsky.app: Reported UNK_SneakyStrike campaigns have leveraged TeamFiltration which can steal the victim’s Cookies, Password, History, Bookmarks and AutoFill data.
  • sra.io: UNK_SneakyStrike weaponizes TeamFiltration tool targeting 80K+ Entra ID accounts via AWS infrastructure. #AccountTakeover #Microsoft365 #AWS The post appeared first on .
  • Security Risk Advisors: UNK_SneakyStrike Campaign Weaponizes TeamFiltration Tool to Target 80,000 Entra ID Accounts

@arcticwolf.com //
Trend Micro has released security updates to address critical vulnerabilities in its Apex Central and Endpoint Encryption (TMEE) PolicyServer products. These vulnerabilities, which include remote code execution and authentication bypass flaws, pose a significant risk to affected systems. The company urges administrators to apply the necessary security updates as soon as possible to mitigate potential exploitation. While Trend Micro states there is no evidence of active exploitation in the wild, the severity of the flaws necessitates immediate action.

One specific vulnerability, tracked as ZDI-25-371, exists within the Endpoint Encryption product and involves the DeserializeFromBase64String method. This flaw stems from a lack of proper validation of user-supplied data, which can lead to the deserialization of untrusted data. An attacker who successfully exploits this vulnerability can execute code in the context of SYSTEM, potentially gaining complete control over the affected system. Although authentication is required, the existing authentication mechanism can be bypassed, making exploitation easier.

The vulnerabilities were reported to Trend Micro on October 11, 2024, by Piotr Bazydlo of Trend Micro's Zero Day Initiative. A coordinated public release of the advisory followed on June 11, 2025. Users of Apex Central and Endpoint Encryption (TMEE) PolicyServer products are advised to visit the Trend Micro website for details on obtaining and applying the necessary patches. Further information on the specific fixes can be found at https://success.trendmicro.com/en-US/solution/KA-0019928.

Recommended read:
References :
  • ZDI: Published Advisories: ZDI-25-371: Trend Micro Endpoint Encryption DeserializeFromBase64String Deserialization of Untrusted Data Remote Code Execution Vulnerability
  • BleepingComputer: Trend Micro fixes critical vulnerabilities in multiple products
  • BleepingComputer: Trend Micro has released security updates to address multiple critical-severity remote code execution and authentication bypass vulnerabilities that impact its Apex Central and Endpoint Encryption (TMEE) PolicyServer products.
  • ZDI: Published Advisories: ZDI-25-373: Trend Micro Endpoint Encryption DbAppDomain Authentication Bypass Vulnerability
  • www.bleepingcomputer.com: Trend Micro fixes critical vulnerabilities in multiple products
  • securityaffairs.com: Trend Micro fixes critical bugs in Apex Central and TMEE PolicyServer
  • www.scworld.com: Trend Micro patches four 9.8 bugs in encryption PolicyServer products
  • arcticwolf.com: Trend Micro Fixes Several Critical Vulnerabilities in Apex Central and Endpoint Encryption PolicyServer
  • Arctic Wolf: Trend Micro Fixes Several Critical Vulnerabilities in Apex Central and Endpoint Encryption PolicyServer
  • The DefendOps Diaries: Trend Micro Addresses Critical Vulnerabilities in Apex Central and Endpoint Encryption PolicyServer
  • arcticwolf.com: Trend Micro Fixes Several Critical Vulnerabilities in Apex Central and Endpoint Encryption PolicyServer
  • Arctic Wolf: Trend Micro Fixes Several Critical Vulnerabilities in Apex Central and Endpoint Encryption PolicyServer
  • www.techradar.com: Trend Micro patches several worrying security flaws, so update now
  • cyble.com: CERT-In Vulnerability Note Highlights Critical Security Risks in Ivanti, Trend Micro, Apache Kafka, and SAP Products

info@thehackernews.com (The@The Hacker News //
Check Point Research has revealed a significant malware campaign targeting Minecraft players. The campaign, active since March 2025, involves malicious modifications (mods) distributed through the Stargazers Ghost Network on GitHub. These fake mods, impersonating legitimate "Scripts & Macro" tools or cheats, are designed to surreptitiously steal gamers' sensitive data. The malware is written primarily in Java, a language often overlooked by security solutions, and contains Russian-language artifacts suggesting the involvement of a Russian-speaking threat actor. The popularity of Minecraft, with over 200 million monthly active players and over 300 million copies sold, makes it a prime target for such attacks.

The multi-stage infection chain begins when a user downloads and installs a malicious JAR file, disguised as a Minecraft mod, into the game's mods folder. This initial Java downloader employs anti-analysis techniques to evade detection by antivirus software. Once executed, it retrieves and loads a second-stage Java-based stealer into memory. This stealer then collects Minecraft tokens, account credentials from popular launchers like Feather and Lunar, Discord tokens, Telegram data, IP addresses, and player UUIDs. The stolen data is then exfiltrated to a Pastebin-hosted URL, paving the way for the final, most potent payload.

The final stage involves a .NET stealer with extensive capabilities, designed to steal a wide range of information. This includes browser data from Chrome, Edge, and Firefox, cryptocurrency wallet credentials, VPN credentials from NordVPN and ProtonVPN, and files from various directories such as Desktop and Documents. It can also capture screenshots and clipboard contents and harvest credentials from Steam, Discord, Telegram, and FileZilla. Over 1,500 Minecraft players have already been infected by these malicious mods distributed on GitHub. Researchers have flagged approximately 500 GitHub repositories used in the campaign.

Recommended read:
References :
  • blog.checkpoint.com: Minecraft Players Targeted in Sophisticated Malware Campaign
  • Check Point Research: Fake Minecraft mods distributed by the Stargazers Ghost Network to steal gamers’ data
  • securityaffairs.com: Malicious Minecraft mods distributed by the Stargazers DaaS target Minecraft gamers
  • securityonline.info: Stargazers Ghost Network: Minecraft Mods Used to Distribute Multi-Stage Stealers via GitHub
  • The Hacker News: 1,500+ Minecraft Players Infected by Java Malware Masquerading as Game Mods on GitHub
  • Security Risk Advisors: 🚩 Stargazers Ghost Network Distributes Java Malware Through Fake Minecraft Mods Targeting Gaming Community
  • Check Point Blog: Minecraft Players Targeted in Sophisticated Malware Campaign
  • www.scworld.com: Counterfeit Minecraft mods deliver malware
  • www.techradar.com: Minecraft players watch out - these fake mods are hiding password-stealing malware

@cert.europa.eu //
A number of critical security vulnerabilities have been identified and addressed in several software products, highlighting the persistent need for vigilance and timely updates. One of the most severe issues is a critical Remote Code Execution (RCE) vulnerability, identified as CVE-2025-23121, in Veeam Backup & Replication. This flaw, which received a CVSS score of 9.9, allows an authenticated domain user to execute code remotely on the Backup Server, specifically impacting domain-joined backup servers. Veeam has released security updates to fix this and other vulnerabilities, urging users to upgrade to the latest version, 12.3.2 (build 12.3.2.3617), as soon as possible.

