Cyber Security Week in Review: June 13, 2025

Microsoft has rolled out security fixes as part of its June 2025 Patch Tuesday release that cover over 60 vulnerabilities, including a zero-day flaw exploited in real-world attacks. The flaw (CVE-2025-33053) is a remote code execution issue in Microsoft Windows MSHTML stemming from the incorrect processing of file paths in WebDAV links. A remote attacker can trick the victim into clicking on a specially crafted link and execute arbitrary code on the system. The flaw has been exploited in a new campaign orchestrated by the Stealth Falcon state-backed threat actor, which is largely focused on the Middle East and Africa. This recent attack has targeted high-profile entities in the government and defense sectors in Turkey, Qatar, Egypt, and Yemen.

Paragon’s Graphite spyware was used in zero-click attacks targeting the iPhones of at least two prominent European journalists in early 2025, according to Citizen Lab. The spyware exploited a then-unknown zero-day vulnerability (CVE-2025-43200) in iOS 18.2.1, delivered via iMessage without any user interaction. The threat actor used an account, named in the research as ‘ATTACKER1,’ to send malicious messages that exploited CVE-2025-43200 for remote code execution. The vulnerability was patched in iOS 18.3.1 on February 10.

A widespread and coordinated cyber campaign is actively targeting Apache Tomcat Manager interfaces exposed to the internet, according to threat intelligence company GreyNoise. The campaign, first observed on June 5, involves brute-force login attempts originating from hundreds of unique IP addresses.

More than 70,000 Roundcube webmail installations have been found vulnerable to a high-severity remote code execution flaw, which has reportedly been exploited in the wild. The flaw, tracked as CVE-2025-49113, affects Roundcube versions 1.1.0 through 1.6.10. It has existed for over a decade and was patched on June 1. Researchers report that an exploit for the vulnerability is already being sold on underground forums, and there is evidence of active exploitation attempts.

Two distinct Mirai botnets have been observed targeting a critical vulnerability in Wazuh servers, Akamai researchers have warned. The flaw in question is CVE-2025-24016, an unsafe deserialization issue in the manager package of the open-source XDR and SIEM solution Wazuh. It impacts Wazuh versions 4.4.0 through 4.9.0, with a fix released in version 4.9.1. The vulnerability allows a remote attacker with API access to execute arbitrary code on the target server using a malicious JSON file. Following the public disclosure, a proof of concept (PoC) was released, detailing how to achieve remote code execution using the vulnerability.

Cybersecurity firm SentinelOne disclosed that it was one of over 70 targets in a widespread cyber espionage campaign that took place between July 2024 and March 2025. The operation affected various sectors, including government, finance, manufacturing, and telecommunications. The campaign is attributed to China-linked state-sponsored threat actors, with ties to the threat cluster ‘PurpleHaze,’ which shows connections to known groups APT15 and UNC5174. SentinelOne detected PurpleHaze reconnaissance activity on its servers in April 2024, focused on mapping internet-facing systems for possible future attacks.

Resecurity released a report on APT41 aka BARIUM, Wicked Panda, and Brass Typhoon, a Chinese state-sponsored threat actor that targets a wide range of sectors, including healthcare, telecom, software, and government entities across the globe, in some cases combining custom malware and ransomware.

OpenAI has banned a group of ChatGPT accounts operated by Russian-speaking threat actors and Chinese state-affiliated hacking groups that were abusing the AI platform for cybercriminal and espionage activities. According to OpenAI’s latest threat intelligence report, Russian threat actors exploited ChatGPT to develop Windows-based malware, set up command-and-control (C2) infrastructure, and debug multi-language code. The campaign, dubbed ScopeCreep, involved the use of temporary email accounts for one-off ChatGPT sessions, through which the threat actors made small improvements to malware before abandoning the account to avoid detection.

The Qilin ransomware group, also tracked as Phantom Mantis, has launched a wave of attacks targeting unpatched Fortinet devices, exploiting critical vulnerabilities to bypass authentication and remotely deploy malicious code. According to cybersecurity firm PRODAFT, Qilin began a coordinated campaign between May and June 2025 using Fortinet vulnerabilities CVE-2024-21762 and CVE-2024-55591.

Proofpoint researchers have uncovered an ongoing account takeover (ATO) campaign dubbed UNK_SneakyStrike, which leverages the TeamFiltration penetration testing framework to target Entra ID user accounts. Active since December 2024, the campaign has impacted over 80,000 user accounts across hundreds of organizations. Attackers utilize the Microsoft Teams API and AWS servers from various regions to conduct user enumeration and password spraying. Once access is gained, they exploit resources such as Microsoft Teams, OneDrive, and Outlook to further infiltrate the affected environments.

