Google has released emergency security updates for its Chrome browser to address a critical zero-day vulnerability that is being exploited in the wild. The flaw, tracked as CVE-2025-6554, is described as a type confusion bug in Chrome's V8 JavaScript and WebAssembly engine.
A malicious campaign, dubbed “Houken”, attributed to a China-affiliated threat actor, has been targeting key French sectors including government, telecom, finance, media, and transport. ANSSI’s CERT-FR report links the operation to UNC5174, a group believed to serve as an initial access broker for China’s Ministry of State Security. Attackers exploited three critical Ivanti device vulnerabilities (CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380) to gain remote access, steal credentials, deploy malware, and maintain persistence on compromised systems.
US security agencies have issued a joint advisory warning of increased cyber threat activity from Iranian state-sponsored and affiliated actors, urging organizations, particularly in the defense sector, to remain vigilant. Cybersecurity firm Censys said it observed increasing online exposure of four device types commonly targeted by Iranian hackers: Unitronics Vision PLCs, Orpak SiteOmat, Red Lion industrial equipment, and the Tridium Niagara framework. From January to June 2025, exposure increased by 4.5% to 9.2% for all but the Orpak devices. Notably, Unitronics and Orpak devices often ship with default credentials, making them especially vulnerable to cyberattacks.
A new report from ESET analyzes the Russian Gamaredon APT’s updated cyberespionage toolset, new stealth-focused techniques, and aggressive spearphishing operations observed throughout 2024. According to the report, the threat actor shifted its focus exclusively to Ukrainian government institutions and ramped up its spearphishing campaigns, using new delivery methods such as malicious hyperlinks and LNK files that executed PowerShell scripts from Cloudflare-hosted domains.
Gamaredon introduced six new malware tools based on PowerShell and VBScript, aimed at achieving stealth, persistence, and lateral movement within networks. The threat actor updated existing tools with improved obfuscation and advanced data exfiltration techniques. Gamaredon concealed most of its command-and-control (C2) infrastructure behind Cloudflare tunnels and increasingly relied on third-party services such as Telegram, Telegraph, Dropbox, and DNS-over-HTTPS to shield its operations.
UAC-0226, a cyber-espionage group known for targeting Ukrainian military, law enforcement, and local government entities, has upgraded its info-stealing malware Giftedcrook with intelligence gathering capabilities. While the original version of Giftedcrook focused on browser data theft, the next variant, version 1.2, introduced file system access, encrypted communications, and archive encryption. Version 1.3, the most recent and sophisticated, includes targeted search of files modified in the last 45 days, suggesting a clear focus on obtaining fresh intelligence.
North Korean threat actors are targeting Web3 and cryptocurrency platforms using Nim-compiled malware in a sophisticated campaign. The malware uses process injection and encrypted WebSocket (wss) communication for stealthy remote control. It also employs a unique persistence mechanism that leverages SIGINT/SIGTERM signal handlers to reinstall itself upon termination or system reboot. AppleScripts are used in the attack chain for initial access and as beacons and backdoors.
The US Department of Justice has launched a major crackdown on a North Korean IT worker scheme designed to fund Kim Jong Un’s regime by placing operatives in remote IT jobs with American companies using false or stolen identities. Authorities unsealed two indictments, arrested one suspect, conducted searches in 16 states, and seized financial accounts and fraudulent websites linked to the operation. The scheme was supported by collaborators in North Korea, the US, China, the UAE, and Taiwan. Microsoft also said it disabled 3,000 email accounts believed to be connected to the fraudulent activity.
Silent Push has uncovered a large-scale Chinese phishing campaign targeting popular retail brands through thousands of fake e-commerce websites. The threat actor created spoofed pages mimicking companies like Apple, Harbor Freight Tools, Michael Kors, REI, Wayfair, and Wrangler Jeans. The operation also exploited payment platforms such as MasterCard, PayPal, Visa, and Google Pay to steal user credentials and financial information across its network of scam sites.
The Canadian government has ordered Chinese video surveillance giant Hikvision to shut down its operations in Canada, citing national security risks. Mélanie Joly, Canada’s Minister of Industry, announced that Hikvision Canada Inc. must cease all business activities in the country and can no longer sell products to federal institutions.
A June 2025 report from the US Department of Justice Inspector General revealed that the Sinaloa drug cartel, once led by Joaquín “El Chapo” Guzmán, conducted high-level surveillance on FBI personnel. The cartel used a hired hacker to exploit electronic devices, intercept phone calls, and hack surveillance cameras, identifying potential witnesses to target and kill. The tactic, known as ‘ubiquitous technical surveillance’ (UTS), combines various data sources, including visual imagery, communications, financial records, travel data, and online activity, to create detailed profiles.