Affected products include Veeam Backup & Replication versions 12, 12.1, 12.2, 12.3, and 12.3.1, along with Veeam Agent for Microsoft Windows versions 6.0, 6.1, 6.2, 6.3, and 6.3.1. In addition to the critical RCE in Veeam, a high severity Arbitrary Code Execution (ACE) vulnerability (CVE-2025-24286) in Veeam Backup & Replication was also addressed, allowing an authenticated user with the Backup Operator role to modify backup jobs, potentially leading to arbitrary code execution. Further more, a medium severity local privilege escalation bug (CVE-2025-24287) was identified affecting the Windows Veeam agent, which allows local system users to execute arbitrary code with elevated permissions by modifying specific directory contents.

Users are strongly advised to update their software to the latest versions to mitigate the risks associated with these vulnerabilities. For Veeam users, it is recommended to implement best practices provided by the vendor, such as using a separate management workgroup or domain for Veeam components. The discovery of an undocumented root shell access (CVE-2025-26412) in the SIMCom SIM7600G modem, highlighting the dangers of backdoors and undocumented features in embedded devices. Furthermore, a critical vulnerability (CVE-2025-3464) in Asus Armoury Crate allows attackers to gain SYSTEM privileges via hard link manipulation, advising users to update or disable the software.

Recommended read:
References :
  • cert.europa.eu: On June 17, 2025, Veeam released an advisory addressing several vulnerabilities in Veeam Backup & Replication, one of which is rated as critical. It is recommended updating as soon as possible.
  • research.kudelskisecurity.com: Summary On June 1 7, data resilience vendor Veeam released security updates to fix three vulnerabilities: one critical severity RCE and one high severity ACE
  • The Register - Security: Veeam patches third critical RCE bug in Backup & Replication in space of a year
  • securityaffairs.com: Veeam addressed a new critical flaw in Backup & Replication product that could potentially result in remote code execution.
  • www.cybersecuritydive.com: Researchers urge vigilance as Veeam releases patch to address critical flaw
  • Security Risk Advisors: Critical Remote Code Execution Vulnerability Patched in Veeam Backup & Replication 12.3.2
  • research.kudelskisecurity.com: Veeam Backup & Replication: Critical RCE Patched
  • www.veeam.com: Critical Remote Code Execution Vulnerability Patched in Veeam Backup & Replication 12.3.2 . CVE-2025-23121 & CVE-2025-24286 & CVE-2025-24287 The post appeared first on .
  • Blog: On June 17, Veeam released , tracked as CVE-2025-23121, CVE-2025-24286, and CVE-2025-24287. The fixes were applied in and .
  • The Hacker News: Veeam Patches CVE-2025-23121: Critical RCE Bug Rated 9.9 CVSS in Backup & Replication
  • thecyberexpress.com: This article discusses various vulnerabilities and recommends applying patches.
  • www.veeam.com: Veeam KB 4696

@cyberscoop.com //
Scattered Spider, a cybercrime collective known for targeting U.K. and U.S. retailers, has shifted its focus to the U.S. insurance industry, according to warnings issued by Google Threat Intelligence Group (GTIG). The group, tracked as UNC3944, is known for utilizing sophisticated social engineering tactics to breach organizations, often impersonating employees, deceiving IT support teams, and bypassing multi-factor authentication (MFA). Google is urging insurance companies to be on high alert for social engineering schemes targeting help desks and call centers, emphasizing that multiple intrusions bearing the hallmarks of Scattered Spider activity have already been detected in the U.S.

GTIG's warning comes amidst a recent surge in Scattered Spider activity, with multiple U.S.-based insurance companies reportedly impacted over the past week and a half. The threat group has a history of targeting specific industries in clusters, with previous attacks impacting MGM Resorts and other casino companies. Security specialists emphasize that Scattered Spider often targets large enterprises with extensive help desks and outsourced IT functions, making them particularly susceptible to social engineering attacks. The group is also suspected of having ties to Western countries.

The shift in focus towards the insurance sector follows Scattered Spider's previous campaigns targeting retailers, including a wave of ransomware and extortion attacks on retailers and grocery stores in the U.K. in April. To mitigate against Scattered Spider's tactics, security experts recommend enhancing authentication, enforcing rigorous identity controls, implementing access restrictions, and providing comprehensive training to help desk personnel to effectively identify employees before resetting accounts. One insurance company, Erie Insurance, has already reported a cyberattack earlier this month, although the perpetrators have not yet been identified.

Recommended read:
References :
  • Threats | CyberScoop: Scattered Spider, fresh off retail sector attack spree, pivots to insurance industry
  • The Hacker News: Google Warns of Scattered Spider Attacks Targeting IT Support Teams at U.S. Insurance Firms
  • www.cybersecuritydive.com: Threat group linked to UK, US retail attacks now targeting insurance industry
  • hackread.com: Scattered Spider Aims at US Insurers After UK Retail Hit, Google Warns
  • The Record: Security analysts at Google’s Threat Intelligence Group published a warning this week to insurance companies, writing that it is “now aware of multiple intrusions in the US which bear all the hallmarks of Scattered Spider activity.â€
  • www.scworld.com: Scattered Spider group attacking US insurance industry, Google says
  • SecureWorld News: Scattered Spider Swarms Insurance Sector with Targeted Cyber Attacks, Google Warns
  • Zack Whittaker: Google's John Hultquist says in an emailed statement that the company is seeing "multiple intrusions in the US" that bear the hallmarks of Scattered Spider activity and "now seeing incidents in the insurance industry." Google spokesperson confirmed there's more than one U.S.-based insurance victim.
  • CYJAX: Weaving Chaos – Scattered Spider’s Cyberattacks Spin a Dangerous Web Across the Insurance Industry

Graham Cluley@Blog RSS Feed //
The Qilin ransomware group is introducing a new tactic to pressure victims into paying larger ransoms. They are now offering a "Call Lawyer" button within their affiliate panel, providing legal counsel to cybercriminals attempting to extort money. This feature aims to give affiliates an edge in ransom negotiations by providing them with on-call legal support. Qilin believes that the presence of a lawyer in communication with victims will increase the likelihood of a successful ransom payment due to the potential legal ramifications and associated costs for the victim company.

Qilin's legal assistance service offers several advantages for its affiliates, including legal assessments of stolen data, classification of legal violations, and evaluation of potential damages. It also provides guidance on how to inflict maximum economic damage on a victim company if they refuse to pay the ransom. This addition is part of Qilin's effort to position itself as a full-service cybercrime platform, offering extensive support options and robust solutions for highly targeted ransomware attacks.

This development indicates a shift in the cybercrime landscape, with ransomware groups like Qilin attempting to mimic legitimate business tactics to increase their success rates. Qilin has become a prominent player in the ransomware-as-a-service (RaaS) market, attracting affiliates from other groups and leading in the number of victims targeted in recent months. The group's mature ecosystem, advanced evasion features, and comprehensive operational features position it as a significant threat in the cybercrime world.

