Information Security News | AI Aggregator

Cybercriminals are manipulating Google search results to display fraudulent contact numbers instead of legitimate ones, creating a sophisticated scam. By purchasing sponsored ads that mimic official listings, users are directed to authentic company websites, unaware that the displayed phone number is fraudulent. This technique exploits vulnerabilities in how search results are rendered, allowing scammers to extract sensitive information from victims who believe they are contacting legitimate customer support.

Scammers are injecting fake tech support phone numbers into legitimate websites, affecting major companies like Apple, PayPal, and Netflix. This tactic, known as search parameter injection or reflected input vulnerability, modifies URLs to display malicious content while maintaining the legitimate domain. Users are advised to verify phone numbers in URLs, watch for high-pressure language, and navigate directly to official sites for support, as scammers often use ads to lure victims.

Scammers are hijacking search results for support from major companies like Netflix and Apple, using SEO manipulation to promote malicious websites. By purchasing ads that lead to real help pages with fake phone numbers, they exploit a reflected input vulnerability in Netflix's search functionality. Victims may unknowingly provide personal information or grant remote access to their computers. Malwarebytes advises vigilance against suspicious URLs and warns that legitimate support will never ask for sensitive information.

Aflac Inc. disclosed a cyber intrusion on June 12, linked to a broader crime spree targeting the insurance industry by the group Scattered Spider. The attack was contained quickly, and Aflac's systems remain operational. The incident involved potential access to sensitive data, including health records and Social Security numbers. Aflac is reviewing affected files and plans to notify regulators and impacted individuals, offering credit monitoring and identity-theft services.

Aflac disclosed a data breach affecting its systems, part of a broader campaign targeting U.S. insurance companies by a sophisticated cybercrime group, likely Scattered Spider. The breach may have involved the theft of personal and health information, including social security numbers. Aflac confirmed no ransomware was deployed. The company activated its cyber incident response protocols and engaged external experts to investigate. Other recent targets of Scattered Spider include MGM Resorts and Philadelphia Insurance Companies.

Aflac disclosed a cyberattack on June 12, potentially impacting its data, following unauthorized network access. The company activated its cybersecurity protocols and contained the intrusion within hours. Aflac, along with Erie Insurance and Philadelphia Insurance Companies, was targeted by a cybercrime campaign, likely by the group Scattered Spider, known for using social engineering tactics. Preliminary findings suggest claims information and personal data may be affected, but no evidence of ransomware has been found.

Aflac reported a cyberattack on June 12, 2023, attributed to a sophisticated cybercrime group using social engineering tactics. The attack potentially impacted claims information, health data, Social Security numbers, and personal information of customers and employees. Aflac contained the attack quickly, and no ransomware was involved. Experts noted a shift in targeting vulnerable individuals and emphasized the need for enhanced security measures, particularly against social engineering and AI-assisted attacks.

Aflac disclosed a security breach on June 12, linked to the cybercrime group Scattered Spider. The unauthorized access did not involve ransomware, and business operations remained unaffected. However, the intruder may have accessed sensitive customer data, including claims information and Social Security numbers. Aflac is engaging third-party cybersecurity experts for incident response. This breach follows similar incidents affecting Erie Insurance and Tokio Marine, prompting warnings for the insurance sector.

Cloudflare neutralized a record-breaking DDoS attack against a hosting provider in the previous month, peaking at 7.3 terabits per second, surpassing the prior record of 6.5 Tbps. The attack lasted 45 seconds, sending over 37.4 TB of data from more than 122,000 IP addresses across 161 countries, primarily from Brazil and Vietnam. The attack involved UDP floods, and Cloudflare utilized automated systems and mitigation rules. Organizations are advised to adopt tailored security measures to prevent DDoS attacks.

In mid-May 2025, Cloudflare thwarted a record DDoS attack peaking at 7.3 Tbps, delivering 37.4 TB of traffic in 45 seconds. The attack, targeting a hosting provider, utilized 99.996% UDP floods and sophisticated amplification techniques, originating from 122,145 IPs across 161 countries. Key sources included Brazil and Vietnam. Cloudflare's autonomous mitigation employed advanced packet sampling and heuristic engines, achieving zero-touch containment without human intervention.

Cloudflare mitigated a record 7.3 Tbps DDoS attack in May 2025, targeting a hosting provider. The attack peaked with 37.4 TB of data in 45 seconds, using 122,145 source IPs from 161 countries. It employed multiple vectors, primarily UDP floods (99.996% of traffic), and exploited legacy services. Cloudflare utilized its 'Magic Transit' service and anycast network to disperse traffic across 477 data centers. Valuable IoCs were added to its DDoS Botnet Threat Feed, urging organizations to subscribe for preemptive blocking.

On Friday, Cloudflare reported a record DDoS attack measuring 7.3 terabits per second, delivering 37.4 terabytes of junk traffic in just 45 seconds. The attack targeted a single IP address, bombarding nearly 22,000 destination ports. Most of the traffic was in the form of User Datagram Protocol (UDP) packets, which can overwhelm a target's resources without requiring a connection handshake. This type of attack can saturate Internet links, leading to denial of service for legitimate users.

A new Android botnet malware named AntiDot poses a significant threat, offering attackers extensive control over infected devices. Marketed by LARVA-398, it operates as a Malware-as-a-Service (MaaS) tool, combining a loader, packer, and botnet infrastructure. AntiDot features capabilities like screen recording, SMS interception, and data exfiltration. It utilizes at least 11 command-and-control servers managing over 3,775 devices, employing sophisticated evasion techniques. The malware supports overlay attacks on cryptocurrency apps, enhancing its targeting flexibility.

More than 3,775 Android devices have been infected with the AntiDot malware-as-a-service botnet across 273 campaigns. Deployed via malicious emails or ad networks, it tricks users into granting accessibility permissions through a fake update bar. Managed by LARVA-398, AntiDot enables phone call monitoring, notification tracking, and is supported by a command-and-control panel for real-time communication. Researchers highlight its scalable design for financial gain, coinciding with the resurgence of the GodFather banking trojan.

Over 16 billion login credentials have been exposed in one of the largest data breaches, affecting platforms like Apple, Gmail, and Facebook. Researchers found at least 30 datasets, each containing up to 3.5 billion records, organized with usernames and passwords, likely stolen via infostealer malware. The data is recent and poses a significant risk for identity theft and targeted phishing. Recommendations for protection include enabling Two-Factor Authentication, using unique passwords, and checking for breaches on HaveIBeenPwned.com.

A leak of 16 billion login credentials from platforms like Apple, Facebook, and Google has been discovered across 30 datasets, posing a severe cybersecurity threat. The data, often from infostealer malware, includes usernames, passwords, authentication tokens, and session cookies. Many datasets were previously accessible via unsecured Elasticsearch instances. The breach enables credential stuffing and phishing attacks, emphasizing the need for robust multi-factor authentication and strong password policies. Organizations should enhance endpoint detection and response measures.

A data breach has exposed 16 billion login credentials from major platforms including Apple, Google, and Facebook. Over 30 databases were compromised, with records containing URLs, usernames, and passwords. The breach may include data from previous incidents. To enhance security, users are advised to enable two-factor authentication (2FA) and check their email on Have I Been Pwned to determine if their credentials have been affected.

The article discusses the implications of a recent discovery of a database containing 16 billion records, including passwords. It emphasizes the importance of not reusing passwords and suggests using password managers for secure storage. It advocates enabling two-factor authentication (2FA) to enhance account security and recommends deleting unused accounts to minimize exposure. The author also highlights the utility of the website "Have I Been Pwned" for monitoring account breaches and suggests considering a fresh start with a new email for better security practices.

Researchers at Cybernews report that 16 billion login credentials have been leaked across 30 datasets, providing cybercriminals with significant access to consumer accounts. The data includes passwords for major platforms like Google, Facebook, and Apple, likely compiled from multiple breaches over time. Infostealers are suspected to be responsible. Users are advised to change passwords, avoid reusing credentials, consider password managers, and enable multifactor authentication to enhance security.

Internet users are urged to change passwords after researchers revealed 16 billion login records from infostealers and leaks. The datasets, briefly exposed on remote servers, include credentials for services like Facebook, Apple, and Google, though no centralized breach occurred at these companies. Experts recommend using password managers and multifactor authentication. The data, primarily from infostealers, highlights the ongoing risk of credential theft and the importance of proactive security measures.

The U.S. Justice Department is seeking to recover over $225.3 million in cryptocurrency linked to scams originating from Vietnam and the Philippines. A civil forfeiture complaint filed in D.C. details how fraudsters used numerous crypto wallets to deceive over 430 victims across multiple states. The investigation, aided by blockchain analysis, revealed a network of accounts tied to Vietnamese nationals operating from a "scam compound." The FBI reported $5.8 billion lost in crypto investment fraud last year.

The U.S. Department of Justice has forfeited over $225.3 million in cryptocurrency linked to investment fraud, marking the largest seizure of illicit crypto in the country. This operation involved the FBI, Secret Service, TRM Labs, and Tether, targeting a blockchain-based money laundering network that defrauded over 400 victims globally. Law enforcement used Last-In-First-Out tracing to identify funds merged into seven USDT wallet groups, which were subsequently frozen and destroyed by Tether, with equivalent amounts reissued to the U.S. government.

Cybersecurity researchers identified 67 trojanized GitHub repositories in a campaign targeting gamers and developers, codenamed Banana Squad. These repositories masquerade as Python hacking tools but deliver malicious payloads. This follows a 2023 campaign involving bogus packages on PyPI. The repositories, linked to account cleaning and game cheat tools, have been removed by GitHub. The trend highlights GitHub's growing role as a malware distribution vector, with multiple campaigns exploiting the platform.

The Banana Squad hacking operation has exploited 67 now-removed GitHub repositories to distribute malware targeting developers. Each compromised GitHub account hosted a single repository, linked to the domains 1312services[.]ru and dieserbenni[.]ru. The attackers used Base64, Fernet, and Hex encryption to hide malicious payloads. Developers are advised to verify repositories, avoid inactive accounts, use source code differential analysis tools, and monitor suspicious domain activity.

