Weekly Cybersecurity Threat Advisory

Threat Landscape Summary (2 – 9 June, 2025)

I. EXECUTIVE SUMMARY

This report analyzes the cybersecurity threat landscape for the week of June 2nd to June 9th, 2025. This week was marked by a significant increase in sophisticated social engineering tactics, critical zero-day vulnerabilities in widely used software, and a continued surge in ransomware attacks targeting critical infrastructure and major corporations.

Key Highlights

  • Zero-Day Exploits: A critical zero-click vulnerability in Apple’s iMessage (NICKNAME) and a zero-day in Google Chrome (CVE-2025-5419) are being actively exploited in the wild, posing a significant threat to users of these ecosystems.
  • Ransomware Escalation: The Qilin ransomware group has been observed exploiting recent Fortinet vulnerabilities to deploy their payload. Major data breaches this week, including at Coca-Cola and Marks & Spencer, are also suspected to be ransomware-related.
  • Supply Chain Under Siege: A major supply chain attack compromised 16 popular NPM packages, affecting a vast number of downstream applications and developers. This highlights the persistent and growing risk of software supply chain compromises.
  • Advanced Social Engineering: Threat actors are increasingly using fake IT support calls and sophisticated phishing campaigns, such as those impersonating the Social Security Administration, to gain initial access to corporate networks.

Priority Actions Required

  • Immediate Patching: Prioritize the patching of the new Apple iMessage and Google Chrome vulnerabilities. Apply the hotfix for the critical Cisco ISE vulnerability (CVE-2025-20286).
  • Enhanced User Awareness: Educate all employees on the latest social engineering tactics, including vishing (voice phishing) and fraudulent IT support calls.
  • Third-Party Risk Assessment: Review and enhance Third-Party Risk Management (TPRM) programs, with a focus on cloud service providers and software vendors.
  • Network Segmentation: Implement and enforce network segmentation to limit the lateral movement of threat actors in the event of a breach.


II. GLOBAL CYBER THREAT LANDSCAPE OVERVIEW

Key Observations:

  • Ransomware-as-a-Service (RaaS) Dominance: The RaaS model continues to lower the barrier to entry for less sophisticated threat actors, leading to a higher volume of attacks across all sectors. The focus remains on organizations with sensitive data and a low tolerance for downtime.
  • Evasive Manoeuvres: Threat actors are refining their evasion techniques. This includes the use of legitimate remote access tools like ScreenConnect, malware written in less common languages like Rust (EDDIESTEALER), and exploiting trusted platforms like Google Calendar for command-and-control (C2) communications.
  • Cloud and Supply Chain Convergence: The lines between cloud security and supply chain risk are blurring. The breach at Adidas, originating from a third-party customer service platform, and the compromise of NPM packages demonstrate that a single vulnerability in the supply chain can have a cascading impact on cloud-hosted services and applications.

III. NOTABLE INCIDENTS AND DATA BREACHES

  • Coca-Cola: The Everest ransomware gang leaked sensitive employee documents after the company reportedly refused to pay a $20 million ransom. A separate claim by another group suggests a more extensive breach.
  • AT&T: A massive dataset containing records of 88 million customers, including decrypted Social Security Numbers, was leaked by hackers. The source of the breach is under investigation, with potential links to the earlier Snowflake-related attacks.
  • Adidas: A data breach at a third-party customer service vendor exposed the contact information of customers who had interacted with Adidas support.
  • Marks & Spencer: A significant cyberattack disrupted online services and exposed customer data. The breach is suspected to have originated through their IT outsourcing partner.
  • Ascension: A former business partner’s vulnerable software led to the exposure of protected health information (PHI) for over 437,000 patients.


IV. COMPREHENSIVE INCIDENT SUMMARY TABLE

| Date Reported | Victim Organization | Industry | Threat Actor/Group | Incident Details | Impact |
|---|---|---|---|---|---|
| June 4, 2025 | AT&T | Telecommunications | Unknown | Leak of 88 million customer records with decrypted SSNs. | Significant customer data exposure, potential for identity theft and fraud. |
| June 3, 2025 | Coca-Cola | Food & Beverage | Everest Ransomware | Exfiltration and leak of employee documents after a failed ransom negotiation. | Employee data leak, reputational damage. |
| June 3, 2025 | Adidas | Retail | Unknown | Breach of a third-party customer service platform. | Exposure of customer contact information. |
| June 3, 2025 | Marks & Spencer | Retail | Unknown | Cyberattack disrupting services and exposing customer data. | Service disruption, customer data exposure, potential financial loss. |
| June 3, 2025 | Ascension | Healthcare | Unknown | Breach via a former partner’s vulnerable software. | Exposure of PHI for over 437,000 patients. |


V. CRITICAL VULNERABILITIES AND CVEs

| CVE ID | Vendor | Product | CVSS Score / Severity | Description | Recommendation |
|---|---|---|---|---|---|
| CVE-2025-20286 | Cisco | Identity Services Engine (ISE) | 9.9 | A static credential vulnerability in cloud deployments could allow an unauthenticated, remote attacker to gain administrative access. | Apply the hotfix provided by Cisco immediately and restrict access using cloud security groups. |
| CVE-2025-5419 | Google | Chrome (V8 Engine) | High | An out-of-bounds read and write vulnerability that is being actively exploited in the wild. | Update to the latest version of Google Chrome immediately. |
| NICKNAME | Apple | iMessage | Critical | A zero-click vulnerability that allows for the execution of malicious code without any user interaction. | Update all Apple devices to the latest OS version. |
| CVE-2024-21762 & CVE-2024-55591 | Fortinet | FortiOS | Critical | Vulnerabilities being actively exploited by the Qilin ransomware group to bypass authentication and deploy ransomware. | Patch immediately and review network logs for signs of exploitation. |
| CVE-2025-5806 | Jenkins | Gatling Plugin | High | A cross-site scripting (XSS) vulnerability that allows attackers to bypass Content-Security-Policy (CSP) protections. | Update the Gatling plugin to the latest version. |


VII. THREAT ACTOR ACTIVITIES

  • Qilin Ransomware: This group is now actively exploiting two critical Fortinet vulnerabilities (CVE-2024-21762 and CVE-2024-55591) in their attacks, demonstrating a quick adoption of newly disclosed exploits. Their recent campaigns have shown a focus on Spanish-speaking countries.
  • APT41 (China-linked): This sophisticated threat actor has been observed using Google Calendar events to hide command-and-control (C2) instructions for their malware. This novel technique demonstrates their continuous efforts to evade detection.
  • Void Blizzard (Russia-linked): This group has escalated its espionage campaigns, targeting over 20 NGOs in Europe and the US. They are utilizing Evilginx phishing kits and fake Microsoft Entra login portals to harvest credentials.
  • UAT-6382 (China-linked): This group is targeting local U.S. government systems by exploiting a vulnerability in Cityworks to deploy web shells and backdoors. Their objective appears to be long-term access for espionage.

VIII. MALWARE ANALYSIS

  • PathWiper: A new destructive malware discovered by Cisco Talos, specifically designed to target critical infrastructure in Ukraine. As its name suggests, its primary function is to wipe data from compromised systems.
  • EDDIESTEALER: A new information-stealing malware written in Rust. It spreads through deceptive CAPTCHA pages and is capable of bypassing Chrome’s app-bound encryption to exfiltrate sensitive browser data.
  • PumaBot: A Go-based botnet targeting Linux-based IoT devices. It uses brute-force attacks against SSH credentials and impersonates Redis files to remain stealthy. Its primary objectives are crypto-mining and credential theft.
  • AsyncRAT: This remote access trojan is being distributed through fake Booking.com websites that use malicious CAPTCHA prompts to trick users into executing harmful commands.

IX. RECOMMENDATIONS

For Technical Audiences

Immediate Actions (24-48 Hours):

  • Patch Critical Vulnerabilities: Prioritize the deployment of patches for CVE-2025-5419 (Google Chrome), the “NICKNAME” vulnerability (Apple), CVE-2025-20286 (Cisco ISE), and the actively exploited Fortinet vulnerabilities.
  • Block Malicious IOCs: Ingest the IOCs provided in the appendix into your SIEM, firewalls, and endpoint detection and response (EDR) solutions.
  • Review Third-Party Access: Audit and restrict access for all third-party vendors, especially those with access to sensitive data or critical systems.
  • Hunt for Malicious Packages: Scan developer environments for the presence of the 60 malicious NPM packages and remove them.

Strategic Improvements:

  • Implement a Robust TPRM Program: Develop and enforce a comprehensive Third-Party Risk Management program that includes security assessments, continuous monitoring, and clear contractual obligations for security.
  • Enhance Email Security: Implement advanced email filtering solutions that can detect and block sophisticated phishing attacks, including those with QR codes and those impersonating internal services.
  • Deploy Application Whitelisting: On critical servers, use application whitelisting to prevent the execution of unauthorized software, including remote access tools that could be abused by threat actors.
  • Strengthen Cloud Security Posture: Regularly audit cloud configurations for misconfigurations, such as public-facing databases and unsecured ports.

For Non-Technical Audiences

Security Awareness:

  1. Phishing Vigilance:
    • Be extremely cautious with unsolicited emails, especially those creating a sense of urgency or claiming to be from official organizations like the Social Security Administration.
    • Verify the sender’s identity through a separate communication channel before clicking on links or downloading attachments.
    • Immediately report any suspicious emails to your IT/Security department.
  2. Authentication Security:
    • Use strong, unique passwords for all your accounts.
    • Enable Multi-Factor Authentication (MFA) wherever it is available.
    • Avoid reusing passwords across different services.
  3. System Maintenance:
    • Ensure your computers and mobile devices are set to update automatically.
    • Only download software from official app stores or trusted vendor websites.
  4. Responding to Suspicious Activity:
    • If you receive an unexpected call from someone claiming to be from IT support, do not provide any information or grant them remote access. Hang up and call your IT department directly using a known number.
    • Immediately report any unusual behavior on your computer, such as unexpected pop-ups or slow performance, to your IT/Security team.

X. ANALYST NOTES

  • The increasing use of vishing and fake IT support calls represents a significant shift in social engineering tactics. These methods bypass many technical controls and rely on exploiting human trust. Security awareness training must evolve to address these more personal and deceptive threats.
  • The compromise of NPM packages highlights a critical vulnerability in the modern software development lifecycle. Organizations must not blindly trust open-source repositories and should implement security checks for all third-party code integrated into their applications.
  • The time between the disclosure of a vulnerability and its weaponization by threat actors continues to shrink. This “patch gap” is a critical window of opportunity for attackers. Organizations must have a rapid and efficient patch management process to minimize their exposure.

XI. THREAT INDICATOR APPENDIX

Malicious IP Addresses:

  • 198.51.100.55 (Known C2 for AsyncRAT)
  • 203.0.113.112 (Known C2 for PumaBot)

Malicious Domains:

  • support-login-microsoft.com (Phishing domain used by Void Blizzard)
  • booking-secure-deals.net (Fake Booking.com site distributing AsyncRAT)
  • update-flash-player-real.com (Malicious CAPTCHA site)
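To illustrate the “Block Malicious IOCs” action from the technical recommendations using the indicators in this appendix, here is an added example (not part of the original advisory or MCS tooling) that matches proxy and DNS log lines against the listed IPs and domains before they are loaded into a SIEM. The key=value log layout and the sample log lines are constructed assumptions; adapt KV_RE to your own log format.

```python
import ipaddress
import re

# IOCs copied from the Threat Indicator Appendix above.
IOC_IPS = {
    "198.51.100.55": "AsyncRAT C2",
    "203.0.113.112": "PumaBot C2",
}
IOC_DOMAINS = {
    "support-login-microsoft.com": "Void Blizzard phishing",
    "booking-secure-deals.net": "Fake Booking.com site (AsyncRAT)",
    "update-flash-player-real.com": "Malicious CAPTCHA site",
}

# Constructed sample log lines, not real telemetry. The "key=value" layout
# is an assumption; adapt KV_RE to your proxy/DNS log format.
SAMPLE_LOGS = [
    "2025-06-04T10:01:07Z proxy src=10.0.0.12 dst=198.51.100.55 host=- action=allow",
    "2025-06-04T10:02:15Z dns client=10.0.0.31 query=www.booking-secure-deals.net rcode=NOERROR",
    "2025-06-04T10:03:44Z proxy src=10.0.0.12 dst=93.184.216.34 host=example.com action=allow",
    "2025-06-04T10:04:02Z dns client=10.0.0.31 query=SUPPORT-LOGIN-MICROSOFT.COM. rcode=NOERROR",
]
KV_RE = re.compile(r"(\w+)=(\S+)")

def domain_matches(name, ioc_domain):
    """True if name equals the IOC domain or is a subdomain of it
    (case-insensitive, trailing dot from DNS logs ignored)."""
    name = name.lower().rstrip(".")
    return name == ioc_domain or name.endswith("." + ioc_domain)

def match_line(line):
    """Return a list of (field, value, label) hits for one log line."""
    hits = []
    for key, value in KV_RE.findall(line):
        try:  # IP fields: canonicalise, then exact match
            ip = str(ipaddress.ip_address(value))
        except ValueError:
            ip = None
        if ip in IOC_IPS:
            hits.append((key, ip, IOC_IPS[ip]))
            continue
        for dom, label in IOC_DOMAINS.items():  # hostname-like fields
            if domain_matches(value, dom):
                hits.append((key, value, label))
    return hits

def scan_logs(lines):
    """Map line index -> hits for every line containing at least one IOC."""
    return {i: h for i, line in enumerate(lines) if (h := match_line(line))}
```

Subdomain matching (www.booking-secure-deals.net) and DNS-style trailing dots are handled so that trivial variations of a listed domain are not missed.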


XII. CONTACT INFORMATION

For further inquiries or guidance regarding this report, please contact the Meraal Cyber Security (MCS) Threat Intelligence Team.

Note on Sources and Intelligence: This report synthesizes information from various credible sources, including public advisories from organizations like CISA, MITRE, and MS-ISAC, alongside internal analysis and emerging threat intelligence. Efforts have been made to differentiate between confirmed intelligence and speculative or unverified information to maintain accuracy and credibility.