Recommended read:
References :
  • securityonline.info: Ransomware gang Qilin Rises Amid Collapse of Major Gangs Like RansomHub and LockBit
  • The Hacker News: Qilin Ransomware Adds "Call Lawyer" Feature to Pressure Victims for Larger Ransoms
  • www.tripwire.com: Qilin offers “Call a lawyer†button for affiliates attempting to extort ransoms from victims who won’t pay
  • DataBreaches.Net: Qilin Offers “Call a lawyer†Button For Affiliates Attempting To Extort Ransoms From Victims Who Won’t Pay
  • bsky.app: The Qilin ransomware-as-a-service operation is now offering their affiliates a “Call a Lawyer†button. Yes, really.
  • securityaffairs.com: Qilin ransomware gang now offers a “Call Lawyer†feature to pressure victims

Rescana@Rescana //
A new and dangerous version of the Anubis ransomware has emerged, now equipped with a data wiping module that significantly increases the stakes for victims. The Anubis Ransomware-as-a-Service (RaaS) has been active since December 2024 and now presents a dual-threat by not only encrypting files, but also permanently deleting them. This means that even if victims pay the ransom, data recovery is impossible because of the '/WIPEMODE' parameter which renders file contents to 0 KB, despite preserving the file names and extensions.

The ransomware is being deployed via phishing emails with malicious attachments or deceptive links which bypass endpoint defenses. Once inside a network, it uses lateral movement techniques, such as privilege escalation, to gain deeper access. The primary targets are organizations within the healthcare, hospitality, and construction sectors, impacting entities across Australia, Canada, Peru, and the United States. This dual-threat capability represents an evolution from traditional ransomware, exerting even more pressure on victims to comply with ransom demands.

Cybersecurity experts are urging organizations to implement robust backup and recovery procedures to mitigate the impact of Anubis attacks. Trend Micro researchers and others describe Anubis as a "rare dual-threat" that encrypts and permanently erases files. Anubis also operates a flexible affiliate program with negotiable revenue splits, offering additional monetization paths like data extortion and access sales. The discovery of this destructive behavior highlights the increasing sophistication of ransomware operations and the importance of proactive cybersecurity measures.

Recommended read:
References :
  • The Hacker News: Anubis Ransomware Encrypts and Wipes Files, Making Recovery Impossible Even After Payment
  • Davey Winder: This New Ransomware Can Irrevocably Destroy Your Files — Backup Now
  • Rescana: Anubis Ransomware Incident Analysis: Dual-Threat Cyber Attack with Irreversible File Wiping in Healthcare, Hospitality, and Construction Systems
  • securityaffairs.com: New Anubis RaaS includes a wiper module
  • DataBreaches.Net: Anubis: A Closer Look at an Emerging Ransomware with Built-in Wiper
  • Security Risk Advisors: 🚩 Anubis Ransomware Emerges with Dual Encryption and File Destruction Capabilities
  • www.trendmicro.com: Trend Micro article Anubis Ransomware Emerges with Dual Encryption and File Destruction Capabilities

@blog.talosintelligence.com //
North Korean-aligned threat actor Famous Chollima, also known as Wagemole, is actively targeting cryptocurrency and blockchain professionals, primarily in India, using a newly discovered Python-based Remote Access Trojan (RAT) named PylangGhost. This RAT, identified by Cisco Talos in May 2025, serves as a Python-equivalent to their existing GolangGhost RAT, which was previously deployed against MacOS users. The threat actor seeks financial gain by creating fake employers for the purpose of jobseekers exposing their personal information, and second by deploying fake employees as workers in targeted victim companies.

This campaign involves a sophisticated operation where attackers impersonate recruiters from well-known tech firms like Coinbase, Robinhood, Uniswap, and Archblock. Victims are lured through fake job advertisements and skill-testing pages, directed to submit personal and professional information, grant camera access, and copy/execute a malicious shell command under the guise of installing video drivers. Instructions for downloading the alleged fix are different based on the browser fingerprinting, and also given in appropriate shell language for the OS, including PowerShell for Windows and Bash for MacOS.

PylangGhost is a multi-stage Python malware framework disguised in a ZIP archive downloaded via the shell command. Upon execution, a Visual Basic Script extracts and launches the malware. The framework consists of modular components that enable credential and cookie theft from over 80 browser extensions, file operations (upload, download), remote shell access, and system reconnaissance. The attackers are primarily targeting individuals with experience in cryptocurrency and blockchain technologies, utilizing skill-testing sites that impersonate legitimate companies to further their deception.

Recommended read:
References :
  • blog.talosintelligence.com: Talos Intelligence blog post about the Python version of GolangGhost RAT.
  • Cisco Talos: Talos Security's post on Mastodon about Famous Chollima targeting cryptocurrency/blockchain professionals with the new PylangGhost RAT.
  • Cisco Talos Blog: Famous Chollima deploying Python version of GolangGhost RAT
  • hackread.com: N. Korean Hackers Use PylangGhost Malware in Fake Crypto Job Scam
  • securityonline.info: PylangGhost: North Korean APT Deploys Python-Based RAT to Target Crypto Professionals
  • securityonline.info: PylangGhost: North Korean APT Deploys Python-Based RAT to Target Crypto Professionals
  • Virus Bulletin: Cisco Talos recently identified PylangGhost, a Python-based version of the GolangGhost RAT used exclusively by Famous Chollima, a North Korea-aligned threat actor.
  • Virus Bulletin: This article reports on various APT groups and their activities, including the use of PylangGhost by Famous Chollima.

drewt@secureworldexpo.com (Drew@SecureWorld News //
Cyber warfare between Israel and Iran has significantly escalated, marked by disruptions to financial systems and critical infrastructure. In response to recent cyberattacks, the Iranian government admitted to shutting down the internet to protect against further Israeli incursions. This near-total internet blackout has severely limited Iranians' access to information about the ongoing conflict and their ability to communicate with loved ones both inside and outside the country. The government cited hacks on Bank Sepah and the cryptocurrency exchange Nobitex as reasons for restricting internet access.

The cyberattacks included a major outage at Bank Sepah, where the attackers, a group called Predatory Sparrow, claimed to have deleted data, exfiltrated internal documents, and destroyed backups. Predatory Sparrow also claimed responsibility for draining over $90 million in cryptocurrency from Nobitex, Iran's largest crypto exchange, rendering the stolen funds inaccessible. The group, which purports to be pro-Israel hacktivists, has previously disrupted key services in Iran, such as gas stations and steel plants.

The U.S. cybersecurity groups have issued advisories warning that Iranian-affiliated threat actors may retaliate globally, targeting American companies in sectors like energy, finance, healthcare, and logistics. These alerts urge CISOs to elevate monitoring and reinforce incident response protocols due to the heightened geopolitical risk. The cyber conflict between Israel and Iran marks a significant turning point, with potential global implications for cybersecurity.