DuckDuckGo has launched a new browser edition featuring a Scam Blocker tool to protect users from online scams, including phishing sites and malware. With online fraud costing Americans $12.5 billion in 2024, the Scam Blocker prevents malicious pages from loading and blocks tracker-powered ads to mitigate risks from 'malvertising.' The tool operates without tracking user data, maintaining privacy by keeping a 'dangerous site list' locally. It is available for free on both mobile and desktop.

DuckDuckGo has enhanced its Scam Blocker to protect users from a wider array of online threats, including fraudulent investment sites, scareware, phishing hubs, malware distributors, and malicious ads. This upgrade responds to the FTC's report of $12.5 billion in fraud losses in 2024. The system uses a two-layer architecture for anonymous threat detection, updating a local threat list every 20 minutes and performing encrypted checks for rare threats. The feature is enabled by default and extends to all device traffic for Privacy Pro subscribers.

Krispy Kreme confirmed a data breach affecting thousands of current and former employees and their families, discovered on November 29, 2024. A six-month investigation revealed unauthorized access to sensitive personal information, including Social Security numbers, financial details, and biometric data. While no misuse of the data has been reported, the company is offering credit monitoring services. Krispy Kreme has implemented enhanced security measures and advises vigilance in monitoring financial accounts.

Krispy Kreme disclosed that a November cyberattack compromised data of 161,676 individuals, including sensitive information such as Social Security numbers, financial account details, and biometric data. The breach raised concerns about the company's security practices, particularly the storage of sensitive information together. Krispy Kreme is offering 12 months of credit monitoring and has incurred approximately $4.4 million in cleanup costs. The Play ransomware group claimed responsibility, although ransomware may not have been involved.

Krispy Kreme reported a data breach affecting 161,676 individuals following a cyberattack in November 2024. The stolen data includes Social Security numbers, financial account details, and biometric information. The attack disrupted online ordering and operations, leading to an estimated $5 million in losses. The Play ransomware gang claimed responsibility, with the FBI noting it as one of the most active ransomware groups in 2024. Krispy Kreme has since restored operations but continues to incur related costs.

On November 29, 2024, Krispy Kreme reported a data breach affecting 161,676 individuals, primarily employees and their families. Exposed data includes names, Social Security numbers, financial information, and biometric data. The breach may have resulted from a single database vulnerability. Victims are offered 12 months of credit monitoring. The Play ransomware gang claimed responsibility, asserting the stolen files contain sensitive information, though no evidence of misuse has been confirmed.

A member of the Ryuk ransomware gang was arrested in Ukraine and extradited to the U.S. for charges related to cyberattacks that extorted over $100 million globally. The 33-year-old suspect, arrested in April, was involved in identifying vulnerabilities in corporate networks. Authorities seized over $600,000 in crypto, luxury vehicles, and land. The Ryuk group has conducted over 2,400 attacks since 2018, primarily targeting corporations and critical infrastructure. The extradition follows a broader international crackdown on ransomware actors.

Ukraine's Office of the Prosecutor General announced the extradition of a suspected Ryuk ransomware hacker to the U.S. after an arrest in Kyiv. The hacker faces charges for cyberattacks causing over $100 million in losses. Authorities seized over $600,000 in cryptocurrency, luxury vehicles, and land during the arrest. The individual is on the FBI's Cyber Most Wanted list. The U.S. Department of Justice has not yet confirmed the extradition. This follows a significant international ransomware crackdown in 2023.

BlueNoroff, a North Korea-aligned threat actor, targeted a cryptocurrency foundation employee using deepfake Zoom calls to install backdoor malware on macOS. The attack involved a fake Calendly link leading to a malicious Zoom domain. The employee was tricked into downloading an AppleScript that executed a shell script, disabling logging and installing additional malware. Eight distinct malicious binaries were discovered, including keyloggers and information stealers. Security experts emphasize the need for training to recognize such social engineering attacks.

A North Korean APT group, TA444, is using weaponized Calendly and Google Meet links to deliver malware targeting cryptocurrency organizations. The attack begins with seemingly benign meeting invitations, leading to a sophisticated surveillance and cryptocurrency theft toolkit. Victims are lured into fake meetings featuring deepfakes of company leaders, prompting them to download a malicious Zoom extension. The malware employs advanced evasion techniques and installs multiple malicious binaries for keylogging and wallet theft.

An updated version of the Godfather malware targets Android banking apps, allowing hackers to create virtualized instances of these apps to steal user credentials in real-time. This malware scans infected devices for installed financial apps and launches its clones when users attempt to access them. Currently, attacks are focused on Turkish users, but the threat could expand globally. Recommendations for protection include disabling app installations from unknown sources, using Google Play Protect, and keeping devices updated.

A new version of the Godfather malware has been detected by Zimperium, specifically targeting Turkish Android users. This banking trojan creates virtualized instances of legitimate banking apps in a sandbox, allowing it to exfiltrate login credentials, PIN codes, and unlock patterns without requiring excessive permissions. The malware can also remotely control devices to conduct wire transfers while victims are asleep. While currently observed in Turkey, it poses a potential threat to banking users globally.

A new version of the Godfather Android malware uses virtualization to steal data from over 500 banking, cryptocurrency, and e-commerce apps. It creates isolated environments to execute legitimate app interfaces, enabling real-time credential theft and transaction manipulation. The malware employs a StubActivity to trick Android into running the virtualized app, capturing sensitive data while displaying a fake lock screen. To mitigate risks, users should download apps only from trusted sources and monitor permissions.

A new variant of the GodFather banking malware uses on-device virtualization to hijack legitimate banking and cryptocurrency apps. It creates isolated virtual environments to execute financial fraud, targeting nearly 500 applications, particularly in Turkey. This malware intercepts user interactions in real-time, capturing credentials while users believe they are using genuine apps. It employs advanced techniques to evade detection, undermining trust in mobile applications and enabling complete account takeovers.

Meta Platforms announced the addition of passkey support for Facebook on Android and iOS, enhancing security and ease of login. Passkeys, a passwordless authentication method backed by the FIDO Alliance, will also be available for Messenger soon. This feature allows users to auto-fill payment information with Meta Pay. Passkeys are designed to resist phishing and password theft. Meta previously implemented passkeys for WhatsApp in October 2023 and plans to introduce them for Instagram in the future.

Meta is rolling out passkey support for Facebook on iOS and Android, enhancing security by allowing users to log in using biometrics or a PIN instead of passwords. This change aims to reduce phishing risks and improve user experience. Passkeys will also be available for Messenger and will be used for verifying payments through Meta Pay and securing encrypted message backups. Users can set up passkeys via the Settings menu in the Facebook app.

Meta has launched passkey login for Facebook on iOS and Android, allowing users to sign in using biometric methods like fingerprints or face scans instead of passwords. Passkeys consist of two parts: one stored on the user’s device and the other on Facebook’s server, enhancing security against phishing and hacking. Messenger will soon support passkeys, and WhatsApp already does. Setup involves accessing Settings in the Facebook app and selecting Create Passkey.

Meta plans to introduce passkeys for Facebook on Android and iOS, and for Messenger in the coming months, enhancing user account security. Passkeys, which resist phishing and password spraying attacks, will also facilitate auto-filling payment details for Meta Pay purchases. This follows passkey support added for WhatsApp in October 2023 and April 2024. The announcement comes after Microsoft implemented passkeys for new consumer accounts, with Apple also updating its Passwords app for passkey management.

A British Russia expert, Keir Giles, was targeted in a sophisticated phishing attack that bypassed multi-factor authentication (MFA) using app-specific passwords (ASPs). The attack, likely executed by a Russian state-sponsored group (UNC6923), began on May 22 with a deceptive email from a supposed State Department official. The attackers tricked Giles into generating and sharing an ASP, granting them full access to his email accounts. Google detected the suspicious activity on June 4 and is investigating the incident.

Threat actors linked to Russia, identified as APT29 (UNC6293), exploited Google app passwords to bypass two-factor authentication in a targeted phishing campaign from April to June 2025. They impersonated the U.S. Department of State, using social engineering tactics to convince victims to create and share app passwords. This allowed attackers persistent access to victims' email accounts. Google and Citizen Lab reported the campaign's meticulous planning, including the use of fictitious email addresses to enhance credibility.

A Russian state-sponsored group, UNC6293, exploited Google’s App-Specific Passwords to bypass multi-factor authentication, targeting critics of Russia, including academic Keir Giles. The attackers used a sophisticated social engineering approach, posing as U.S. State Department officials and building trust over weeks. They manipulated Giles into creating an ASP for a fake platform, gaining persistent access to his email. Google recommends high-risk individuals enroll in their Advanced Protection Program to mitigate such attacks.

Russian hackers, identified as UNC6293 and linked to APT29, are using social engineering to extract application-specific passwords (ASPs) from targets, allowing them to bypass multi-factor authentication and access Gmail accounts. The campaign, which targeted experts on Russian politics and the Ukraine war, was highlighted after Keir Giles received a security alert following suspicious activity on his account. This tactic aligns with recent complex Russian cyber operations exploiting lesser-known authentication methods.

A malware campaign targeting Minecraft players has been uncovered by Check Point Research, linked to the Stargazers Ghost Network. This operation uses fake mods and cheats on GitHub to distribute infostealers that compromise credentials and cryptocurrency wallets. The malware evades antivirus detection and has infected over 17,000 systems. Recommendations include downloading mods only from reputable sources and using a separate account for testing. Full indicators of compromise (IoCs) are provided for detection.

Trojanized Minecraft cheat tools on GitHub have been found to install malware that steals credentials and sensitive data. Check Point Research identified around 500 malicious repositories, potentially infecting over 1,500 devices since March. The malware, masquerading as cheat tools, executes a multi-stage attack, collecting data from browsers, cryptocurrency wallets, and applications, and exfiltrating it via Discord webhooks. The operation is linked to Russian-speaking developers in the Stargazers Ghost Network.

Cybercriminals are targeting Minecraft users with advanced malware disguised as fake mods, exploiting the game's popularity. The campaign, active since March 2025, utilizes the Stargazers Ghost Network to create convincing GitHub repositories. The malware, which remains undetected by antivirus solutions, harvests sensitive data like Discord tokens and cryptocurrency credentials. Its design requires Minecraft runtime environments, evading traditional analysis. The infection begins when users install malicious JAR files into their mods directory.