Fog ransomware hackers have been observed using an uncommon toolset in a recent attack on a financial institution in Asia, according to researchers at Symantec. The attackers leveraged open-source penetration testing tools and a legitimate employee monitoring software called Syteca (formerly Ekran), which records screen activity and keystrokes. Delivered via the Stowaway proxy tool and executed with SMBExec from the Impacket framework, Syteca enabled the attackers to harvest sensitive information such as employee credentials. The toolset also included GC2, a post-exploitation backdoor that uses Google Sheets or Microsoft SharePoint for command-and-control and data exfiltration. The initial infection vector remains unknown as yet.

Trellix released an in-depth analysis of the LockBit admin panel, detailing the inner workings of the ransomware operation, including attacks on Russian entities, affiliates and connections to other RaaS gangs.

Former members of the collapsed Black Basta ransomware group, exposed by an insider leak on Telegram, are still active and using the same tactics such as email bombing and Microsoft Teams phishing to breach networks. More recently, they incorporated Python scripts in the attacks, which are deployed via cURL to deliver malicious payloads. The threat actors are also using tools like Quick Assist and AnyDesk to initiate remote desktop sessions, allowing them to download and execute Python-based malware to establish command-and-control (C2) access.

The US Cybersecurity and Infrastructure Security Agency (CISA) has warned that ransomware groups are exploiting unpatched SimpleHelp Remote Monitoring and Management (RMM) software. Versions 5.5.7 and earlier of SimpleHelp contain several vulnerabilities, including CVE-2024-57727. Attackers are leveraging the flaws to gain access to downstream systems and carry out double extortion attacks.

The DomainTools Investigations Team published a report detailing connections between Russian-affiliated ransomware operations.

The notorious cybercrime group Scattered Spider has upgraded its arsenal, incorporating advanced social engineering and domain impersonation tactics. According to cybersecurity firm ReliaQuest, the group has evolved from a simple SIM-swapping operation into a “global threat” using sophisticated credential-harvesting campaigns.

The Royal Canadian Mounted Police (RCMP) lost an unencrypted USB key containing personal information on 1,741 individuals, including victims, witnesses, informants, and police personnel. Three weeks after the loss, the RCMP learned from a confidential source that the data was being offered for sale by criminals. The breach was reported to the Office of the Privacy Commissioner in March 2022. The privacy watchdog recommended stricter security protocols for USB use, which the RCMP accepted in principle but without a set timeline for implementation.

Israeli researchers have devised a new technique called ‘SmartAttack’ that enables data exfiltration from air-gapped systems using smartwatches. The method leverages smartwatches as receivers for ultrasonic covert communication in air-gapped environments. SmartAttack involves malware that modulates hardware signals to transmit data via ultrasonic waves, which are then covertly received by a nearby smartwatch, bypassing traditional network defenses.

A novel TokenBreak method exploits vulnerabilities in the tokenization process of large language models (LLMs) to bypass safety and content moderation systems. By making a minimal change to the input, the attacker can manipulate how the text is tokenized, effectively evading detection by text classification models designed to identify malicious, unsafe, or inappropriate content.

Provider of IT management and remote monitoring solutions ConnectWise has alerted customers that it is rotating the digital code signing certificates used to verify the integrity of its key products, ScreenConnect, ConnectWise Automate, and ConnectWise RMM, in response to potential security risks identified by a third-party researcher. The company said that this is a preventive action and not related to any recent security incident, including the nation-state cyberattack reported last month.

INTERPOL and law enforcement agencies from 26 countries have dismantled more than 20,000 malicious IP addresses and domains linked to information-stealing malware. Dubbed ‘Operation Secure’, the effort ran from January to April 2025 and targeted cybercriminal infrastructure worldwide. The operation resulted in the takedown of 79% of identified suspicious IPs, seizure of 41 servers, over 100 GB of critical data, and 32 arrests linked to cyber offenses.

US authorities have charged Iurii Gugnin (aka Iurii Mashukov and George Goognin), a 38-year-old Russian national residing in New York, for operating a large-scale international money laundering and sanctions evasion scheme. Gugnin used his cryptocurrency companies, Evita Investments Inc. and Evita Pay Inc., to move over $500 million in cryptocurrency through US banks and crypto exchanges while hiding the origins and purposes of the transactions. Many of the funds came from sanctioned Russian banks.

Gugnin is charged with multiple crimes, including wire and bank fraud, conspiracy to defraud the US, violations of the International Emergency Economic Powers Act (IEEPA), operating an unlicensed money transmitting business, and money laundering. He lied to financial institutions about the nature of his business and customers, facilitated payments for sensitive US electronics, and helped procure parts for Rosatom, Russia’s state nuclear company. He was arrested and arraigned in New York.

Authorities in Romania and the Republic of Moldova conducted a coordinated operation targeting the laundering of proceeds from phishing fraud. On the joint action day, 44 locations were searched across both countries. The dismantled organized crime group (OCG), operating from professional call centers in Moldova, was composed of Romanian, Moldovan, Ukrainian, and Italian nationals. The group obtained victims' personal and banking data to make fraudulent transactions, affecting individuals across the EU. So far, 30 victims have been identified, with total financial losses reaching EUR 20 million.