Recommended read:
References :
  • techcrunch.com: NEW: Iran's government has now admitted that it took down the internet in the country, arguing that it did to protect against Israeli cyberattacks. I spoke to two Iranians who live abroad and can't communicate with their loved ones back home because of the blackout. "I haven’t heard from them in two days, but someone is supposed to update me. I hope everything is okay," Amir Rashidi told me.
  • SecureWorld News: As kinetic conflict continues to unfold between Israel and Iran, a parallel battle is raging in cyberspace—one that is disrupting financial systems, wiping out crypto holdings, hijacking broadcast channels, and even triggering a near-total internet shutdown. The escalation marks one of the most comprehensive campaigns of cyber warfare in recent memory.
  • securityaffairs.com: Iran experienced a near-total national internet blackout
  • techcrunch.com: Iran’s government says it shut down internet to protect against cyberattacks
  • infosec.exchange: NEW: Iran's government has now admitted that it took down the internet in the country, arguing that it did to protect against Israeli cyberattacks. I spoke to two Iranians who live abroad and can't communicate with their loved ones back home because of the blackout.
  • Web3 is Going Just Great: Israeli-linked hackers steal and destroy $90 million from Iranian Nobitex exchange

Veronika Telychko@SOC Prime Blog //
References: Blog , SOC Prime Blog , The Hacker News ...
Two critical local privilege escalation (LPE) vulnerabilities, CVE-2025-6018 and CVE-2025-6019, have been publicly disclosed, impacting a wide range of Linux distributions. Cybersecurity researchers at Qualys discovered that these vulnerabilities, when chained together, could allow an unprivileged user to gain full root access on vulnerable systems. The flaws reside in the Pluggable Authentication Modules (PAM) configuration (CVE-2025-6018) and the libblockdev library (CVE-2025-6019), with the latter being exploitable through the udisks daemon, which is commonly deployed by default in many Linux distributions.

Researchers have released proof-of-concept (PoC) exploit code demonstrating the effectiveness of the vulnerability chain, raising concerns about potential exploitation in the wild. CVE-2025-6018 allows an unprivileged local user to elevate permissions to "allow_active" status, enabling them to invoke Polkit actions typically reserved for users with physical access to the machine. CVE-2025-6019 then permits an "allow_active" user to gain full root privileges, effectively bypassing security controls and allowing for broader post-compromise actions.

The teams responsible for the development of most popular Linux builds have already begun working on fixes for these vulnerabilities. Patches for Ubuntu are reportedly ready, and users of other distributions are advised to closely monitor for updates and promptly install them as they become available. As a temporary workaround, Qualys recommends modifying the Polkit rule for "org.freedesktop.udisks2.modify-device" to require administrator authentication ("auth_admin"). This highlights the critical importance of regular patching and vulnerability management in maintaining the security of Linux systems.

Recommended read:
References :
  • Blog: Field Effect details the vulnerabilities and the availability of proof-of-concept exploit code.
  • SOC Prime Blog: SocPrime's blog post discusses the CVE-2025-6018 and CVE-2025-6019 vulnerabilities and their potential impact.
  • Kaspersky official blog: Vulnerability CVE-2025-6019 allows an attacker to gain root privileges in most Linux distributions.
  • The Hacker News: New Linux Kernel Vulnerabilities Allow Full Root Access via PAM and Udisks Across Major Distributions
  • securityaffairs.com: This article explains the two LPE vulnerabilities impacting Linux systems.

@kirbyidau.com //
MKA Accountants, a Victorian accounting firm, has confirmed it fell victim to a ransomware attack by the Qilin group. The incident, which occurred in May 2025, resulted in the publication of sensitive company documents on Qilin's leak site. The stolen data included internal correspondence, financial statements, and insurance information, highlighting the severity of the breach and the potential impact on the firm's operations and client relationships. This attack underscores the growing threat posed by ransomware groups to organizations of all sizes, regardless of their industry.

The Qilin ransomware group has been rapidly gaining prominence in the cybercrime landscape. As established players like RansomHub and LockBit face internal turmoil and operational setbacks, Qilin has emerged as a technically advanced and full-service cybercrime platform. Recent reports indicate that Qilin is actively recruiting affiliates, possibly absorbing talent from defunct groups, and bolstering its capabilities to conduct sophisticated ransomware attacks. This rise in prominence positions Qilin as a major player in the evolving ransomware-as-a-service (RaaS) ecosystem, posing a significant threat to businesses worldwide.

To further pressure victims into paying ransoms, Qilin now offers a "Call Lawyer" feature within its affiliate panel. This addition aims to provide affiliates with legal counsel during ransom negotiations, potentially intimidating victims and increasing the likelihood of payment. Furthermore, Qilin provides other services to help affiliates maximize their success. This includes spam services, PB-scale data storage, a team of in-house journalists, and even the ability to conduct distributed denial-of-service (DDoS) attacks, positioning Qilin as a comprehensive cybercrime operation and increasing it's market share.

Recommended read:
References :
  • kirbyidau.com: Incident: MKA Accountants confirms Qilin ransomware attack | CyberDaily.au
  • www.tripwire.com: Tripwire article on Qilin offers “Call a lawyer†button for affiliates.
  • securityaffairs.com: Qilin ransomware gang now offers a “Call Lawyer†feature to pressure victims
  • The Hacker News: Qilin Ransomware Adds "Call Lawyer" Feature to Pressure Victims for Larger Ransoms

@www.trendmicro.com //
Trend Micro has identified a new threat actor known as Water Curse, which is actively exploiting GitHub repositories to distribute multistage malware. This campaign poses a significant supply chain risk, especially to cybersecurity professionals, game developers, and DevOps teams who rely on open-source tooling. Researchers have already identified at least 76 GitHub accounts that are related to this campaign, highlighting the scale of the operation. The attackers embed malicious payloads within build scripts and project files, effectively weaponizing trusted open-source resources.

The Water Curse campaign utilizes a sophisticated infection chain. Project files contain malicious batch file code within the `` tag, which is triggered during the code compilation process. This malicious batch file code leads to the execution of a VBS file. Upon execution, obfuscated scripts written in Visual Basic Script (VBS) and PowerShell initiate complex multistage infection chains. These scripts download encrypted archives, extract Electron-based applications, and perform extensive system reconnaissance. The malware is designed to exfiltrate data, including credentials, browser data, and session tokens, and establishes remote access and long-term persistence on infected systems.

To defend against these attacks, organizations are advised to audit open-source tools used by red teams, DevOps, and developer environments, especially those sourced from GitHub. It's crucial to validate build files, scripts, and repository histories before use. Security teams should also monitor for unusual process executions originating from MSBuild.exe. Trend Micro's Vision One™ detects and blocks the indicators of compromise (IOCs) associated with this campaign, providing an additional layer of defense.

Recommended read:
References :
  • Know Your Adversary: Trend Micro has a new threat actor dubbed  Water Curse . The adversary uses weaponized GitHub repositories to deliver multistage malware.
  • www.trendmicro.com: Trend Micro has a new threat actor dubbed  Water Curse . The adversary uses weaponized GitHub repositories to deliver multistage malware.
  • cyberpress.org: 76 GitHub Accounts Compromised by Water Curse Hacker Group to Distribute Multistage Malware
  • Know Your Adversary: Trend Micro has a new threat actor dubbed  Water Curse . The adversary uses weaponized GitHub repositories to deliver multistage malware.
  • The Hacker News: The Hacker News report about Water Curse employs 76 GitHub accounts to deliver Multi-Stage Malware Campaign.
  • Blog (Main): Threat actor Banana Squad exploits GitHub repos in new campaign
  • www.sentinelone.com: Pentagon modernize defense via AI, Water Curse spreads malware through GitHub repos, and TaxOff uses Chrome zero-day to deploy backdoor.

CISA@Alerts //
Tenable's 2025 Cloud Security Risk Report has revealed a concerning trend: a significant percentage of public cloud storage resources are exposing sensitive data. The study found that nearly one in ten publicly accessible cloud storage buckets contain sensitive information, including Personally Identifiable Information (PII), Intellectual Property (IP), Payment Card Industry (PCI) data, and Protected Health Information (PHI). Worryingly, 97% of this exposed data is classified as restricted or confidential. This highlights the ongoing challenge organizations face in properly securing their cloud environments despite increased awareness of cloud security risks.