Check Point Research has identified a large-scale operation by the Stargazers Ghost Network targeting Minecraft players through hundreds of malicious GitHub repositories. These repositories impersonate legitimate mods and cheats, aiming to steal login credentials, authentication tokens, and crypto wallet information. The malware, written in Java, evades antivirus detection. The attack occurs in two phases: the first targets Minecraft account tokens and user data, while the second deploys the infostealer “44 Caliber” to extract broader data.

A hacking campaign targeting Minecraft players has been identified, spreading malware disguised as game mods. Active since March 2025, the attack is linked to the Stargazer’s Ghost Network, using distribution-as-a-service methods via GitHub. The malware steals personal data, including passwords and cryptocurrency details, and can take screenshots. Over 1,500 devices have been compromised. Players are advised to download mods only from verified sources, avoid cheats, and keep systems updated.

A data breach at healthcare tech firm Episource has affected 5,418,866 individuals, with hackers accessing sensitive information between January 27 and February 6. Stolen data includes Social Security numbers, health insurance IDs, and medical records. Episource has engaged law enforcement and temporarily shut down its systems to protect customers. The company is coordinating notifications for affected individuals and advises them to monitor benefit statements for unauthorized charges.

Episource, a major US healthcare data provider, confirmed a cyberattack affecting over 5 million patients. The breach, detected on February 6, 2025, involved the theft of sensitive data, including health plans, Medicaid information, medical records, and personal details like Social Security numbers. The attack occurred between January 27 and February 6, 2025. The company notified affected individuals starting April 23, 2025, and advised vigilance against potential scams and impersonation attempts.

A data breach at healthcare services firm Episource exposed information from 5.4 million individuals, as reported to federal regulators. The breach, detected in February, involved unauthorized access to sensitive data, including health insurance details, medical records, and personal information such as Social Security numbers. Episource is notifying affected individuals and working with impacted healthcare organizations. Sharp Healthcare is one affected customer, reporting breaches of over 26,000 individuals.

North Korean-aligned Famous Chollima hackers have launched a campaign using a new Python-based remote access trojan, PylangGhost, targeting Windows and macOS users in the cryptocurrency sector. The group employs fake job recruitment sites impersonating companies like Coinbase to lure victims. The malware can steal credentials from over 80 browser extensions, including cryptocurrency wallets. The campaign primarily affects users in India, with no reported impact on Cisco customers.

Cisco Talos has identified the North Korean-aligned threat actor Famous Chollima targeting cryptocurrency and blockchain professionals in India through phishing campaigns. They have transitioned from the GolangGhost trojan to a new Python variant called PylangGhost, affecting Windows users, while MacOS users still face the Golang version. Organizations are advised to enhance their security measures against Python and Golang malware and educate employees on recognizing phishing attempts.

North Korean hackers, identified as "Famous Chollima," are targeting Indian job applicants in the cryptocurrency sector with malware. Since mid-2024, they create fake job postings to lure candidates to skill-testing sites mimicking legitimate companies like Coinbase and Uniswap. The malware, named "PylangGhost," steals browser credentials and session cookies. This campaign aims to gather data on successful applicants and potentially access devices later when victims are hired.

Asana disclosed that a bug in its AI-powered Model Context Protocol (MCP) tool may have exposed user data to other users for about a month, from early May to June 4, 2025. The leak affected approximately 1,000 customers, potentially revealing sensitive information like project metadata and discussions. Asana is notifying impacted organizations and recommends users review logs, AI summaries, and restrict LLM integration access while pausing auto-reconnections.

Asana fixed a vulnerability in its Model Context Protocol (MCP) server that could have allowed users to access other organizations' data. The issue was identified on June 4, leading to a two-week downtime for maintenance. Asana stated that no evidence suggests the bug was exploited. Customers were notified and required to manually reconnect to the MCP server. Recommendations include enforcing strict tenant isolation and logging LLM-generated queries to enhance security.

CISA has added CVE-2023-0386, a critical vulnerability in the Linux kernel's OverlayFS subsystem, to its Known Exploited Vulnerabilities catalog, warning of active exploitation. This flaw allows local attackers to escalate privileges by manipulating setuid files during file operations across different mount points. Affected systems include various Linux distributions and Red Hat Enterprise Linux versions. Organizations must apply vendor patches by July 8, 2025, or implement alternative mitigations to secure their environments.

CISA has alerted U.S. federal agencies about the exploitation of a high-severity Linux kernel vulnerability (CVE-2023-0386) affecting the OverlayFS subsystem, allowing root privilege escalation. Patched in January 2023, PoC exploits emerged in May 2023, making it easier to exploit. The flaw impacts various Linux distributions using kernel versions below 6.2. Agencies must patch their systems by July 8, as mandated by BOD 22-01. Qualys TRU also reported on two other LPE vulnerabilities affecting major Linux distributions.

Two local privilege escalation vulnerabilities (CVE-2025-6018 and CVE-2025-6019) have been discovered in major Linux distributions, allowing attackers to gain root access. The first flaw affects the PAM framework on openSUSE Leap 15 and SUSE Linux Enterprise 15, while the second, in libblockdev, enables root access via the udisks daemon, present on most Linux systems. Qualys advises immediate patching to mitigate risks, as unpatched systems could lead to severe security breaches.

Cybersecurity researchers from Qualys identified two local privilege escalation (LPE) vulnerabilities in major Linux distributions: CVE-2025-6018 in SUSE's PAM, allowing unprivileged users to escalate to "allow_active," and CVE-2025-6019 in libblockdev via udisks, enabling full root access. Both flaws can be exploited by attackers with active GUI or SSH sessions. A high-severity flaw (CVE-2025-6020) in Linux PAM was also disclosed, allowing privilege escalation via symlink attacks. Patches are recommended.

New variants of the WormGPT hacking tool, powered by AI models Grok and Mixtral, have emerged following the original's shutdown in August 2023. These variants, launched by “xzin0vich” and “keanu,” utilize existing commercial AI systems to generate malicious content like phishing emails and PowerShell scripts. They bypass AI safety measures through sophisticated prompt engineering. Security experts recommend enhanced threat detection, Zero Trust Network Access, and monitoring of unauthorized GenAI tool usage to mitigate risks.

Mistral AI's Mixtral and xAI's Grok have been exploited to create jailbroken AI tools, termed WormGPTs, marketed on cybercrime forums. Mixtral's variant, "WormGPT / 'Hacking & UNCENSORED AI," offers insights on cyberattacks and vulnerability detection. Grok supports the "Uncensored Assistant" on Telegram, enabling phishing email creation and credential theft. Both tools operate on a subscription model, with costs from $631 annually to $5,740 for private setups, as reported by Cato Networks.

Critical vulnerabilities in Veeam's backup software allow remote code execution on backup servers, posing significant risks. CVE-2025-23121 has a CVSS score of 9.9, affecting domain-joined servers. CVE-2025-24286 (7.2) allows Backup Operators to modify jobs for code execution. CVE-2025-24287 (6.1) enables local users to execute code with elevated permissions. Patches are available; organizations should update to Veeam Backup & Replication 12.3.2 and Veeam Agent for Microsoft Windows 6.3.2 immediately.

Veeam has released patches for a critical RCE vulnerability (CVE-2025-23121) in its Backup & Replication software, rated 9.9 CVSS. This flaw affects all version 12 builds, including 12.3.1.1139, and is addressed in version 12.3.2 (build 12.3.2.3617). Additionally, CVE-2025-24286 (7.2 CVSS) and CVE-2025-24287 (6.1 CVSS) vulnerabilities have also been patched. Rapid7 reported that over 20% of its 2024 incident responses involved Veeam, highlighting the need for immediate updates.

Veeam has released patches for a critical remote code execution (RCE) vulnerability, CVE-2025-23121, affecting domain-joined Backup & Replication servers, with a CVSS score of 9.9. This follows previous vulnerabilities, CVE-2025-23120 and CVE-2024-40711, also linked to BinaryFormatter. Veeam plans to eliminate BinaryFormatter in version 13, expected in H2 2025. The latest update addresses the RCE flaw and two other code execution issues. Ransomware groups have exploited these vulnerabilities in attacks.

Researchers are urging Veeam Backup & Replication users to upgrade to the latest version following a patch for a critical remote code execution vulnerability (CVE-2025-23121). This flaw allows authenticated domain users to execute code on backup servers. Previous patches were bypassed, prompting the new update. Veeam emphasizes the importance of timely patching to prevent exploitation, as over 20% of their incident response cases in 2024 involved Veeam vulnerabilities.

SuperCard malware has targeted Android users in Russia, utilizing NFCGate-based techniques and social engineering to install itself. It compromises payment systems to facilitate fraudulent transactions, affecting over 175,000 devices and resulting in losses of nearly $5.5 million. The malware has been linked to attacks on U.S., European, and Australian banks, and is promoted via Telegram channels. Researchers note its distribution by Chinese-speaking actors as part of a malware-as-a-service model.

Cybersecurity experts have identified a new malware strain named “SuperCard,” which exploits hacked Android devices to steal payment card data. First detected in April 2025 by Cleafy, it targets European banking customers and operates as part of a malware-as-a-service platform. The malware uses social engineering to trick users into installing it, then captures NFC transaction data while allowing legitimate payments to proceed. Over 175,000 devices in Russia have been compromised, with damages exceeding 432 million rubles.

A new ransomware strain named Qilin has emerged, targeting Windows, Linux, and ESXi systems across various sectors, including finance and healthcare. It employs a double-extortion model, demanding ransoms between $500,000 and $3 million. Qilin uses advanced evasion techniques, including phishing emails and shellcode injection, and implements AES-256 and RSA-4096 for encryption. Its modular architecture allows it to adapt to different environments, complicating detection and attribution efforts.

Qilin ransomware has emerged as the leading global ransomware threat, amassing over $50 million in ransom payments in 2024. Initially developed as 'Agent' in 2022, it targets critical infrastructure in over 25 countries, particularly VMware ESXi systems. Linked to North Korean actors, it features a “Call Lawyer” service. The U.S. Department of Health and Human Services reports losses of $6 million to $40 million per incident. Defense recommendations include immutable backups, Zero Trust Architecture, and vulnerability patch management.

