Weekly Cybersecurity Threat Advisory


Threat Landscape Summary (June 23 – June 30, 2025)

I. EXECUTIVE SUMMARY

The global threat landscape in late June 2025 presents an unprecedented convergence of sophisticated cyber threats that demand immediate strategic attention from organizational leadership. The period is characterized by escalating geopolitical tensions, widespread enterprise vulnerabilities, and increasingly capable cybercrime operations that collectively create a critical security environment.

Key Highlights

  • Nation-State Cyber Warfare Intensification: Heightened geopolitical tensions are directly translating into targeted cyber-attacks with clear strategic objectives. Nation-state actors, particularly those affiliated with the People’s Republic of China (PRC) and Iran, are conducting advanced cyber campaigns that pose significant threats to U.S. and allied interests. The ongoing U.S.-Iran conflict has manifested across a spectrum of cyber activities, ranging from disruptive hacktivism to preparations for destructive attacks targeting U.S.-linked infrastructure and organizations.
  • Long-Term Espionage Campaign Persistence: The PRC’s Salt Typhoon campaign continues its stealthy, long-term espionage mission with alarming success. This sophisticated operation is systematically compromising core network infrastructure across the United States and allied nations, strategically pre-positioning assets for future contingencies and maintaining persistent access to critical systems for intelligence gathering and potential future disruption.
  • Critical Enterprise Vulnerability Crisis: Enterprise and critical infrastructure security is facing an unprecedented crisis driven by a barrage of critical, actively exploited vulnerabilities in ubiquitous software platforms. High-impact flaws in essential systems from Microsoft, Citrix, and SAP have created an extraordinarily target-rich environment that adversaries are actively exploiting. This vulnerability crisis represents a fundamental threat to organizational security postures across all sectors.
  • Degraded Public-Private Defense Partnerships: The software vulnerability crisis is being dangerously compounded by a significant degradation of public-private defense partnerships within the United States. Federal funding cuts to vital cybersecurity entities, including the Multi-State Information Sharing and Analysis Center (MS-ISAC), combined with workforce disruptions at the Cybersecurity and Infrastructure Security Agency (CISA), are systematically weakening collective defense capabilities precisely when adversaries are intensifying their focus on critical infrastructure and enterprise targets.
  • Sophisticated Cybercrime at Nation-State Scale: Advanced cybercrime syndicates are now operating at unprecedented scale using nation-state-level tactics and capabilities. Financially motivated groups, most notably Scattered Spider, are demonstrating mastery of advanced social engineering techniques specifically designed to bypass modern multi-factor authentication defenses, resulting in significant operational disruption across critical sectors including insurance and aviation industries.
  • Mature Malware-as-a-Service Ecosystem: The cybercrime landscape is being further complicated by a rapidly maturing Malware-as-a-Service (MaaS) ecosystem that democratizes access to sophisticated attack tools. This ecosystem provides less-skilled threat actors with ready access to potent infostealers like Myth Stealer and continuously evolving ransomware strains, significantly lowering the barrier to entry for conducting effective cyber attacks and expanding the overall threat actor population.

Strategic Implications

These converging trends signal a clear and urgent need for organizations to fundamentally evolve beyond traditional reactive, perimeter-focused defense models. The current threat landscape necessitates an immediate strategic shift toward a proactive, identity-centric, and resilience-focused security posture specifically designed to withstand advanced, persistent, and multifaceted threats that combine nation-state sophistication with criminal motivations and widespread vulnerability exploitation.

II. GLOBAL CYBER THREAT LANDSCAPE OVERVIEW

Key Observations:

The intersection of geopolitical conflict and cyber operations is a defining feature of the current threat environment, with nation-states using cyber capabilities as an integral part of statecraft. This reality demands nuanced threat models tailored to specific geopolitical risks and actor TTPs, as a defense against DDoS attacks is ineffective against a sophisticated router implant. While nation-states intensify their focus, the collaborative defense mechanisms designed to protect critical sectors are showing signs of significant strain. Furthermore, Artificial Intelligence (AI) is a double-edged sword; threat actors are leveraging it for offense, while enterprise defenses against AI-driven threats are lagging.

Supply Chain and Cloud Security Risks:

  • Third-Party Vendor Vulnerabilities: The profound risk of supply chain compromise is a major vulnerability. The June 2025 cyberattack on Glasgow City Council, which paralyzed digital services for over a week, originated from malicious activity on a third-party supplier’s supplier’s servers.
  • Ecosystem-Wide Challenges: This concern is widely shared, with 54% of large organizations identifying supply chain challenges as the single greatest barrier to achieving cyber resilience in the World Economic Forum’s 2025 Global Cybersecurity Outlook.
  • Cloud Infrastructure Implications: The compromise of core network devices, such as routers and firewalls, by groups like Salt Typhoon elevates the security of this infrastructure to a top-tier priority, on par with domain controllers. This necessitates dedicated programs for vulnerability management and traffic analysis on these critical systems.

III. NOTABLE INCIDENTS AND DATA BREACHES

The past week saw a number of high-impact security incidents, ranging from colossal credential leaks to disruptive attacks on critical public and private sector organizations.

  • Massive Credential Leaks: One of the largest data exposures ever recorded came to light, with 16 billion login credentials aggregated from over 30 separate datasets, including data from recent infostealer malware logs. In a separate incident, an unencrypted database with 184 million credentials for platforms like Google and Facebook was found exposed online.
  • United Natural Foods Inc. (UNFI): A cyberattack against the primary distributor for Whole Foods forced a complete network shutdown, causing significant disruption to the grocery supply chain.
  • PowerSchool: A breach at the SaaS provider exposed the data of an estimated 62.4 million students, highlighting the immense blast radius of a compromise at a central software vendor.
  • DBS Group and Bank of China (Singapore): Customers had information potentially compromised following a ransomware attack on their third-party data vendor, Toppan Next Tech.
  • Columbia University: On June 24, the university experienced widespread system outages affecting email, course portals, and authentication services after a suspected cyberattack that included the defacement of some digital displays.
  • Glasgow City Council: Beginning on June 19, the city suffered a massive and prolonged disruption of its digital services, crippling systems for planning applications, penalty payments, and more for over a week. The attack originated from a third-party IT provider’s supplier.
  • Sepah Bank (Iran): An Israel-linked hacking group, “Predatory Sparrow,” claimed responsibility for a destructive cyberattack against one of Iran’s largest state-owned banks, claiming to have destroyed bank data.

IV. COMPREHENSIVE INCIDENT SUMMARY TABLE

| Date (2025) | Incident/Type | Affected Organization/Target | Key Impact | Threat Actor (if known) |
|---|---|---|---|---|
| Late June | Data Leak (Infostealer) | Global Users (Apple, Google, Facebook) | 16 billion login credentials aggregated and exposed. | Infostealer Malware Operators |
| June 12-24 | Social Engineering Campaign | U.S. Insurance & Aviation Sectors | Targeted attacks on multiple insurance firms and airlines. | Scattered Spider |
| June 24 | Cyberattack | Columbia University | Widespread system outages, service disruption, digital display defacement. | Unspecified |
| June 24 (Advisory) | Espionage Campaign | Canadian Telecommunications Company | Compromise of core network infrastructure for espionage and pre-positioning. | Salt Typhoon (PRC-linked) |
| June 19 | Supply Chain Attack | Glasgow City Council | Prolonged disruption of city digital services for over a week. | Unspecified (via 3rd party supplier) |
| Late June | Cyberattack | United Natural Foods Inc. (UNFI) | Network shutdown and significant supply chain disruption. | Unspecified |
| Late June | Data Breach (Third Party) | PowerSchool | Exposure of data for an estimated 62.4 million students. | Unspecified |
| Late June | Geopolitical Cyberattack | Sepah Bank (Iran) | Destructive attack causing service disruption and data destruction. | “Predatory Sparrow” (Israel-linked) |

V. CURRENT THREAT LANDSCAPE ANALYSIS

Emerging Trends:

  • Nation-State Cyber Operations as Statecraft: Adversarial nation-states are increasingly leveraging cyber capabilities as an integral component of their strategic objectives. Iran employs a “high-low” mix of sophisticated state attacks and deniable hacktivism, while the PRC focuses on stealthy, long-term infiltration of critical infrastructure to pre-position for future conflicts.
  • Weaponization of Trust and Process: Sophisticated criminal groups like Scattered Spider are methodically exploiting human trust and institutional pressures within corporate IT support processes. They “weaponize trust” by manipulating help desk staff who are culturally conditioned to provide rapid support to executives, bypassing technical controls through social engineering.
  • “Living off the Land” at the Network Edge: The Salt Typhoon campaign highlights a strategic shift toward compromising the network fabric itself. By exploiting vulnerabilities in routers and firewalls, attackers use built-in device functionalities (“living off the land”) to evade detection and gain a “god’s-eye view” of all network data, bypassing traditional endpoint security.
  • AI-Augmented Social Engineering: Artificial Intelligence is being operationalized by attackers to perfect deception at scale. AI is used to craft highly convincing and personalized phishing emails and vishing scripts, amplifying the effectiveness of social engineering TTPs and rendering traditional security awareness training increasingly obsolete.
  • Cascading Supply Chain Risk: The security posture of an organization is inextricably linked to its digital ecosystem. As demonstrated by attacks on Glasgow City Council and the PowerSchool data breach, a compromise at a single third-party supplier can have cascading and devastating consequences for all connected entities.

VI. CRITICAL VULNERABILITIES AND CVEs

| CVE ID | Product/Service | Description | Severity (CVSS) | Exploitation Status | Recommended Action |
|---|---|---|---|---|---|
| CVE-2025-31324 | SAP NetWeaver AS Java | A missing authorization check allows an unauthenticated attacker to upload arbitrary files, leading to RCE. | 10.0 | Actively Exploited | Patch Immediately. Scan for unauthorized web shells. |
| CVE-2025-20286 | Cisco ISE (Cloud) | Improperly generated static credentials shared across cloud deployments, allowing cross-customer access. | 9.9 | PoC Available | Patch Immediately. Audit all cloud instance credentials. |
| CVE-2025-20281 | Cisco ISE / ISE-PIC | An unauthenticated RCE vulnerability in the Cisco ISE API could allow root-level code execution. | 9.8 | Unconfirmed | Patch Immediately. Restrict API access. |
| CVE-2025-6543 | Citrix NetScaler ADC/Gateway | A memory overflow vulnerability that can lead to DoS or unauthenticated RCE on gateway devices. | 9.2 | Actively Exploited | Patch Immediately. Terminate all active sessions post-patch. |
| CVE-2025-5777 | Citrix NetScaler ADC/Gateway | “Citrix Bleed 2.0”: An out-of-bounds read flaw allows an attacker to steal active session tokens, bypassing MFA. | 9.2 | Observed Exploitation | Patch Immediately. |
| CVE-2025-33053 | Microsoft WebDAV | An RCE vulnerability exploited by tricking a user into connecting to a malicious server. | 8.8 | Actively Exploited (Zero-Day) | Apply June 2025 patches. Block outbound WebDAV connections where possible. |
| CVE-2025-47162, -47164, -47167 | Microsoft Office | RCE vulnerabilities where the Preview Pane is a viable attack vector, requiring no user interaction beyond selecting a file. | 8.4 | Exploitation More Likely | Apply June 2025 patches. Disable the Preview Pane in Outlook and Explorer. |
| CVE-2025-33070 | Microsoft Windows Netlogon | An Elevation of Privilege (EoP) flaw that could allow an unauthenticated attacker to gain domain admin privileges. | 8.1 | Exploitation More Likely | Apply June 2025 patches. Monitor for anomalous Netlogon activity. |

VII. THREAT ACTOR ACTIVITIES

  • Scattered Spider (UNC3944/Octo Tempest): This highly sophisticated, English-speaking group has pivoted to targeting the U.S. insurance and aviation sectors. Their hallmark is exploiting the human element through vishing (voice phishing) calls to IT help desks, persuading staff to reset executive passwords and add attacker-controlled MFA devices. They have recently targeted Aflac, Erie Insurance, Hawaiian Airlines, and WestJet.
  • Salt Typhoon (GhostEmperor): A PRC-affiliated espionage group focused on long-term intelligence gathering within global critical infrastructure. A recent advisory revealed a multi-year campaign targeting U.S. and allied telecommunications providers. Their primary TTP is exploiting public-facing network edge devices (like Cisco routers) and creating clandestine GRE tunnels to siphon off network traffic for espionage.
  • Iran-Affiliated Actors: Tehran and its proxies have engaged in a multi-layered cyber response to the ongoing conflict with the U.S. This includes a “high-low” strategy combining low-sophistication hacktivist swarms conducting DDoS and defacement attacks with advanced, government-affiliated groups prepared to deploy destructive wiper malware.
  • Russia-Aligned Groups (UAC-0226): These groups remain active in the war in Ukraine, targeting military and government entities with evolving malware. Their operations, which deploy infostealers like GIFTEDCROOK, often coincide with geopolitical events like peace negotiations, indicating close coordination with state objectives.

VIII. MALWARE ANALYSIS

Featured Malware Families:

  • GIFTEDCROOK: Deployed by the Russia-aligned group UAC-0226, this malware has evolved from a basic data stealer into a targeted intelligence-gathering tool. Recent versions selectively harvest specific document types like .pdf, .docx, and .ovpn VPN configuration files, indicating its use for tactical cyber espionage.
  • Myth Stealer: A new and highly sophisticated infostealer written in the Rust programming language, making it harder to analyze. It is distributed via a Malware-as-a-Service (MaaS) model and boasts advanced features, including anti-analysis techniques and a clipboard hijacker for stealing cryptocurrency.
  • Lumma Stealer: This prominent MaaS infostealer remains a significant threat, responsible for over 25% of recorded infostealer attacks globally. It is often used as a precursor to ransomware attacks, with stolen credentials being sold to or used by other criminal groups.
  • SafeLocker: First identified in June 2025, this new ransomware family targets the Windows OS and uses stealth techniques like extended sleep intervals. Its relatively small ransom demand of $7,000 suggests a focus on small-to-medium enterprises.
  • Puld Ransomware: A new variant of the established Medusa Locker ransomware, indicating continued development and investment by its operators to bypass existing defenses.
  • Hypervisor Targeting: A dangerous trend is the shift by ransomware groups (like those using DragonForce) to directly target VMware ESXi hypervisors. By encrypting the hypervisor’s files, attackers can make hundreds of servers inoperable in a single action.

IX. RECOMMENDATIONS

For Technical Audiences:

  • Immediate Actions (24-48 Hours):
    • Prioritized Patching: Address the critical vulnerabilities disclosed this week with urgency, in the following order:
      • Citrix NetScaler (CVE-2025-6543, CVE-2025-5777): Actively exploited to bypass MFA.
      • Microsoft WebDAV (CVE-2025-33053): Actively exploited zero-day used by an APT group.
      • SAP NetWeaver (CVE-2025-31324): CVSS 10.0 vulnerability allowing unauthenticated RCE.
      • Critical Microsoft Office, Netlogon, RDP CVEs: High likelihood of exploitation.
      • Cisco ISE CVEs: Affects critical network access control solution.
    • Citrix Remediation: Patching alone is insufficient for CVE-2025-5777. You must terminate all active and persistent user sessions (e.g., ICA, PCoIP) after the patch is applied to invalidate any session tokens stolen prior to patching.
  • Threat Hunting & Strategic Improvements:
    • Threat Hunting – Scattered Spider:
      • Query help desk logs for suspicious password or MFA resets for C-suite users.
      • Monitor for legitimate remote access tools being executed by unusual parent processes.
      • Analyze authentication logs for MFA fatigue patterns followed by a successful login, especially after a help desk ticket.
      • Proactively scan for typosquatted domains impersonating your brand.
    • Threat Hunting – Salt Typhoon:
      • Immediately audit the running configurations of all internet-facing routers and edge devices for unauthorized changes, especially new GRE tunnels.
      • Monitor NetFlow data for anomalous traffic flows originating from the management interfaces of edge devices.
    • IoC Blocking: Ingest all Indicators of Compromise from the Appendix into firewalls, proxies, DNS security solutions, and EDR platforms.
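The Scattered Spider hunts above (help desk resets for executives, MFA-fatigue bursts followed by a successful login, and the correlation between the two) can be expressed as a short correlation script. The following is an added example, not code from the advisory or from the MCS team; the log formats, field names, executive list and thresholds are assumptions, and every log line is constructed for the demonstration.

```python
"""Hunt for help desk abuse and MFA fatigue in authentication and ticketing
logs. Added example; log formats and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (assumed format):
#   timestamp, user, event, detail
AUTH_LOG = """\
2025-06-24T08:01:10Z,cfo@example.com,mfa_push_denied,ip=203.0.113.7
2025-06-24T08:01:42Z,cfo@example.com,mfa_push_denied,ip=203.0.113.7
2025-06-24T08:02:15Z,cfo@example.com,mfa_push_timeout,ip=203.0.113.7
2025-06-24T08:02:50Z,cfo@example.com,mfa_push_denied,ip=203.0.113.7
2025-06-24T08:03:30Z,cfo@example.com,mfa_push_approved,ip=203.0.113.7
2025-06-24T08:03:31Z,cfo@example.com,login_success,ip=203.0.113.7
2025-06-24T09:15:00Z,dev1@example.com,mfa_push_denied,ip=198.51.100.4
2025-06-24T09:20:00Z,dev1@example.com,login_success,ip=198.51.100.4
"""

# Constructed help desk ticket export (assumed format):
#   timestamp, ticket_id, subject_user, action, requester_channel
HELPDESK_LOG = """\
2025-06-24T07:55:00Z,HD-1001,cfo@example.com,mfa_device_added,phone
2025-06-24T07:56:00Z,HD-1002,cfo@example.com,password_reset,phone
2025-06-24T10:30:00Z,HD-1003,dev1@example.com,password_reset,portal
"""

EXECUTIVES = {"cfo@example.com", "ceo@example.com", "ciso@example.com"}  # assumed
HIGH_RISK_ACTIONS = {"password_reset", "mfa_device_added", "mfa_reset"}
FATIGUE_THRESHOLD = 3                 # rejected pushes before a success
FATIGUE_WINDOW = timedelta(minutes=10)
TICKET_LOOKBACK = timedelta(hours=2)  # ticket must precede the login by <= 2h


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_csv(text):
    return [line.split(",") for line in text.strip().splitlines()]


def high_risk_exec_tickets(helpdesk_text):
    """Tickets performing high-risk identity actions on executive accounts."""
    out = []
    for ts, ticket, user, action, channel in parse_csv(helpdesk_text):
        if user in EXECUTIVES and action in HIGH_RISK_ACTIONS:
            out.append({"ticket": ticket, "user": user, "action": action,
                        "channel": channel, "time": parse_ts(ts)})
    return out


def mfa_fatigue_logins(auth_text):
    """Successful logins preceded by a burst of denied or timed-out pushes."""
    rejected = defaultdict(list)  # user -> timestamps of rejected pushes
    findings = []
    for ts, user, event, detail in parse_csv(auth_text):
        t = parse_ts(ts)
        if event in ("mfa_push_denied", "mfa_push_timeout"):
            rejected[user].append(t)
        elif event == "login_success":
            recent = [r for r in rejected[user] if t - r <= FATIGUE_WINDOW]
            if len(recent) >= FATIGUE_THRESHOLD:
                findings.append({"user": user, "time": t,
                                 "rejected_pushes": len(recent),
                                 "source": detail})
            rejected[user] = []  # a success closes the burst window
    return findings


def correlate(auth_text, helpdesk_text):
    """Join fatigue logins with a recent high-risk ticket on the same account."""
    tickets = high_risk_exec_tickets(helpdesk_text)
    alerts = []
    for f in mfa_fatigue_logins(auth_text):
        related = [t["ticket"] for t in tickets
                   if t["user"] == f["user"]
                   and timedelta(0) <= f["time"] - t["time"] <= TICKET_LOOKBACK]
        alerts.append({**f, "related_tickets": related,
                       "executive": f["user"] in EXECUTIVES})
    return alerts


if __name__ == "__main__":
    for alert in correlate(AUTH_LOG, HELPDESK_LOG):
        print(alert)
```

In the constructed data the CFO account receives four rejected pushes in under three minutes, then a successful login, eight minutes after a phone-channel ticket added an MFA device and reset the password; that combination is the pattern the hunt is meant to surface, while the developer's single denied push stays below the threshold. Tune `FATIGUE_THRESHOLD` and the windows to your own push volume before running this over real exports.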
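The Salt Typhoon hunt above asks for an audit of edge-device running configurations against a known-good baseline, with new GRE tunnels as the headline finding. The following is an added example of that check, not code from the advisory or from any vendor; the IOS-style configurations are constructed, the approved-destination list is an assumption, and the parser relies on the IOS convention that a Tunnel interface is GRE unless a `tunnel mode` line says otherwise.

```python
"""Diff router tunnel interfaces against a golden config and an allowlist.
Added example; the configs below are constructed IOS-style text."""
import re

# Approved golden config for one edge router (constructed). Tunnel1 is a
# sanctioned site-to-site link.
BASELINE_CONFIG = """\
hostname edge-rtr-01
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
interface Tunnel1
 description site-to-site to branch
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.200
!
"""

# Running config pulled during the audit (constructed). Tunnel99 has
# appeared with no description and an unknown destination.
RUNNING_CONFIG = """\
hostname edge-rtr-01
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
interface Tunnel1
 description site-to-site to branch
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.200
!
interface Tunnel99
 ip address 172.16.99.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.50
!
"""

# Remote endpoints allowed to terminate tunnels from this device (assumed).
APPROVED_DESTINATIONS = {"192.0.2.200"}

_IF_RE = re.compile(r"^interface (Tunnel\d+)\s*$")


def parse_tunnels(config_text):
    """Return {name: {attr: value}} for every Tunnel interface block."""
    tunnels, current = {}, None
    for line in config_text.splitlines():
        m = _IF_RE.match(line)
        if m:
            current = m.group(1)
            tunnels[current] = {"mode": "gre ip"}  # IOS default when unset
            continue
        if current is None:
            continue
        if not line.startswith(" "):   # unindented line ends the block
            current = None
            continue
        stripped = line.strip()
        if stripped.startswith("tunnel mode "):
            tunnels[current]["mode"] = stripped[len("tunnel mode "):]
        elif stripped.startswith("tunnel source "):
            tunnels[current]["source"] = stripped.split(None, 2)[2]
        elif stripped.startswith("tunnel destination "):
            tunnels[current]["destination"] = stripped.split(None, 2)[2]
        elif stripped.startswith("description "):
            tunnels[current]["description"] = stripped[len("description "):]
    return tunnels


def audit(running_text, baseline_text, approved=APPROVED_DESTINATIONS):
    """Flag tunnels that are new, changed, removed, or GRE to an unapproved
    destination. Returns a list of (interface, reason) tuples."""
    running = parse_tunnels(running_text)
    baseline = parse_tunnels(baseline_text)
    findings = []
    for name, attrs in running.items():
        if name not in baseline:
            findings.append((name, "not in baseline"))
        elif attrs != baseline[name]:
            findings.append((name, "differs from baseline"))
        dest = attrs.get("destination")
        if dest and dest not in approved and attrs["mode"].startswith("gre"):
            findings.append((name, f"GRE tunnel to unapproved destination {dest}"))
    for name in baseline:
        if name not in running:
            findings.append((name, "missing from running config"))
    return findings


if __name__ == "__main__":
    for interface, reason in audit(RUNNING_CONFIG, BASELINE_CONFIG):
        print(f"{interface}: {reason}")
```

The baseline should be a copy of the config taken at a time you trust, stored off the device, since an attacker with device access can edit both the running and startup configs. Pair the config diff with the NetFlow check in the same list: a new tunnel interface plus GRE (IP protocol 47) flows from the management interface to an address outside the allowlist is a stronger signal than either alone.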

For Non-Technical Audiences (Leadership & CISOs):

  • Mandate a Redesign of Help Desk Identity Verification: The success of social engineering attacks against IT help desks is a critical failure of process. The risk of a breach from a manipulated MFA reset now outweighs the risk of executive inconvenience. Mandate an immediate review and implementation of non-bypassable secondary verification methods for all high-risk actions for all users.
  • Elevate Network Edge Security to a Tier-1 Priority: Nation-state actors view network edge devices (routers, firewalls) as primary targets for espionage. These devices can no longer be “set-and-forget” infrastructure. Ensure they are integrated into core security programs, including vulnerability management, configuration hardening, and advanced network traffic analysis.
  • Launch a Proactive Supply Chain Risk Assessment: The attacks on Glasgow City Council and the PowerSchool breach highlight systemic third-party risk. Initiate a targeted risk assessment program for critical suppliers, especially SaaS and managed service providers. Evaluate their security posture and review contracts for security clauses and right-to-audit provisions.
  • Invest in Behavior-Based and Identity-Centric Defenses: AI-powered phishing and credential-based attacks confirm that perimeter defenses are insufficient. Strategic investment must pivot toward technologies that focus on identity and behavior, such as Identity Threat Detection and Response (ITDR), User and Entity Behavior Analytics (UEBA), and a broader shift to a Zero Trust architecture.

X. ANALYST NOTES

The current landscape is defined by the convergence of nation-state campaigns, rampant enterprise vulnerabilities, and industrialized cybercrime. This necessitates a strategic evolution beyond reactive defense toward a proactive, identity-centric, and resilience-focused security model.

Adversaries are demonstrating a sophisticated understanding of systemic weaknesses. The “weaponization of trust” by groups like Scattered Spider shows that the most critical vulnerability is often not a software flaw, but a flawed process and the human tendency toward expediency. Similarly, the Salt Typhoon campaign’s focus on network edge devices—which are notoriously difficult to patch and monitor—reveals a deliberate strategy to bypass layers of security by compromising the network’s central nervous system.

This is occurring as public-private defense partnerships in the U.S. are weakening due to funding cuts and workforce disruptions, forcing organizations to become more self-reliant at a time of increasing risk. The professionalization of the cybercrime ecosystem through Malware-as-a-Service models further democratizes the threat, allowing less-skilled actors to rent nation-state-level capabilities.

Ultimately, these trends signal that organizations can no longer assume robust government support and must independently invest in advanced threat intelligence, comprehensive supply chain risk management, and mature incident response capabilities to survive in this heightened threat environment.

XI. CONTACT INFORMATION

For further inquiries or guidance regarding this report, please contact the Meraal Cyber Security (MCS) Threat Intelligence Team.

Note on Sources and Intelligence: This report synthesizes information from various credible sources, including public advisories from organizations like CISA, MITRE, and MS-ISAC, alongside internal analysis and emerging threat intelligence. Efforts have been made to differentiate between confirmed intelligence and speculative or unverified information to maintain accuracy and credibility.