Researchers found that misconfigured access settings and overly permissive policies are major contributing factors to these exposures. For instance, more than half of organizations (54%) store at least one secret directly in Amazon Web Services (AWS) Elastic Container Service (ECS) task definitions. Similarly, a significant portion of Google Cloud Platform (GCP) Cloud Run and Microsoft Azure Logic Apps workflows are also exposed. Tenable emphasizes the need for automated data discovery and classification, elimination of public access by default, enterprise-grade secrets management, and identity-intelligent Cloud Security Posture Management (CSPM) to mitigate these risks.

While the report highlights the risks from insecure cloud configurations, it also points to some positive developments. The number of organizations with "toxic cloud trilogies" – workloads that are publicly exposed, critically vulnerable, and highly privileged – has declined from 38% to 29% over the past year. However, this still represents a substantial risk. Tenable stresses that exposed secrets and sensitive data are systemic risks that must be eliminated to prevent data exfiltration and environment takeover, emphasizing that attackers often exploit public access, steal embedded secrets, or abuse overprivileged identities to compromise cloud environments.

Recommended read:
References :
  • www.cybersecuritydive.com: Cloud storage buckets leaking secret data despite security improvements
  • Tenable Blog: Cybersecurity Snapshot: Tenable Report Spotlights Cloud Exposures, as Google Catches Pro-Russia Hackers Impersonating Feds
  • www.itpro.com: Tenable report shows that organizations are failing to configure storage effectively – and may have a false sense of security

@nvd.nist.gov //
A critical security vulnerability, CVE-2025-49763, has been identified in Apache Traffic Server (ATS). This flaw, discovered by Imperva's Offensive Security Team, resides within the ESI plugin of ATS and can be exploited by remote, unauthenticated attackers to trigger denial-of-service (DoS) attacks. The vulnerability stems from the potential for attackers to initiate an "avalanche" of internal ESI requests, leading to the exhaustion of server memory. The CVSS v3.1 score is estimated at 7.5, classifying it as a high-severity issue.

The memory exhaustion vulnerability allows malicious actors to potentially crash proxy nodes within the Apache Traffic Server infrastructure. To mitigate the risk posed by CVE-2025-49763, security experts advise upgrading ATS to the latest version and carefully configuring Access Control List (ACL) settings. Specifically, administrators should define limits for the ESI plugin to prevent excessive resource consumption by unauthorized requests.

In addition to this vulnerability (CVE-2025-49763), another CVE, CVE-2025-31698, was recently published, concerning ACL misconfigurations in Apache Traffic Server. This highlights the need for diligent security practices. Users of Apache Traffic Server versions 10.0.0 through 10.0.6 and 9.0.0 through 9.2.10 are advised to upgrade to versions 9.2.11 or 10.0.6 to address the ACL issue. A new setting, proxy.config.acl.subjects, allows administrators to specify which IP addresses to use for ACL checks when ATS is configured to accept PROXY protocol.

Recommended read:
References :
  • thecyberexpress.com: This article provides detailed information on the vulnerability, its impact, and mitigation strategies.
  • Blog: CVE-2025-49763 – Remote DoS via Memory Exhaustion in Apache Traffic Server via ESI Plugin
  • Tenable Blog: This article discusses various cybersecurity topics, including the Apache Traffic Server vulnerability CVE-2025-49763.
  • www.imperva.com: Remote attackers can trigger an avalanche of internal ESI requests, exhausting memory and causing denial-of-service in Apache Traffic Server.

@www.huntress.com //
The North Korea-aligned threat actor known as BlueNoroff, also tracked as TA444, Sapphire Sleet, COPERNICIUM, STARDUST CHOLLIMA, or CageyChameleon, has been observed targeting an employee in the Web3 sector with deceptive tactics. According to research shared by Huntress, these tactics include the use of deepfake Zoom calls featuring synthetic personas of company executives to trick victims into installing malware on their Apple macOS devices. This sophisticated social engineering campaign highlights the evolving techniques employed by threat actors to compromise systems and gain access to sensitive information.

Huntress researchers Alden Schmidt, Stuart Ashenbrenner, and Jonathan Semon provided detailed analysis of a recent BlueNoroff intrusion targeting a cryptocurrency foundation employee. The employee was initially contacted via Telegram and enticed to schedule a meeting through a Calendly link. This link redirected the user to a fake Zoom domain controlled by the attackers. During the deepfake Zoom meeting, the employee was prompted to download a malicious Zoom extension, delivered via Telegram, under the guise of a microphone issue fix. This extension, named "zoom_sdk_support.scpt," initiated the malware installation process.

The AppleScript downloaded a payload from a malicious website, disabling bash history logging and checking for Rosetta 2 installation on the compromised Mac. It then proceeded to create a hidden file and download binaries to the "/tmp/icloud_helper" directory, prompting the user for their system password and wiping the history of executed commands to cover their tracks. This intrusion led to the discovery of eight distinct malicious binaries on the victim host, including Telegram 2, Root Troy V4, and InjectWithDyld. The Field Effect Analysis team has also been investigating similar activity related to BlueNoroff.

Recommended read:
References :
  • Know Your Adversary: Huntress has shared the of analysis of a recent BlueNoroff attack involving a macOS device, a fake Zoom extension and even deepfakes!
  • The Hacker News: BlueNoroff Deepfake Zoom Scam Hits Crypto Employee with macOS Backdoor Malware
  • Blog: Zoom & doom: BlueNoroff call opens the door
  • www.huntress.com: Inside BlueNoroff Web3 Intrusion Analysis
  • www.csoonline.com: North Korea’s BlueNoroff uses AI deepfakes to push Mac malware in fake Zoom calls. In a novel social engineering campaign, North Korea’s BlueNoroff is tricking company executives into downloading fake Zoom extensions that install a custom-built Mac malware suite.
  • Virus Bulletin: New Mocha Manakin Malware Deploys NodeInitRAT via Clickfix Attack
  • securityonline.info: North Korean BlueNoroff Uses Deepfakes in Zoom Scams to Install macOS Malware for Crypto Theft

info@thehackernews.com (The@The Hacker News //
A new Flodrix botnet variant is actively targeting vulnerable Langflow AI servers by exploiting a critical remote code execution (RCE) vulnerability tracked as CVE-2025-3248. Langflow, a Python-based visual framework used for building artificial intelligence (AI) applications, contains a missing authentication vulnerability that enables unauthenticated attackers to execute arbitrary code via crafted HTTP requests. Cybersecurity researchers at Trend Micro have highlighted this ongoing campaign, revealing that attackers are leveraging the flaw to execute downloader scripts on compromised Langflow servers. These scripts then fetch and install the Flodrix malware, ultimately leading to full system compromise.

Trend Micro's analysis reveals that attackers are exploiting CVE-2025-3248, which has a CVSS score of 9.8, by using publicly available proof-of-concept (PoC) code to target unpatched, internet-exposed Langflow instances. The vulnerability lies in the lack of input validation or sandboxing within Langflow, allowing malicious payloads to be compiled and executed within the server's context. The downloader scripts retrieve the Flodrix botnet malware from a specified host and, once installed, Flodrix establishes communication with a remote server via TCP to receive commands for launching distributed denial-of-service (DDoS) attacks against targeted IP addresses. Flodrix also supports connections over the TOR anonymity network.