The Qilin ransomware group has introduced a "Call Lawyer" feature to its affiliate panel, aiming to pressure victims into paying larger ransoms. Active since October 2022, Qilin has become a leading ransomware group, with 72 victims reported in April 2025. The group offers extensive support and advanced tools, including DDoS capabilities and spam services. This expansion follows the decline of other ransomware groups, positioning Qilin as a comprehensive cybercrime platform.

The Qilin ransomware group has introduced a "Call lawyer" feature for affiliates, allowing them to summon legal experts during ransom negotiations. This service includes legal assessments of stolen data, potential violations, and cleanup costs. Additionally, Qilin claims to have an in-house team for crafting blog posts to pressure victims. Cybereason reports Qilin is becoming a dominant ransomware-as-a-service (RaaS) group, noted for high-profile attacks on critical infrastructure since its emergence in 2022.

A security breach at email hosting provider Cock.li has compromised data from over 1 million users, specifically targeting its Roundcube webmail platform. The breach exposed email addresses, login timestamps, and user settings, but not passwords or email content. Cock.li has discontinued the Roundcube service and advised users to change passwords. The breach was linked to CVE-2021-44026, an SQL injection vulnerability. Cock.li plans to remove Roundcube permanently and may explore alternative webmail solutions.

A breach of the German privacy-focused email hosting server Cock.li has compromised the information of over 1 million users since 2016. This incident is linked to vulnerabilities in the deprecated Roundcube webmail platform. The report highlights the significant impact on user data due to the exploitation of these vulnerabilities. Recommendations for affected users were not specified in the article.

Cock.li, a German email hosting provider, was hacked, resulting in over a million user records being sold on the dark web. The breach involved a vulnerability in the retired Roundcube webmail platform, affecting all users who logged in since 2016. The stolen data includes email addresses, login timestamps, and user preferences for approximately 1,023,800 users, along with 93,000 contact entries from about 10,400 users. Users are advised to change their passwords.

The UK Information Commissioner's Office fined 23andMe £2.31 million ($3.14 million) for inadequate cybersecurity practices following a data breach in 2023 that exposed genetic data of millions. The breach involved a credential stuffing attack that began in April 2023, with 23andMe failing to implement multifactor authentication and other security measures. The company did not fully investigate the breach until October 2023, six months after it started, impacting nearly 156,000 U.K. residents.

23andMe was fined £2.3m by the UK Information Commissioner’s Office for failing to protect the personal data of over 150,000 UK residents during a cyberattack in 2023. The breach exposed sensitive information, including health reports and family histories, affecting 7 million individuals. The company was criticized for inadequate security measures, including poor user authentication. Following the incident, 23andMe has committed to enhancing data protection and offering customers identity theft monitoring.

The ICO has fined 23andMe £2.31 million for data protection failures after a credential stuffing attack in 2023 compromised the personal information of 155,592 UK users. The investigation revealed inadequate security measures, including the absence of multi-factor authentication and poor incident response. Despite multiple warning signs, 23andMe only initiated a full investigation in October 2023 after stolen data was found for sale online. The company is expected to implement necessary security improvements by the end of 2024.

The U.K. Information Commissioner’s Office fined 23andMe £2.31 million ($3.1m) for failing to protect personal and genetic data during a 2023 breach affecting over 155,000 U.K. residents. Hackers accessed accounts using stolen credentials, exploiting the lack of multi-factor authentication. The breach compromised data for more than 6.9 million users. In response, 23andMe implemented mandatory multi-factor authentication and is in contact with its trustee following its bankruptcy filing.

23andMe has been fined £2.31 million ($3.13 million) by the UK's ICO for a 2023 data breach affecting nearly 7 million users. The breach, caused by inadequate security measures including lack of MFA and poor password policies, allowed attackers to access 14,000 accounts via credential stuffing. The ICO noted a five-month delay in 23andMe's response. The breach exposed sensitive data of 155,592 UK residents. 23andMe is currently in Chapter 11 bankruptcy, raising questions about fine payment.

The UK Information Commissioner's Office fined 23andMe £2.31 million for serious security failings leading to a data breach in 2023. The breach exposed sensitive data of 4.1 million UK and German residents, including health reports and personal information, due to credential stuffing attacks. The data was leaked on forums, prompting 23andMe to implement two-factor authentication and password resets. The breach has resulted in class-action lawsuits and a $30 million settlement in 2024.

The ICO fined 23andMe £2.31 million ($3.1 million) for failing to secure UK users' personal data following a 2023 cyberattack that affected approximately 14,000 individuals. An investigation revealed serious security failings, including inadequate measures and a delayed response to the breach. The exposed data, including sensitive ancestry and health information, increases risks of identity theft and sophisticated social engineering attacks. Users are advised to remain vigilant against unexpected communications.

Scania confirmed a cybersecurity incident where attackers used compromised credentials to breach its Financial Services systems, stealing insurance claim documents. The breach occurred on May 28, 2025, via credentials stolen by infostealer malware. Attackers extorted Scania employees, threatening to leak data unless demands were met. The compromised application is now offline, and an investigation is underway. Scania reported limited impact and has notified privacy authorities.

A threat actor named “hensi” claims to have breached Scania Financial Services’ insurance subdomain, allegedly stealing around 34,000 files. The hacker asserts full system compromise and is selling the data on cybercriminal marketplaces, emphasizing exclusivity in transactions. The breach raises concerns about vulnerabilities in financial services cybersecurity, particularly regarding sensitive customer information and compliance with regulations like GDPR. Security analysts recommend enhanced subdomain monitoring and regular vulnerability assessments.

Scania, a Swedish commercial vehicle manufacturer, confirmed a data breach involving the theft of insurance claim documents from its financial services arm. The breach occurred between May 28 and 29 through stolen credentials from a third-party IT partner, leading to the exfiltration of personal, financial, and medical information. Following the breach, Scania employees received extortion emails from the attacker and a compromised third-party email, with the data ultimately leaked by the actor "Hensi.

Swedish automotive manufacturer Scania confirmed a cyberattack linked to an external IT partner, where hackers accessed sensitive customer data via stolen credentials. The breach occurred on May 28-29, 2025, allowing the download of insurance-related documents. The attackers attempted to extort Scania for ransom and later advertised the stolen database on a dark web forum. The extent of the data compromised and the number of affected individuals remain unknown.

Pro-Israel hacktivist group Predatory Sparrow claimed responsibility for hacking Iran's Bank Sepah, alleging it funded terrorism and military programs. Reports indicate widespread banking disruptions in Iran, with several branches closed and customers unable to access accounts. The attack coincides with escalating conflict between Israel and Iran. Cybersecurity experts note Predatory Sparrow's history of impactful cyberattacks, including previous incidents affecting Iranian infrastructure.

Pro-Israel hacktivist group Predatory Sparrow claimed responsibility for hacking Iran’s Bank Sepah, alleging the attack destroyed data linked to the Islamic Revolutionary Guard Corps. Reports indicate widespread banking disruptions in Iran, with several branches closed and customers unable to access accounts. The attack coincides with escalating military conflict between Israel and Iran. Cybersecurity experts note Predatory Sparrow's history of impactful cyberattacks on Iranian infrastructure.

Bank Sepah's website is offline following a cyberattack claimed by the pro-Israel hacktivist group Predatory Sparrow. The attack has disrupted services, closing branches and preventing customer access to accounts. The group stated it targeted the bank for financing Iran's military and terrorist activities. This incident underscores the increasing role of cyber warfare amid escalating Israel-Iran tensions. The Central Bank of Iran's website is also down, indicating broader infrastructure impacts.

Iran has throttled internet access to hinder Israel's cyber operations following missile attacks between the two nations. The Iranian Cyber Police stated the slowdown is temporary and controlled. Concurrently, the pro-Israeli group Predatory Sparrow claimed responsibility for a cyber attack on Iran's Bank Sepah, disrupting its services. The U.S. Department of State is seeking information on Iranian hackers targeting critical infrastructure using IOCONTROL malware. Cyber Av3ngers, linked to Iran's IRGC, has been implicated in these activities.

Internet access in Iran has been intentionally disrupted amid escalating tensions with Israel, described as a measure to maintain network stability during alleged Israeli cyberattacks. A pro-Israel group, Predatory Sparrow, claimed responsibility for attacks on an Iranian bank and cryptocurrency exchange Nobitex, resulting in significant outages and the theft of $81.7 million in digital assets. Iranian officials accused Israel of waging a “massive cyber war,” while citizens faced difficulties accessing essential services and news.

Hackers targeted Iran's largest crypto exchange, Nobitex, draining at least $90 million from its hot wallet. The exchange reported unauthorized access and is investigating the incident, with its website and app currently unavailable. The pro-Israel group Predatory Sparrow claimed responsibility, alleging Nobitex financed terrorism and evaded sanctions. The attack coincides with escalating military tensions between Israel and Iran, with reports of a broader cyber offensive against Iranian infrastructure.

The Israel-linked hacker group Predatory Sparrow has targeted Iran's financial system, claiming responsibility for attacks on the crypto exchange Nobitex and Sepah Bank. They destroyed over $90 million in Nobitex holdings, accusing it of facilitating sanctions violations and terrorism financing. The group also claimed to have wiped all data from Sepah Bank, disrupting online banking and ATMs. The attacks reflect political motivations, with funds moved to unmanageable crypto addresses, effectively burning them.

On Wednesday, a pro-Israel hacktivist group, Predatory Sparrow, stole over $90 million from Nobitex, Iran's largest cryptocurrency exchange, marking the second cyberattack on Iran's financial sector in two days. The group claimed Nobitex finances terrorism and threatened to leak its source code. Researchers confirmed the funds were sent to vanity addresses, effectively burning them as a political statement. Nobitex's website is offline, and Iran has reduced internet speeds to mitigate further attacks.