A recent CIA review reaffirmed earlier findings that Russia interfered in the 2016 US election to help Donald Trump defeat the Democratic Party’s Hillary Clinton. The review, ordered by CIA Director John Ratcliffe, focused on the controversial judgment that Russian President Vladimir Putin aimed to support Trump’s candidacy. It found no reason to retract that conclusion, though it criticized procedural flaws in the original assessment. The 2016 intelligence report had determined that Russia orchestrated a broad hacking and disinformation campaign to damage Clinton and undermine US democracy, an accusation Russia continues to deny. Trump had previously dismissed the findings.
Two new pro-Russian hacktivist groups, IT Army of Russia and TwoNet, have launched coordinated cyberattacks against Ukraine and its allies, according to a report by cybersecurity firm Intel 471. Active since early 2025, the groups coordinate via Telegram, conducting DDoS attacks, website defacements, and data theft. IT Army of Russia has been particularly active, claiming responsibility for attacks on Ukrainian websites and attempting to recruit insiders from Ukraine’s critical infrastructure. Researchers believe the groups may be rebranded versions of known threat actors, though their exact origins remain unclear.
A large-scale malicious campaign has been uncovered involving dozens of fake Firefox extensions designed to steal cryptocurrency wallet credentials. The extensions impersonate legitimate wallet tools from widely-used platforms such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox. Once installed, the malicious extensions silently exfiltrate wallet secrets. According to Koi Security, the campaign has been active since at least April 2025, with new extensions appearing on the Firefox Add-ons store as recently as last week.
A major mobile ad fraud scheme called IconAds, involving 352 Android apps, has been discovered and disrupted, according to cybersecurity firm HUMAN. The apps displayed hidden, out-of-context ads and concealed their icons to avoid detection and removal. At its peak, the operation generated 1.2 billion ad bid requests daily, with most traffic coming from Brazil, Mexico, and the US. The apps, now removed from the Google Play Store, are linked to a broader family of malware known as HiddenAds or Vapor, which has repeatedly bypassed Google’s defenses since 2019.
A recent report from Okta Threat Intelligence describes how cybercriminals are using generative AI to create convincing phishing websites. The attackers have been observed weaponizing v0, a tool developed by Vercel that allows users to build landing pages and web apps from simple natural language prompts. The malicious actors used v0.dev to create fake login pages mimicking legitimate brands. In separate research, cybersecurity firm Netcraft found that large language models (LLMs) can be fooled by phishing scams, with the models providing the correct URL only 66% of the time.
A recent study involving Chinese call center staff at Guangxi Power Grid and several universities reveals that AI assistants meant to help customer service representatives (CSRs) often cause more problems than they solve. While the AI tools were designed to reduce tasks like note-taking and memory load during calls, workers reported frequent glitches, inaccurate transcriptions, and faulty number rendering that required manual corrections. Emotion recognition features were also unreliable, often misinterpreting normal speech as negative emotions. As a result, many CSRs found themselves spending extra time verifying and correcting the AI’s output.
The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has imposed sanctions on Russia-based bulletproof hosting (BPH) provider Aeza Group, accusing the company of supporting cybercriminal operations and global threat actors. Aeza Group is accused of knowingly leasing infrastructure to cybercrime groups including ransomware and infostealer families such as BianLian, RedLine, Meduza, and Lumma. Aeza's infrastructure was reportedly used by the pro-Russian influence operation Doppelganger and the Russia-aligned hacker group Nebulous Mantis (aka Cuba, STORM-0978, Tropical Scorpius, UNC2596), known for deploying the RomCom RAT.
The ransomware group Hunters International announced it is shutting down its Ransomware-as-a-Service (RaaS) operation and is offering free decryptors to help victims recover their data without paying a ransom. In a statement on its dark web site, the group cited “recent developments” as the reason for closing. Despite this announcement, cybersecurity experts believe the group is simply rebranding and shifting tactics, launching a new data theft and extortion-only operation called World Leaks.
Two major investment fraud rings that defrauded victims of millions of euros have been dismantled in Spain. One group ran a shell investment company, promoting fake opportunities in top-tier firms and cryptocurrency through social media. Using tactics similar to ‘romance baiting’ or ‘pig butchering’ scams, the criminals exploited trusted brands and fabricated testimonials to deceive victims and lure them into fraudulent investments. The second fraud ring laundered an estimated EUR 460 million in illicit profits through an elaborate scheme involving fake crypto investments. Victims were lured into investing substantial sums, which were then funneled through a web of associates via cash withdrawals, bank transfers, and crypto transfers.
Separately, Spanish police have arrested two individuals in Las Palmas for allegedly engaging in cybercriminal activity, including stealing data from the government. Described as a ‘serious threat to national security,’ the pair targeted high-ranking officials and journalists, leaking some data online. One suspect handled data theft, while the other managed sales and finances through cryptocurrency.