The Flodrix botnet is considered an evolution of the LeetHozer botnet, linked to the Moobot group. This improved variant incorporates stealth techniques, including the ability to discreetly remove itself, minimize forensic traces, and obfuscate command-and-control (C2) server addresses, making analysis more challenging. Further enhancements include new, encrypted DDoS attack types. Organizations using Langflow are urged to immediately patch their systems to version 1.3.0 or later, which addresses CVE-2025-3248. Furthermore, implementing robust network monitoring is crucial to detect and mitigate any botnet activity resulting from this vulnerability.

Recommended read:
References :
  • The Hacker News: New Flodrix Botnet Variant Exploits Langflow AI Server RCE Bug to Launch DDoS Attacks
  • securityaffairs.com: News Flodrix botnet targets vulnerable Langflow servers
  • securityonline.info: Langflow Under Attacks: CVE-2025-3248 Exploited to Deliver Stealthy Flodrix Botnet
  • Virus Bulletin: Trend Micro uncovers an active campaign exploiting CVE-2025-3248 in Langflow versions before 1.3.0 that deploys the Flodrix botnet, enabling threat actors to achieve full system compromise, initiate DDoS attacks, and potentially exfiltrate sensitive data.

Waqas@hackread.com //
References: DataBreaches.Net , hackread.com ,
CoinMarketCap, a leading cryptocurrency data website, has been hacked, resulting in the theft of approximately $43,000 in cryptocurrency from 110 users. The attackers exploited a vulnerability in CoinMarketCap's animated logo, injecting malicious code that displayed a fake wallet verification popup. This popup prompted users to connect their crypto wallets and approve ERC-20 token access, enabling the scammers to drain their funds. Wallet providers like MetaMask and Phantom were quick to flag the site as unsafe, displaying browser warnings against using the platform. CoinMarketCap has since confirmed the removal of the malicious popup.

The attack, which ran for only a few hours, utilized a sophisticated phishing kit known as Inferno Drainer, a well-known crypto-drainer phishing kit. Security firm C/side linked the malicious code to Inferno Drainer. Data gleaned from a Telegram channel known as TheCommsLeaks revealed a live dashboard used by the attacker, showing real-time wallet connections, token transfers, and total values drained. Early figures showed 67 successful hits and over 1,300 wallet connections, with the payout quickly exceeding $21,000 in the initial wave.

The individual behind the attack is reportedly a French-speaking actor known online as Zartix and Spadle, associated with an underground community called The Com. This community is also linked to the Scattered Spider group. The incident highlights the growing risks within the cryptocurrency space, where trusted platforms can be exploited through sophisticated scams. This incident serves as a reminder of the importance of caution when connecting wallets to online platforms and the need for robust security measures to protect users from these kinds of attacks.

Recommended read:
References :
  • DataBreaches.Net: CoinMarketCap Hacked, Scrambles to Remove Malicious Wallet Verification Popup
  • hackread.com: Scammers Use Inferno Drainer to Steal $43K from CoinMarketCap Users
  • Risky.Biz: Risky Bulletin: CoinMarketCap hacked via a doodle image

Veronika Telychko@SOC Prime Blog //
Mocha Manakin, a threat actor named by Red Canary, is employing a sophisticated "paste-and-run" technique to compromise systems. This method involves tricking users into executing malicious scripts via PowerShell, leading to the deployment of a custom NodeJS backdoor known as NodeInitRAT. Red Canary's report highlights that this backdoor could potentially lead to ransomware attacks. SocPrime has also released information regarding the detection of Mocha Manakin attacks, emphasizing the backdoor's capabilities.

Red Canary notes the adversary leverages ClickFix technique to deliver NodeJS-based backdoor named NodeInitRAT. Hunting for suspicious events related to PowerShell spawning node.exe can be an effective detection method. Security analysts can monitor process creation events where powershell.exe is the parent process and node.exe is the child process to identify potentially malicious activity associated with the NodeInitRAT backdoor.

Soc Prime offers Sigma rules to detect Mocha Manakin paste-and-run attacks spreading the NodeInitRAT backdoor. It's crucial to detect this threat as early as possible, as researchers note overlaps with Interlock ransomware. These rules can aid in identifying suspicious behavior and mitigating the risk of further compromise, including data exfiltration and ransomware deployment.

Recommended read:
References :
  • redcanary.com: Red Canary's report on Mocha Manakin details the use of NodeInitRAT and provides detection strategies.
  • SOC Prime Blog: SocPrime provides information on detecting Mocha Manakin attacks, focusing on the backdoor's capabilities and associated ransomware.
  • redcanary.com: Named by Red Canary, Mocha Manakin uses paste and run with PowerShell to drop a custom NodeJS backdoor that could lead to ransomware
  • socprime.com: Mocha Manakin Attack Detection: Hackers Spread a Custom NodeJS Backdoor Dubbed NodeInitRAT Using the Paste-and-Run Technique
  • cyberpress.org: Mocha Manakin Exploits Paste-and-Run Method to Deceive Users into Downloading Malware
  • hackread.com: New Mocha Manakin Malware Deploys NodeInitRAT via Clickfix Attack
  • Virus Bulletin: Red Canary researchers analyse a Mocha Manakin activity cluster that delivers NodeJS backdoor via Clickfix/fakeCAPTCHA.

@x.com //
The ongoing Israel-Iran conflict has expanded into cyberspace, marked by a surge in hacktivist activity and the deployment of new malware campaigns. Pro-Israel and pro-Iranian groups are actively engaging in cyberattacks, including DDoS attacks, website defacements, and data breaches, targeting organizations within each other's territories. This digital warfare mirrors the escalating military tensions between the two nations, turning the internet into a covert combat zone.

Amidst this cyber conflict, a pro-Israel hacktivist group known as Predatory Sparrow has claimed responsibility for hacking Bank Sepah, a major Iranian financial institution. Predatory Sparrow alleges that the bank was used to circumvent international sanctions and finance the Iranian regime's military activities. While independent verification of the attack is pending, reports have emerged of banking disruptions and closed Bank Sepah branches across Iran. The group has targeted Iranian organizations in the past.

The intensification of cyber hostilities between Israel and Iran raises concerns about potential spillover effects, with U.S. companies and critical infrastructure facing increased risks. Cybersecurity experts are urging organizations to brace for potential disruptions and enhance their defenses against cyberattacks. The digital conflict highlights the importance of cybersecurity preparedness in a world where geopolitical tensions increasingly manifest in cyberspace.

Recommended read:
References :
  • thecyberexpress.com: Iran-Israel cyber conflict intensifies with hacktivist attacks and new malware campaigns.
  • SpiderLabs Blog: The Digital Front Line: Israel and Iran Turn the Internet into a Covert Combat Zone
  • aboutdfir.com: U.S. companies brace for Israel-Iran cyber spillover

Ashish Khaitan@The Cyber Express //
Oxford City Council has suffered a cyberattack resulting in the potential exposure of personal data relating to election workers. The incident, which occurred the weekend of June 7th and 8th, involved unauthorized access to the council's network. Automated security systems detected and contained the intrusion, minimizing the attackers' access to systems and databases.