On June 18, 2025, Nobitex, Iran's largest cryptocurrency exchange, was exploited, resulting in over $90 million in losses across various cryptocurrencies. The attack, claimed by the pro-Israel group Gonjeshke Darande, appears politically motivated. Nobitex has been linked to illicit activities, including transactions with sanctioned entities. In response, Nobitex assured users of fund safety and moved Bitcoin to cold storage. The Central Bank of Iran has since imposed operating hour restrictions on domestic exchanges to enhance oversight.

On June 18, 2025, the pro-Israel hacking group "Predatory Sparrow" claimed responsibility for a cyberattack on Iran's largest crypto exchange, Nobitex, stealing over $90 million in cryptocurrency and burning the funds in vanity addresses. Nobitex reported unauthorized access to its infrastructure and hot wallet on June 19. The attack is politically motivated, targeting the exchange's ties to the IRGC and Iranian leadership. Nobitex's website remains offline as investigations continue.

Iran's government has reportedly shut down internet access to prevent "enemy abuse," following claims of cyberattacks linked to Israel. Internet traffic in Iran dropped significantly, with Cloudflare and NetBlocks confirming the outage. The group Predatory Sparrow, believed to have Israeli ties, claimed responsibility for disrupting Bank Sepah and Iranian crypto exchange Nobitex. This action coincided with remarks from an Israeli military official hinting at upcoming cyber offensives. Access to .IR websites is currently unavailable.

The Israel-linked hacker group Predatory Sparrow has targeted Iran's financial system, claiming responsibility for attacks on the crypto exchange Nobitex and Sepah bank. They destroyed over $90 million in Nobitex holdings, accusing it of facilitating sanctions violations and terrorism financing. In a separate incident, they claimed to have wiped all data from Sepah bank, linking it to the Iranian military. The group warns that associations with the regime's financial infrastructure pose risks to assets.

Iran's state TV was hacked to air protest videos against the government, with accusations directed at Israel. Concurrently, Bank Sepah and Nobitex, Iran's largest crypto exchange, were breached, resulting in over $90 million stolen. Cybersecurity firm Radware noted a surge in DDoS attacks against Israel, with 40% of hacktivist activity targeting the nation. Companies are advised to enhance vigilance as critical infrastructure may be at risk amid escalating cyber conflicts between Iran and Israel.

Iran's government confirmed a near-total internet blackout to protect against perceived Israeli cyberattacks, citing threats to critical infrastructure and recent hacks on Bank Sepah and cryptocurrency exchange Nobitex by the hacker group Predatory Sparrow. The shutdown has severely limited communication for Iranians amid ongoing conflict, with all forms of external contact disrupted. Some individuals manage to bypass restrictions using virtual private servers, but access remains largely unavailable.

Critical vulnerabilities in Sitecore Experience Platform expose over 22,000 instances to full system compromise. Researchers found hardcoded credentials, specifically a weak password ("b") for the sitecore\ServicesAPI user account, affecting versions 10.1 and above. Attackers can exploit post-authentication vulnerabilities for remote code execution via file upload flaws. Sitecore has issued patches, and organizations are urged to verify versions and apply updates promptly.

A chain of vulnerabilities in Sitecore Experience Platform (XP) allows remote code execution (RCE) without authentication. Discovered by watchTowr, it involves a hardcoded password for an internal user, enabling unauthorized access. Attackers can exploit a Zip Slip flaw to upload malicious files and execute code. A third vulnerability in the PowerShell Extensions module further facilitates RCE. Affects Sitecore XP versions 10.1-10.4, with over 22,000 exposed instances. Patches were released in May 2025, but exploitation risk remains high.

Security researchers from watchTowr disclosed three vulnerabilities in the Sitecore Experience Platform, used by major companies like United Airlines and Microsoft. One flaw involves hardcoded internal account passwords set to "b," easily brute-forced. The second is a path traversal vulnerability allowing remote code execution (RCE) via a ZIP upload. The third is an unrestricted file upload flaw, also leading to RCE, particularly when the Sitecore PowerShell Extension is installed. Over 22,000 instances are exposed.

The Sitecore CMS has a critical security flaw involving a hardcoded password for an internal user, allowing threat actors to gain authenticated access to internal endpoints. This vulnerability, combined with a "Zip Slip" flaw in the Upload Wizard, enables attackers to upload malicious files, potentially leading to remote code execution (RCE). All Sitecore versions from 10.1 to 10.4 are affected, with around 22,000 instances exposed. Users are urged to patch immediately, as no abuse has been reported yet.

More than 22,000 instances of Sitecore Experience Platform are vulnerable to takeover due to a chain of three security flaws. The first flaw involves hardcoded credentials allowing brute-force attacks. The second is a path traversal vulnerability enabling remote code execution (RCE). The third flaw involves unrestricted file uploads. Attackers can exploit these vulnerabilities, particularly if the Sitecore PowerShell Extension is installed. Sitecore has issued patches for all identified flaws.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns that three TP-Link router models (TL-WR940N, TL-WR841N, TL-WR740N) are vulnerable to a command injection flaw (CVSS score 8.8). This vulnerability allows unauthorized command execution via the web interface. Affected routers, all at end-of-life with no further updates, must be removed by federal agencies by July 7, 2025. Users are advised to replace these routers and consider enhanced security measures.

CISA has flagged a command injection vulnerability (CVE-2023-33538) affecting multiple end-of-life TP-Link router models, including TL-WR940N and TL-WR841N, with a severity score of 8.8/10. This vulnerability allows attackers to execute arbitrary commands. As these models no longer receive updates, users are urged to replace them by July 7, 2025. The vulnerability poses significant risks, especially for routers with remote access features. CISA recommends discontinuing use of these devices.

The article discusses the case of Vance Boelter, charged with the murders of Minnesota Rep. Melissa Hortman and her husband. An FBI affidavit revealed a notepad in Boelter's SUV listing various people search sites, which can expose personal information. Notably, Hortman's address was publicly available. Senator Ron Wyden emphasized the danger of data brokers, stating they pose a risk to public safety. The article highlights the potential misuse of such data in acts of violence against public officials.

A list of 11 data broker websites was found in the SUV of Vance Boelter, who allegedly murdered Minnesota state Rep. Melissa Hortman and her husband. The FBI affidavit revealed that Boelter had detailed notes on accessing personal information, including addresses of over 45 officials. This case highlights the dangers posed by data brokers, prompting renewed calls for regulation. Lawmakers are seeking to advance legislation to restrict data brokers following this incident, which underscores the risks associated with publicly available personal data.

A new variant of the Flodrix botnet is exploiting a critical vulnerability (CVE-2025-3248, CVSS 9.8) in Langflow, a Python framework for AI applications, to launch DDoS attacks. Attackers execute downloader scripts on compromised servers to install Flodrix, which communicates with a remote server for commands. The flaw allows unauthenticated code execution via crafted HTTP requests. The vulnerability was patched in March 2025. Flodrix is an evolution of the LeetHozer botnet, featuring enhanced obfuscation and new DDoS attack types.

Internet-exposed instances of the Python-based AI framework Langflow are being targeted by the Flodrix botnet due to a critical remote code execution vulnerability (CVE-2025-3248). This flaw allows attackers to gain remote shell access and execute commands, leading to the deployment of Flodrix, which conducts DDoS attacks and other malicious activities. Recommendations include updating Langflow to version 1.3.0 or later, restricting public endpoint access, and monitoring for indicators of compromise.

Hackers linked to the group Scattered Spider are now targeting the insurance industry after previously attacking U.K. and U.S. retailers since April. Google researchers report multiple confirmed incidents in the insurance sector, with a surge in activity noted recently. Erie Insurance is investigating a suspected cyberattack discovered on June 7, which caused a network outage. The company is collaborating with law enforcement and security teams to assess the incident's impact and has warned customers against sharing personal information.

Scattered Spider, a cybercrime group tracked as UNC3944, has shifted focus from retail to the insurance industry, impacting multiple U.S. insurance companies. Erie Insurance reported unusual network activity on June 7, activating incident response protocols. The nature of the attack remains undisclosed, but systems are offline, hindering customer access. The company is collaborating with law enforcement and cybersecurity experts for a thorough investigation. Mandiant noted that attacks on the insurance sector began approximately a week and a half ago.

Cyber-crime group Scattered Spider has shifted focus to the insurance sector, targeting US insurance companies following ransomware attacks on retailers. Google warns the industry to be vigilant against social engineering schemes. Erie Insurance reported a network outage on June 8, linked to an information security event, while Philadelphia Insurance Companies experienced similar issues starting June 9. Both companies are conducting forensic investigations and working with law enforcement to address the breaches.

Google's Threat Intelligence Group warns that the cybercrime group Scattered Spider (UNC3944) is now targeting U.S. insurance firms, employing advanced social engineering tactics. The group has a history of impersonating employees and bypassing multi-factor authentication. They are also collaborating with the DragonForce ransomware cartel. Recommendations for mitigation include enhancing authentication, enforcing identity controls, implementing access restrictions, and training help desk personnel to verify employee identities.

Hacking collective Scattered Spider (UNC3944) has shifted its focus to the U.S. insurance sector, targeting several firms after previous attacks on retailers. The Google Threat Intelligence Group reported multiple intrusions, advising heightened vigilance against social engineering schemes aimed at help desks and call centers. This activity follows a cyberattack on Erie Insurance, which experienced outages earlier this month. Further details on the attacks are still under investigation.

The Scattered Spider cybercrime gang has shifted its focus from high-end retailers to US insurance companies, according to Google Threat Intelligence Group. Multiple intrusions have been reported, with Erie Insurance and Philadelphia Insurance Company suspected victims. The gang employs social engineering tactics, including fake helpdesk calls, to gain access to systems and deploy DragonForce ransomware. Organizations are advised to enhance employee awareness of phishing and social engineering to mitigate risks.

On June 16, Google Threat Intelligence Group reported multiple intrusions into the U.S. insurance industry linked to the Scattered Spider ransomware group, shifting from their previous focus on retail. Erie Insurance experienced a cyberattack on June 7, while Scania Financial Services allegedly had 34,000 files stolen. Scattered Spider targets sectors for ransomware and data theft, exploiting complex digital environments and social engineering vulnerabilities. Insurance firms' reliance on help desks makes them particularly susceptible to attacks.