As a precaution, the council took down its main systems to conduct thorough security checks. Most systems are now safely operational, with the remainder expected to be back online shortly. While email systems and wider digital services remain secure, the attackers managed to access historic data on legacy systems, specifically impacting individuals who worked on Oxford City Council-administered elections between 2001 and 2022, including poll station workers and ballot counters.

The council has stated that there is no evidence to suggest the accessed information has been shared with third parties, and investigations are ongoing to determine the precise nature and extent of the data compromised. Impacted individuals have been contacted, and the council has reported the incident to relevant government authorities and law enforcement agencies, assuring the public that actions have been taken to prevent further unauthorized access and that a full investigation is underway.

Recommended read:
References :
  • thecyberexpress.com: Oxford City Council Cyberattack Disrupts Services and Exposes Historic Election Data
  • www.oxford.gov.uk: Council’s automated defense systems had identified and contained an unauthorized presence
  • www.itpro.com: Personal data taken in Oxford City Council cyber attack
  • thecyberexpress.com: The Oxford City Council cyberattack, which occurred over the weekend of June 7–8, was identified by the council’s automated defense systems.

@nvd.nist.gov //
Two high-severity vulnerabilities, identified as CVE-2025-5349 and CVE-2025-5777, have been discovered in Citrix NetScaler ADC and NetScaler Gateway products. According to a Citrix advisory released on June 17, 2025, these flaws pose a significant risk to organizations using the affected products. It is strongly recommended that users update their systems as soon as possible to mitigate potential exploits. These vulnerabilities affect NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-43.56, 13.1 before 13.1-58.32, 13.1-FIPS and NDcPP before 13.1-37.235-FIPS and NDcPP, and 12.1-FIPS before 12.1-55.328-FIPS. Note that versions 12.1 and 13.0 are End Of Life (EOL) and are also vulnerable.

CVE-2025-5777, which has a CVSS score of 9.3, stems from insufficient input validation, leading to a memory overread. This vulnerability is only exploitable when NetScaler is configured as a Gateway, encompassing VPN virtual servers, ICA Proxy, CVPN, or RDP Proxy, or when configured as an AAA virtual server. CVE-2025-5349, with a CVSS score of 8.7, is attributed to improper access control on the NetScaler Management Interface. Exploitation of this vulnerability requires the attacker to have access to the NSIP address, the Cluster Management IP, or the local GSLB Site IP. The National Vulnerability Database provides additional detail on both CVE-2025-5349 and CVE-2025-5777.

To address these vulnerabilities, Citrix advises upgrading to the latest versions of NetScaler ADC and NetScaler Gateway. Additionally, after upgrading all NetScaler appliances in a high availability (HA) pair or cluster to the fixed builds, Citrix recommends executing the following commands to terminate all active ICA and PCoIP sessions: `kill icaconnection -all` and `kill pcoipConnection -all`. CERT-In has also issued an advisory regarding these vulnerabilities. Further information regarding the impact on businesses can be found on Cyberexpress.

Recommended read:
References :
  • thecyberexpress.com: Two High-Severity Flaws Found in NetScaler Products: CVE-2025-5349 and CVE-2025-5777
  • cert.europa.eu: CERT-In has issued an advisory regarding these vulnerabilities.
  • nvd.nist.gov: The National Vulnerability Database provides additional detail on CVE-2025-5349 and CVE-2025-5777.
  • Blog: How to find Citrix NetScaler ADC & Gateway instances on your network

Rescana@Rescana //
References: infosec.exchange , WIRED ,
Amidst escalating regional conflicts, Iran has taken the drastic measure of shutting down internet access for its citizens, a move the government defends as a necessary precaution against Israeli cyberattacks. This disruption has severely impacted communication within the country, leaving Iranians abroad unable to connect with loved ones. One such individual, Amir Rashidi, expressed his anxiety, stating he hadn't heard from his family in two days and was relying on someone else for updates. The situation highlights the growing intersection of cyber warfare and real-world consequences for civilians.

The internet blackout is not the first instance of Iran limiting connectivity. In the past, similar restrictions were imposed during periods of political unrest, such as protests in 2019 and 2022. These shutdowns are implemented by pushing people towards domestic apps, which are often less secure, while also severely restricting access to vital information. Experts like Doug Madory from Kentik have documented significant drops in internet connectivity within Iran following recent Israeli airstrikes, with reductions of 54% initially, followed by further declines of 49% and, subsequently, a staggering 90%.

In a defensive maneuver against cyber threats, Iran is throttling its National Internet Infrastructure. The country claims it is restricting internet connectivity to counter cyber attacks amid regional conflict. The stated aim is to impede cyber intrusions and the synchronization of adversarial operations. An example of the threats Iran faces is demonstrated by the Israeli-linked hackers who seized and burned $90 million from Iran's Nobitex exchange.

Recommended read:
References :
  • infosec.exchange: NEW: Iran's government has now admitted that it took down the internet in the country, arguing that it did to protect against Israeli cyberattacks. I spoke to two Iranians who live abroad and can't communicate with their loved ones back home because of the blackout.
  • WIRED: Iran is limiting internet connectivity for citizens amid Israeli airstrikes—pushing people towards domestic apps, which may not be secure, and limiting their ability to access vital information. —
  • Rescana: Iran National Internet Infrastructure Throttling: Cyber Defense Strategy to Prevent Attacks Amid Regional Conflict

@blog.criminalip.io //
A critical security vulnerability, CVE-2025-49113, has been identified in Roundcube webmail, a popular skinnable AJAX based webmail solution for IMAP servers. The flaw allows for remote code execution (RCE) through the exploitation of email subject lines. Attackers can inject malicious PHP code into the subject header field, which, when processed by Roundcube, allows them to execute arbitrary commands on the server. This vulnerability is particularly dangerous as it can be exploited without any user interaction, enabling attackers to compromise systems simply by sending a malicious email.

This vulnerability affects Roundcube versions up to 1.6.4. Security researchers confirmed that the flaw was actively exploited to install backdoors and exfiltrate system information. As of June 2025, the Shadowserver Foundation reported that over 84,925 Roundcube instances were exposed to this vulnerability. Criminal IP Asset Search has also identified tens of thousands of affected cases, highlighting the widespread nature of the threat. The vulnerability was patched in version 1.6.5.

Ubuntu has released security notices (USN-7584-1) addressing the Roundcube vulnerability. It was discovered that Roundcube Webmail did not properly sanitize the _from parameter in a URL, leading to PHP Object Deserialization. A remote attacker could possibly use this issue to execute arbitrary code. The problem can be corrected by updating your system to the specified package versions for your Ubuntu release, which is available via standard system updates or Ubuntu Pro with ESM Apps. Given the severity and active exploitation of CVE-2025-49113, users are strongly advised to update their Roundcube installations immediately to the latest version.

Recommended read:
References :
  • CIP Blog: This article details the CVE-2025-49113 vulnerability affecting Roundcube webmail.
  • Ubuntu security notices: This article details the CVE-2025-49113 vulnerability, emphasizing its active exploitation and the importance of immediate patching.

@www.healthcareitnews.com //
References: www.comparitech.com ,
The healthcare sector has been rocked by a recent ransomware attack on Episource, a medical coding, risk adjustment services, and software company. The breach, which occurred in February 2025, resulted in the compromise of sensitive patient health information. According to reports, unauthorized access to Episource's computer systems allowed cybercriminals to view and copy data belonging to the company's healthcare provider and health plan customers. The exposed information includes personal contact information, health insurance plan data, medical diagnoses, test results, and images, raising serious concerns about patient privacy and security.

Sharp Community Medical Group and Sharp Healthcare, Episource clients, have confirmed that patient data was compromised in the attack. While the incident did not involve unauthorized access to electronic health records or patient portals, the exposed data includes health insurance information and health data, such as medical record numbers, doctors, diagnoses, medications, test results, images, care, and treatments. Episource began notifying affected customers about which individuals and specific data may have been involved starting on April 23, 2025. Sharp Healthcare has also started sending out patient breach notifications.

This incident highlights the increasing vulnerability of healthcare organizations to ransomware attacks. Microsoft reports that 389 healthcare companies have been hit by ransomware this year alone, resulting in network shutdowns, offline systems, rescheduled appointments, and delays in critical procedures. The financial impact is significant, with healthcare organizations losing up to $900,000 per day on downtime. Experts emphasize the importance of strengthening cybersecurity measures, including employee training and awareness programs, to protect sensitive patient data and mitigate the risk of future attacks. Episource is working to strengthen its computer systems and has notified law enforcement.

Recommended read:
References :
  • www.comparitech.com: Medical software maker Episource data breach leaks thousands of patients’ private health info
  • : Episource ransomware attack leaked patient health data

@www.healthcarefinancenews.com //
Ransomware groups are continually evolving their tactics, posing an increasing threat to organizations worldwide. Recent reports highlight the exploitation of vulnerabilities in software and the use of sophisticated techniques, such as abusing legitimate employee monitoring software, to breach systems. A Symantec report revealed the discovery of Fog Ransomware, showcasing the attackers' innovative use of tools, including a legitimate security solution (Syteca) capable of recording on-screen activity and monitoring keystrokes, which they deployed using PsExec and SMBExec.

The Cybersecurity and Infrastructure Security Agency (CISA) issued Advisory AA25‑163A, warning of ransomware actors exploiting CVE-2024-57727 in unpatched SimpleHelp Remote Monitoring and Management (RMM) software, specifically versions 5.5.7 and earlier. This vulnerability allowed attackers to compromise a utility billing software provider and initiate double-extortion attacks. The attacks targeting unpatched SimpleHelp deployments have been observed since January 2025, indicating a sustained and targeted effort to exploit this vulnerability.

In addition to software vulnerabilities, data breaches are also occurring through direct hacks. Zoomcar, an Indian car-sharing company, recently acknowledged a data breach affecting 8.4 million users, where hackers accessed customer names, phone numbers, car registration numbers, personal addresses, and emails. While sensitive information like passwords and financial details were reportedly not exposed, the breach raises concerns about the security of personal data stored by such platforms. Furthermore, the DragonForce group has started posting new victims to their darknet site, publicly extorting two new organizations, highlighting the continued use of double extortion tactics by ransomware groups.

Recommended read:
References :
  • cyble.com: The greatest number of ransomware attacks were directed towards the professional services and construction sectors.
  • cybersecurityventures.com: Ransomware: File Data Is Harder to Manage and Defend
  • : The attack resulted in a significant data breach at Caesars Entertainment.

Field Effect@Blog //
References: Blog , securityaffairs.com
Multiple security vulnerabilities are being actively exploited across various systems, posing significant risks to organizations and individuals. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a Linux Kernel vulnerability to its Known Exploited Vulnerabilities catalog, emphasizing the urgency of addressing this flaw. Furthermore, researchers have uncovered a vulnerability chain affecting a wide range of Linux distributions that could allow an unprivileged user to gain full root access. These vulnerabilities, CVE-2025-6018 and CVE-2025-6019, reside in the Pluggable Authentication Modules (PAM) configuration and libblockdev, respectively.

Proof-of-concept (POC) code has been published for the Linux vulnerability chain, raising the potential for widespread exploitation. The libblockdev flaw is exploitable through the udisks daemon, a tool commonly deployed in Linux distributions such as Ubuntu, Debian, Fedora, openSUSE, Arch Linux, and Red Hat Enterprise Linux (RHEL). In addition to Linux vulnerabilities, there is also an increase in infostealer malware such as Lumma Stealer with new rules being added to detect associated command and control (CnC) domains. This highlights the diverse and evolving nature of cyber threats.

The constant discovery and exploitation of vulnerabilities underscore the critical importance of timely patching and robust security awareness. Organizations are advised to prioritize patching the Linux Kernel flaw added to CISA's Known Exploited Vulnerabilities catalog, as well as the vulnerability chain affecting multiple Linux distributions. In addition to addressing Linux flaws, organizations need to also protect themselves from a range of malware, including the Lumma Stealer. The Cybersecurity community continues to identify and address many more vulnerabilities in a range of products including Apple products, TP-Link routers and Zyxel products. Regular security audits and proactive threat hunting are also essential for mitigating risks and maintaining a strong security posture.

Recommended read:
References :
  • Blog: Researchers published proof-of-concept (POC) code for an attack chaining two local privilege escalation (LPE) vulnerabilities affecting a wide range of Linux distributions.
  • securityaffairs.com: U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Linux Kernel vulnerability to its Known Exploited Vulnerabilities catalog.

sila.ozeren@picussecurity.com (Sıla@Resources-2 //
A new report has revealed that the Silver Fox APT group, a China-based state-sponsored actor active since 2024, is targeting the public sector through trojanized medical software. The group, also known as Void Arachne or The Great Thief of Valley, is known for cyber espionage, data theft, and financially motivated intrusions, targeting healthcare organizations, government entities, and critical infrastructure. Their campaigns involve a custom remote access trojan called Winos 4.0 (ValleyRAT), derived from the Gh0st RAT malware family.

The Silver Fox APT employs a multi-stage campaign that utilizes backdoored medical software and cloud infrastructure to deploy remote access tools, disable antivirus software, and exfiltrate data from healthcare and public sector targets. One confirmed case involves a trojanized MediaViewerLauncher.exe, disguised as a Philips DICOM Viewer. This trojanized binary acts as a first-stage loader, initiating the malware chain. The group also exploits popular applications like Chrome, VPN clients, deepfake tools, and voice changers with backdoored installers, distributed through phishing or poisoned search results.

Once executed, the malware reaches out to an Alibaba Cloud Object Storage bucket to retrieve an encrypted configuration file (i.dat), containing URLs and filenames for second-stage payloads disguised as benign media files (e.g., a.gif, s.jpeg). These payloads then deploy DLL loaders, anti-virus evasion logic, and a vulnerable driver (TrueSightKiller) to disable security software. The group also uses PowerShell exclusions to suppress Defender scans and employs RPC-based task creation and BYOVD techniques to terminate processes like MsMpEng.exe (Windows Defender). In a separate campaign, Silver Fox is also targeting Taiwan via phishing emails with malware families HoldingHands RAT and Gh0stCringe, using fake tax lures and PDF documents.

Recommended read:
References :
  • Resources-2: Picus Security blog discussing Silver Fox APT targeting public sector via trojanized medical software.
  • securityonline.info: The post appeared first on .