A warning from Google's Threat Intelligence Group indicates that the Scattered Spider hacker group has shifted its focus from retail to the insurance industry, with multiple intrusions reported in the U.S. Insurance firms, including Erie Insurance and Philadelphia Insurance Companies, have experienced cyber incidents leading to network outages. Scattered Spider is known for social engineering attacks targeting IT departments. The group has previously attacked major retailers and is linked to the threat actor UNC3944.

A series of cyberattacks attributed to SCATTERED SPIDER has targeted major organizations in the UK and US, utilizing aggressive social engineering tactics, particularly vishing, to deceive IT support teams. Active since 2022, they collaborate with DragonForce for ransomware deployment. A notable incident involved a 2023 attack on MGM Resorts, leveraging simple phone-based manipulation. Recommendations include enhancing help desk verification protocols and implementing phishing-resistant MFA solutions.

A data breach involving Freedman HealthCare has resulted in the compromise of 52.4 GB of data, including 42,204 files. The World Leaks hacking operation, previously known as Hunters International, is responsible for this breach and has threatened to expose the stolen information by Tuesday morning.

Freedman HealthCare, a U.S. health data management provider, reportedly suffered a significant data breach involving 52.4 GB of data and 42,204 files, allegedly compromised by the World Leaks hacking group. If confirmed, this breach could rank among the largest in recent healthcare history. Freedman HealthCare collaborates with California and Delaware on healthcare payments and claims databases, impacting millions. World Leaks, formerly known as Hunters International, has a history of targeting critical services.

A cybercrime gang named World Leaks claims to have breached Freedman HealthCare, a US consulting firm handling sensitive health data. They allege to have exfiltrated 42,204 files totaling over 50GB, although the nature of the files and ransom amount remain undisclosed. Freedman HealthCare has not confirmed the breach. World Leaks operates on an "extortion-as-a-service" model and is believed to be a rebrand of Hunters International, which has a history of targeting notable organizations.

A critical authorization bypass vulnerability (CVE-2025-3464) in ASUS Armoury Crate allows attackers to escalate privileges on Windows systems via hard link manipulation. The flaw, affecting the AsIO3.sys driver (v5.9.13.0), has a CVSS score of 8.8. Discovered by Cisco Talos, it was reported on February 18, 2025, and patched by ASUS on June 16, 2025. Users are urged to update immediately to mitigate risks associated with this vulnerability, which can lead to complete system compromise.

A high-severity vulnerability in ASUS Armoury Crate, tracked as CVE-2025-3464, allows attackers to escalate privileges to SYSTEM on Windows machines. The flaw arises from hardcoded SHA-256 hashes and a PID allowlist in the driver, enabling exploitation through a benign app linked to a malicious executable. This could lead to complete OS compromise. Users with Armoury Crate versions 5.9.9.0 to 6.1.18.0 are advised to update immediately, though active exploitation has not been observed.

Asus has patched CVE-2025-3464, a high-severity authentication bypass flaw in Armoury Crate, affecting versions 5.9.9.0 to 6.1.18.0. Discovered by Cisco Talos, the vulnerability allows unauthorized driver access, potentially leading to full device takeover. Users must update to the latest version by navigating to Settings > Update Center > Check for Updates. Asus found no evidence of exploitation but strongly recommends immediate updates to mitigate risks. The flaw has a severity score of 8.4/10.

The Washington Post's email accounts of multiple journalists were hacked in a targeted cyberattack, suspected to involve a foreign government. Discovered during routine monitoring, the breach prompted immediate security measures, including a mandatory password reset for all staff. A forensic investigation is underway to assess the extent of data accessed, particularly focusing on reporters covering China-related issues. The attack highlights vulnerabilities in news organizations to state-sponsored cyber espionage.

The Washington Post experienced a cyberattack affecting journalists, particularly those covering national security and economic policy. The attack highlights the risks journalists face, including zero-click exploits from commercial surveillance vendors. Following the discovery of the breach last Thursday, the newspaper reset login credentials for all employees. The identity of the attackers remains unknown.

On June 5, 2023, United Natural Foods (UNFI) suffered a cyberattack, leading to significant disruptions in grocery supply chains across North America. The company is working to restore its electronic ordering systems but has not disclosed the attack's nature. Whole Foods, a primary distributor for UNFI, reported shelf shortages due to the outage. UNFI has not provided a recovery timeline, and various grocery stores continue to experience supply issues.

A cyberattack targeted United Natural Foods Inc (UNFI), a major food distributor, causing widespread delays and system shutdowns. UNFI is making significant progress in restoring electronic ordering systems but warns of potential ongoing delays. The attack, suspected to be ransomware, led to the shutdown of its entire network to prevent further encryption and protect sensitive data. Whole Foods, a primary customer, has been notably affected. The incident highlights ongoing cybersecurity threats to retailers in 2025.

United Natural Foods, Inc. (UNFI) suffered a cyberattack on June 6, leading to a complete shutdown of its online ordering system. As of June 8, grocers like Darlings Grocery and Orcas Food Co-op faced supply challenges, relying on alternative suppliers. Whole Foods Market also experienced delivery delays. UNFI is working to restore its electronic systems but has not provided a timeline. Pharmacies in its Cub grocery chain have resumed filling prescriptions following the disruptions.

International law enforcement has dismantled the Archetyp dark web drug marketplace, arresting its alleged 30-year-old German administrator in Barcelona. The operation, conducted from June 11-13, involved raids across multiple countries, targeting moderators and vendors. Archetyp, operational since 2020, had over 600,000 users and processed approximately €250 million in transactions. Authorities seized assets worth €7.8 million, including luxury vehicles and cryptocurrency, disrupting a major supply line for dangerous substances.

International law enforcement dismantled the Archetyp Market, a major darknet marketplace, on June 11, 2025, arresting its 30-year-old German administrator in Barcelona. The operation, led by German, Spanish, and Dutch authorities, seized €7.8 million in assets and extensive digital evidence. Archetyp facilitated the sale of various narcotics, processing €250 million in transactions via Monero cryptocurrency. The Dutch police also seized the server infrastructure, effectively shutting down the platform.

Operation Deep Sentinel led to the takedown of Archetyp, a major dark web drug marketplace, with the arrest of its 30-year-old German admin in Barcelona. The operation involved over 300 officers across Germany and Sweden, resulting in seven arrests and the search of 20 properties. Authorities seized 47 smartphones, 45 computers, and narcotics. Archetyp had over 600,000 users and facilitated transactions exceeding €250 million, primarily using Monero for payments.

Europol dismantled Archetyp Market, a dark web drug marketplace operational for over five years, with more than 600,000 users and $280 million in transactions. The operation, conducted from June 11-13 across five European countries, resulted in the arrest of a 30-year-old German national in Spain and the seizure of $9 million in assets. The takedown disrupts a major supply line for dangerous substances, including fentanyl, and involved extensive investigative work by multiple law enforcement agencies.

A malware campaign targeting the Python Package Index (PyPI) has been identified, with the malicious package "chimera-sandbox-extensions" designed to steal AWS credentials, CI/CD pipeline data, and more. The attack employs a multi-stage sequence connecting to command-and-control servers using a domain generation algorithm. JFrog analysts discovered the package and reported it for removal. The malware's targeted nature indicates a deep understanding of enterprise security architectures, posing significant risks to organizations with cloud infrastructure.

A malicious package named “Chimera-Sandbox Extensions” was uploaded to the PyPI repository, targeting credentials and sensitive information, including Jamf MacOS data and AWS tokens. This incident highlights risks in open-source software, as compromised packages can infect numerous applications. Experts recommend using curated package registries like JFrog Artifactory for better control over dependencies and emphasize the need for a multi-layered defense strategy to mitigate such supply chain attacks.

WestJet is investigating a cyber incident that has disrupted its website and mobile app, affecting user access. The airline has activated internal teams and is collaborating with law enforcement and Transport Canada to address the situation. While operations remain stable, users may experience intermittent issues. No details on the attackers or the nature of the breach have been disclosed, but the disruption suggests a potential ransomware attack. Regular updates will be provided as more information becomes available.

Canadian airline WestJet is experiencing "intermittent interruptions or errors" on its app and website due to a cybersecurity incident first noted on June 13. The airline has engaged external experts and law enforcement to investigate, though it has not confirmed malicious intent. WestJet advises caution when sharing personal information but states that flight operations remain unaffected. Customers have raised concerns about password changes, which have not been addressed. Regular updates will follow.

Anubis ransomware, launched in early 2025, features a destructive "wipe mode" that permanently erases file contents, making recovery impossible even after ransom payment. Evolving from the Sphinx variant, Anubis targets sectors like healthcare and engineering in Australia, Canada, Peru, and the U.S. It uses spear phishing for initial access and employs sophisticated privilege escalation. The wipe mode, activated via the /WIPEMODE parameter, erases files while maintaining their structure, ensuring total data loss.

Anubis Ransomware, active since December 2024, features a dual-threat capability to encrypt and permanently erase files, making recovery impossible even after ransom payment. Targeting sectors like healthcare and hospitality in Australia, Canada, Peru, and the U.S., it employs phishing emails for initial access. The ransomware's affiliate program offers an 80-20 revenue split. Its wiper feature reduces file sizes to 0 KB, increasing pressure on victims to comply.

Anubis ransomware has introduced a file-wiping feature that irreversibly destroys files by reducing them to 0 KB, complicating recovery efforts. This tactic increases pressure on victims during ransom negotiations. Trend Micro's report highlights that ransomware actors typically exfiltrate sensitive data before encryption and demand payment for decryption keys. Organizations are advised to enhance security measures and maintain air-gapped backups to mitigate risks. Additionally, DDoS attacks may accompany ransom demands.

Ongoing cyber warfare between Israel and Iran may lead to increased cyberattacks against the U.S., as noted by cybersecurity experts. Iran could target U.S. critical infrastructure, which is less resilient than Israel's. Experts recommend U.S. companies remain vigilant to avoid becoming targets. Iran may also collaborate with Russia and China in its cyber campaign. However, there are concerns that Iran might exaggerate the success of its cyber intrusions, with potential disruptive attacks anticipated in both Israel and the U.S.

Security researchers warn that the Iran-Israel conflict may lead to cyberattacks on U.S. critical infrastructure by state-linked actors and hacktivist groups. Pro-Iran threats have surged, with warnings to Saudi Arabia and Jordan about potential attacks. Experts advise U.S. infrastructure providers to strengthen defenses against intrusions and supply chain attacks. Iranian cyber activity could shift focus to U.S. targets, necessitating heightened monitoring and education on threat groups.

The U.S. State Department is offering up to $10 million for information on Iranian hackers linked to the CyberAv3ngers group, responsible for targeting critical infrastructure with IOControl malware. This malware affects Industrial Control Systems and has been used against U.S. and Israeli water utilities. Tied to Iran's Islamic Revolutionary Guard Corps, CyberAv3ngers has claimed attacks on Telegram. Analysts warn that Iranian cyber threats may escalate due to ongoing military conflicts with Israel.

The U.S. State Department is offering up to $10 million in bounties for information on Iranian hacker Mr. Soul (Mr. Soll), associated with the state-sponsored CyberAv3ngers hacking operation. This group has targeted critical infrastructure entities, highlighting concerns over cybersecurity vulnerabilities. The report emphasizes the need for improved responses to such cyber threats.

Car-sharing company Zoomcar Holdings, Inc. reported a cybersecurity breach on June 9, 2025, exposing sensitive data of approximately 8.4 million users, including names, phone numbers, vehicle registration details, addresses, and email addresses. The attack targeted specific datasets, with no financial information or plaintext passwords compromised. Zoomcar activated its incident response plan, isolating affected systems and engaging third-party cybersecurity specialists for investigation and enhanced security measures.

Hackers stole personal information of 8.4 million users from Indian car share company Zoomcar, discovered on June 9. The breach includes names, phone numbers, car registration numbers, addresses, and emails, but no financial data or passwords were compromised. Zoomcar has implemented additional safeguards and hired a cybersecurity firm for response. The incident may lead to reputational and remediation costs. Zoomcar previously experienced a significant breach in July 2018 affecting 3.6 million customers.

Zoomcar Holdings disclosed a data breach affecting 8.4 million users, detected on June 9, 2025, after a threat actor alerted employees. Sensitive data exposed includes full names, phone numbers, car registration numbers, home addresses, and email addresses. No financial information or plaintext passwords were compromised. The company is investigating the incident's scope and impact, with no determination on the attack type or responsibility claimed by any ransomware group.

On June 9, 2023, Zoomcar reported a data breach affecting 8.4 million users, compromising names, phone numbers, and car registration numbers. The breach was discovered after employees received communications from a hacker. Zoomcar activated its incident response plan and stated that no financial information or sensitive identifiers were compromised. The company has enhanced security measures and is cooperating with regulatory authorities. It has not confirmed if affected customers have been notified.

Zoomcar confirmed a cyberattack on June 9, 2025, affecting approximately 8.4 million users. The breach involved the theft of personal data, including names, phone numbers, car registration numbers, postal addresses, and email addresses. Financial information and passwords were reportedly not compromised. The company activated its incident response plan, implemented additional safeguards, and engaged a third-party cybersecurity expert. No ransom was paid, and the incident has not disrupted operations, though potential impacts are under evaluation.

Meta AI has unintentionally made user searches public, raising significant privacy concerns. Users' prompts and results are visible in a public feed, potentially exposing sensitive information linked to their social media profiles. An expert highlighted this as a major security issue. While sharing prompts requires user consent, warnings about public visibility may not be clear. Instances include users asking for help with test answers and generating inappropriate content. Meta has been approached for comment.

Meta AI's discover feed has exposed users' private conversations, including text, audio, and images, due to a lack of clear privacy settings. Users unknowingly publish their interactions publicly, leading to sensitive information being shared. If linked to a public Instagram profile, this activity is also visible. Meta has not commented on the issue. Users are advised to be cautious with personal information, adjust privacy settings, and consider the implications of sharing online to avoid potential security risks.

Cybersecurity researchers identified a malware campaign that compromised over 269,000 legitimate websites using a sophisticated JavaScript obfuscation technique called JSFireTruck. Active from March to April 2025, the campaign injected obfuscated code to redirect visitors from search engines to fraudulent content. The obfuscation method, utilizing only six ASCII characters, enhances evasion of detection systems. The malicious scripts create full-screen iframes to overlay legitimate content, facilitating phishing and fake downloads.

Cybersecurity researchers report over 269,000 websites infected with JSFireTruck JavaScript malware from March 26 to April 25, 2025. The obfuscated code redirects users from search engines to malicious URLs for malware and scams. A spike of over 50,000 infections occurred on April 12. Additionally, Gen Digital launched HelloTDS, a Traffic Distribution Service that redirects users to fake CAPTCHA pages and scams based on device fingerprinting. Attackers use .top, .shop, and .com domains to host malicious code.

Trend Micro has patched multiple critical-severity vulnerabilities in its Apex Central and Endpoint Encryption PolicyServer products, including six remote code execution and authentication bypass flaws (CVE-2025-49212, CVE-2025-49213, CVE-2025-49216, CVE-2025-49217, CVE-2025-49219). Users are urged to update to TMEE version 6.0.0.4013 (Patch 1 Update 6) and install Patch B7007 for Apex Central. No evidence of exploitation has been found, but prompt updates are recommended to prevent potential attacks.

Trend Micro released security updates for four critical vulnerabilities (CVEs: CVE-2025-49212, CVE-2035-49216, CVE-2025-49217) in its Apex Central and Trend Micro Endpoint Encryption PolicyServer products, rated 9.8. These include remote code execution and authentication bypass flaws. While no exploitation has been observed, immediate patching is advised. Experts emphasize the importance of securing remote access and auditing for potential misuse of affected systems, particularly due to ties with Active Directory.

Traffic distribution services Help TDS and Disposable TDS have been linked to the VexTrio Viper TDS, indicating an expansion of the scam network. VexTrio facilitates intrusions into WordPress sites with malicious scripts, as noted in various campaigns. Help TDS, associated with Russia, has transitioned to the Monetizer platform for web traffic management. The report suggests that VexTrio and its affiliates possess information to identify malware actors involved in these activities.

A cybercriminal group named VexTrio has compromised hundreds of thousands of WordPress sites since 2015, using them to run extensive traffic distribution systems (TDS) for scams. The operation, linked to the Swiss-Czech firm Los Pollos, utilizes DNS TXT records for command and control, allowing attackers to tailor responses based on victim data. This sophisticated infrastructure has persisted for years, with multiple affiliate networks involved, complicating remediation efforts for affected website administrators.

Recorded Future reported on Intellexa's Predator spyware, linking it to new locations and tactics. A previously unknown customer in Mozambique and a Czech connection were identified, alongside a brief cluster in Eastern Europe. Despite a decline in activity due to sanctions, Predator remains adaptive, employing complex corporate structures and fake websites to evade detection. Strategies include fake 404 pages and counterfeit login sites, indicating ongoing efforts to obscure operations.

Intellexa continues operations despite US sanctions, establishing new infrastructure for its Predator spyware, including servers for hosting and anonymizing traffic. Recorded Future reports that Predator is active in multiple countries, with a significant presence in Africa. Additionally, a ransomware attack has disrupted operations at South Korean bookstore Yes24, and Maine hospitals are still recovering from a ransomware incident linked to Covenant Health. The Royal Canadian Mounted Police experienced a breach involving unencrypted sensitive data.

Intellexa's Predator spyware has resurfaced with enhanced obfuscation techniques, detected in Mozambique and the Czech Republic, as reported by Recorded Future's Insikt Group. The spyware has been active in Eastern Europe from August to November, suggesting ongoing testing or development. Intellexa employs various methods to mask its activities, including fake 404 error pages, fraudulent login pages, and misleading websites, complicating detection efforts. Sanctions may be prompting these increased complexities in operations.

Predator mobile spyware, developed by Cytrox and operated by the Intellexa alliance, continues to evolve to evade detection despite international sanctions. Active since 2019, it employs both "1-click" and "zero-click" attack vectors, targeting high-value individuals. Recent findings reveal its operations in over a dozen countries, with a complex four-tier infrastructure for obfuscation. Enhanced detection evasion tactics include fake websites and varied server configurations, indicating a commitment to operational security.

Hackers are exploiting a flaw in Discord's invitation system, allowing them to reuse expired or deleted invite links to redirect users to malicious sites delivering remote access trojans and information-stealing malware. This campaign has impacted 1,300 users across several countries. Attackers hijack legitimate invites, trick users into executing PowerShell commands, and deploy malware like AsyncRAT and Skuld Stealer. Users are advised to avoid old invites and be cautious with verification requests and PowerShell commands.

A malware campaign is exploiting Discord's invite system to deliver AsyncRAT and Skuld Stealer, targeting crypto wallets. Attackers hijack expired or deleted invite links, redirecting users to malicious servers. The campaign uses social engineering tactics, including a "Verify" button that executes a PowerShell command to download the malware. Skuld steals sensitive data from various platforms, including crypto wallets. Discord has disabled the malicious bot, disrupting the attack chain. Victims are primarily in the U.S. and Europe.

Cybercriminals are exploiting Discord's invite system to distribute AsyncRAT malware and cryptocurrency-stealing software. They monitor expired invite codes from boosted servers, redirecting users to malicious servers. Once users join, they encounter a fake verification process that triggers a multi-stage infection via a PowerShell script. This script downloads AsyncRAT and a customized Skuld Stealer targeting cryptocurrency wallets. The campaign has affected users in multiple countries, with over 1,300 payload downloads noted.

Ransomware actors disrupted utility services by exploiting unpatched versions of SimpleHelp's remote monitoring and management tool, specifically CVE-2024-57727, a high-severity path traversal vulnerability. This exploitation has been ongoing since January 2025, leading to service disruptions and double-extortion incidents. CISA advises organizations using SimpleHelp to check for compromises and patch the vulnerability. The advisory follows similar warnings about the Play ransomware gang's activities.

Cybersecurity researchers have identified a ransomware campaign exploiting unpatched vulnerabilities in SimpleHelp RMM systems, specifically CVE-2024-57727, affecting versions 5.5.7 and earlier. This vulnerability allows unauthorized access to remote systems, enabling attackers to compromise utility billing software providers. The campaign employs double extortion tactics, threatening to leak sensitive data. CISA added CVE-2024-57727 to its Known Exploited Vulnerabilities Catalog on February 13, 2025, highlighting its active exploitation.

Ransomware actors are exploiting unpatched SimpleHelp Remote Monitoring and Management (RMM) flaws (CVE-2024-57727, CVE-2024-57728, CVE-2024-57726) to target customers of a utility billing software provider. CISA advises isolating SimpleHelp instances, updating software, and conducting threat hunting. Additionally, Fog ransomware has targeted a financial institution using dual-use tools and employee monitoring software. LockBit ransomware has focused on China, earning $2.3 million, while adapting to affiliate changes after a panel leak.

CISA reported that customers of a utility billing provider were compromised via a high-severity path traversal flaw in the SimpleHelp remote monitoring tool, tracked as CVE-2024-57727. Ransomware attacks exploiting this vulnerability have caused service interruptions and double extortion since January. The Play and DragonForce ransomware groups have leveraged this flaw for data theft and encryption. CISA urged immediate remediation to mitigate risks associated with this vulnerability.

CISA has issued a warning regarding the exploitation of CVE-2024-57727, a vulnerability in SimpleHelp remote access software, linked to recent ransomware attacks on retail companies. Ransomware gangs are using this vulnerability to compromise customers of a utility billing software provider, leading to double extortion scenarios. The advisory connects this campaign to DragonForce ransomware and highlights ongoing concerns about vulnerabilities in remote management tools, including those from ConnectWise and Kaseya.

CISA has issued a warning regarding ransomware gangs exploiting a vulnerability in the SimpleHelp remote support program, leading to breaches of customers associated with a utility billing software vendor. This advisory highlights the supply chain risks posed by such vulnerabilities and emphasizes the need for organizations to assess their security measures against potential exploitation. Recommendations for mitigation were not specified in the provided content.

A critical vulnerability known as the "TokenBreak" attack allows attackers to bypass AI content moderation systems by altering text with a single character. This technique exploits differences in tokenization methods, enabling malicious prompts to evade detection. Models like BERT and DistilBERT are vulnerable, while Unigram-based models like DeBERTa-v2 and v3 are secure. The attack poses significant risks, particularly in email security, prompting recommendations for organizations to assess their AI models and consider multi-layered defenses.

Malicious actors can exploit the TokenBreak attack to bypass safety measures in large language models by altering input words, confusing text classification models. This technique facilitates prompt injection intrusions. Researchers from HiddenLayer emphasize the importance of understanding the tokenization strategy to assess vulnerability. Recommendations include using Unigram tokenizers, aligning tokenization with model logic, and logging misclassifications. These findings follow reports of backronyms used for AI chatbot jailbreaking.

Researchers from HiddenLayer introduced a new attack technique called TokenBreaker, which exploits vulnerabilities in Large Language Models (LLMs) by altering a single character in key words. This manipulation allows malicious prompts to bypass protective mechanisms, as the LLM still understands the original intent. For instance, changing “instructions” to “finstructions” can trick spam filters. Models using Unigram tokenizers are resistant to this attack, suggesting a mitigation strategy of selecting more robust tokenization methods.

European journalists, including Francesco Cancellato and Ciro Pellegrino, were targeted with Graphite spyware from Paragon Solutions, linked to Italy's intelligence agencies. A Citizen Lab report confirmed the spyware's digital fingerprints on their devices. Italy's parliamentary committee noted that the spyware was used for various investigations, including organized crime and terrorism. Paragon claimed it only sells to democratic nations and prohibits targeting journalists. A debate in the European Parliament is scheduled for June 16.

Paragon spyware has been confirmed on the phones of European journalists, including Italian journalist Ciro Pellegrino, according to a report by the University of Toronto’s Citizen Lab. This marks the first detection of Paragon spyware on an Apple device. The spyware is linked to a customer targeting journalists critical of the Italian government. Paragon, an Israeli company, faces scrutiny similar to that of NSO Group amid ongoing surveillance scandals. The Italian government's contract with Paragon ended recently amid controversy.

Two European journalists' devices were confirmed targeted by Paragon spyware, with one successful infection. The Citizen Lab reported that both journalists, linked to the Italian outlet Fanpage, received notifications from Apple about potential spyware attacks. The spyware, Graphite, utilized a zero-click exploit tracked as CVE-2025-43200. Paragon has since ended its contract with the Italian government amid ongoing investigations into its spyware use against civil society members.

Forensic investigation confirms the use of Paragon's Graphite spyware in zero-click attacks targeting Apple iOS devices of journalists, including Ciro Pellegrino, in early 2025. The attacks exploited CVE-2025-43200, a zero-day vulnerability in iOS 18.2.1, allowing remote code execution via iMessage without user interaction. Apple notified the victims on April 29, and the vulnerability was addressed in iOS 18.3.1 on February 10. The spyware connected to a command-and-control server linked to Paragon's infrastructure.

A critical security flaw in the iPhone's Messages app, exploited by the "Graphite" spyware from Paragon, was patched in the iOS 18.3.1 update released in February 2025. The vulnerability was used in targeted attacks against journalists, allowing attackers to access devices via malicious media links. The flaw was first identified by The Citizen Lab, which linked the compromise to a specific journalist's device. Apple acknowledged the issue only after the findings were disclosed, raising concerns about spyware use against vulnerable individuals.

Graphite spyware, developed by Paragon, exploits a zero-click vulnerability (CVE-2025-43200) in iOS to target journalists, confirmed in at least three cases. The attack, using iMessage, allows device infiltration without user interaction. Apple patched the vulnerability in iOS 18.3.1, but earlier versions remain at risk. Notable targets include journalists from Fanpage.it, raising concerns about oversight in spyware use. Recommendations include taking spyware warnings seriously and seeking expert assistance.

Apple disclosed a zero-click vulnerability in its Messages app, tracked as CVE-2025-43200, exploited to target journalists with Paragon's Graphite spyware. The flaw, patched on February 10, 2025, allowed attackers to compromise devices without user interaction. Two journalists were infected while using iOS 18.2.1. Apple notified them on April 29, 2025. The Citizen Lab reported that Graphite can access sensitive data, raising concerns over spyware use against journalists and prompting calls for regulatory reforms in the EU.

Vulnerable instances of the SimpleHelp remote monitoring tool, affected by the high-severity path traversal flaw CVE-2024-57727, have been targeted in ransomware attacks against customers of a utility billing service provider. This information was reported by the Cybersecurity and Infrastructure Security Agency, highlighting the ongoing risks associated with unpatched vulnerabilities in enterprise software.

Apple has addressed a zero-click vulnerability (CVE-2025-43200) in iOS/iPadOS 18.3.1, linked to Paragon spyware attacks on journalists. The flaw, which involved maliciously crafted media shared via iCloud, was exploited against two journalists between January and February. The Citizen Lab confirmed the infections and noted that Graphite spyware operates covertly, making detection challenging. The Italian government has terminated its contract with Paragon amid ongoing scrutiny of spyware use. Users are advised to update devices and enable Lockdown Mode for enhanced security.

Apple disclosed a zero-click vulnerability (CVE-2025-43200) in its Messages app exploited to deliver Paragon spyware targeting journalists. Microsoft patched a WebDAV zero-day exploited by Stealth Falcon to deploy Horus Agent. Google fixed a flaw leaking recovery phone numbers. A zero-click AI vulnerability in Microsoft 365 (CVE-2025-32711) allowed data exfiltration without user interaction. New malware BrowserVenom was found on a phishing site impersonating DeepSeek, affecting multiple countries.

CISA has added a critical zero-click vulnerability, CVE-2025-43200, to its Known Exploited Vulnerabilities catalog, affecting multiple Apple products. This flaw allows attackers to compromise devices via malicious media shared through iCloud Links without user interaction. Confirmed exploitation targeted journalists using Graphite spyware. Apple patched the vulnerability in iOS 18.3.1, but earlier versions remain at risk. Organizations are urged to apply updates and follow CISA's mitigation recommendations.

Apple has patched a critical security flaw (CVE-2025-43200) in iOS 18.3.1 that was exploited by the Paragon spyware campaign targeting journalists and high-profile individuals. The flaw allowed zero-click attacks via maliciously crafted media shared through iCloud Links. The spyware could access sensitive data without user detection. Experts recommend keeping devices updated, enabling Lockdown mode, and using specialized security tools to mitigate risks from such advanced threats.

Fog ransomware, identified in a May 2025 attack on a financial institution, utilized a mix of legitimate employee monitoring software (Syteca) and open-source pentesting tools (GC2, Adaptix, Stowaway). Researchers noted the unusual persistence established by attackers post-deployment. Compromised Exchange servers and VPN credentials were potential entry points. This attack exemplifies a shift in ransomware tactics, blending cybercrime with espionage, using legitimate tools for covert credential harvesting and monitoring.

The Fog ransomware group targeted a financial institution in Asia in May 2025, utilizing legitimate pentesting tools like Syteca and GC2 for data exfiltration and ransomware deployment. The attackers maintained access for two weeks, employing reconnaissance techniques and establishing persistence through a service named “SecurityHealthIron” post-attack. This operation blurs the lines between espionage and financial crime, indicating a shift in threat actor behavior towards dual-purpose operations.

Fog ransomware has been observed using the legitimate employee monitoring tool Syteca to log keystrokes and capture passwords, facilitating network access and deployment of its encryptor. The attackers also utilized open-source tools like Stowaway for payload delivery and SMBExec for execution. Fog ransomware, which emerged in April 2024, has targeted organizations including Melexis and EUMETSAT, employing atypical methods not commonly seen in ransomware attacks.

Research from Symantec and Carbon Black reveals that the Fog ransomware group employs an unconventional toolset, including open-source pentesting tools and Syteca, an employee monitoring software. This approach allows attackers to blend in and conduct covert operations, utilizing legitimate software for credential harvesting and monitoring. Experts recommend organizations adopt proactive security measures, including limiting privileged access and monitoring for unusual activity, to combat these evolving threats effectively.