Weekly Cybersecurity Threat Advisory

Threat Landscape Summary (June 9 – June 16, 2025)

I. EXECUTIVE SUMMARY

This report analyzes the cybersecurity threat landscape observed between June 9 and June 16, 2025. This week was marked by the active exploitation of a zero-day vulnerability in widely used remote management software, a significant number of critical patches from Microsoft, and continued ransomware campaigns targeting critical infrastructure.

Key Highlights:

  • Microsoft’s June 2025 Patch Tuesday: Released fixes for 66 vulnerabilities, including nine rated as critical. A key vulnerability, CVE-2025-33053, affecting the WebDAV protocol, is confirmed to be actively exploited in the wild, posing a significant remote code execution (RCE) risk.
  • Ransomware Groups Exploit SimpleHelp RMM: CISA issued a critical alert regarding ransomware groups, including Play and DragonForce, exploiting vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) software. These attacks target managed service providers (MSPs) and their downstream customers, including utility providers.
  • Rise of New Malware Strains: A new Rust-based infostealer named Myth Stealer gained traction, distributed via fraudulent gaming websites. Additionally, a new ransomware variant, SafeLocker, has emerged, targeting enterprise Windows environments.
  • Supply Chain Attacks Intensify: Multiple significant breaches originated from third-party service providers, including incidents affecting Adidas, Ascension, Harbin Clinic, and Catholic Health, underscoring the interconnectedness of modern digital ecosystems.
  • NPM Registry Compromise: 60 malicious packages were discovered containing data theft scripts, targeting developer environments and exploiting the inherent trust in package managers for malware distribution.


II. CURRENT THREAT LANDSCAPE

Key Observations:

  • Ransomware-as-a-Service (RaaS) Focus on Supply Chain: The trend of targeting third-party software and service providers continues to be a primary vector for widespread attacks. The exploitation of RMM tools like SimpleHelp demonstrates that compromising a single provider can grant attackers access to dozens of victim networks, amplifying their impact.
  • Targeting of Critical Infrastructure & Manufacturing: Threat actors are showing a sustained focus on the manufacturing sector and other critical infrastructure. Dragos Intelligence reported that 68% of all industrial ransomware incidents in Q1 2025 affected manufacturing companies, a trend that continues into the current quarter.
  • Evasion Through Legitimate Tools: Attackers are increasingly abusing legitimate services and tools to evade detection. The Chinese state-sponsored group MISSION2025 (APT41) has been observed using legitimate cloud services like Google Calendar and Drive for command-and-control (C2) communications, blending their malicious traffic with normal enterprise activity.
  • Enhanced Ransomware Capabilities: Ransomware attacks have increased within critical infrastructure sectors, demonstrating enhanced evasion techniques and rapid encryption capabilities.
  • Remote Work Environment Targeting: As remote and hybrid work models become more prevalent, threat actors are increasingly focusing on vulnerabilities within home networks and personal devices.

Supply Chain and Cloud Security Risks:

Third-Party Vendor Vulnerabilities: Multiple significant breaches originated from third-party service providers:

  • Adidas: A customer service provider compromise led to data exposure
  • Ascension: A former partner’s software vulnerability was exploited
  • Harbin Clinic: A breach occurred through their debt collection agency, NRS
  • Catholic Health: Affected by a Serviceaide database misconfiguration

Software Supply Chain Threats:

  • NPM Registry Compromise: 60 malicious packages containing data theft scripts targeting developer environments
  • Cloud Infrastructure: Serviceaide’s misconfigured Elasticsearch database highlights the critical importance of secure cloud configuration and management


III. NOTABLE INCIDENTS AND DATA BREACHES

This week saw a significant number of publicly disclosed breaches, many attributed to the Qilin ransomware group. The targeting spans multiple sectors, from professional services to healthcare and manufacturing, underscoring the broad threat posed by active RaaS operations.

Comprehensive Incident Summary Table

Date Disclosed | Incident/Threat Actor | Affected Organization(s) | Impact
--- | --- | --- | ---
June 10, 2025 | Ransomware Attack | Healthcare Provider | Data encryption, service disruption
June 12, 2025 | Data Breach (Third-Party Vendor) | Financial Institution | Customer data exposure
June 13, 2025 | Qilin Ransomware | ApolloMD (Healthcare) | Data exfiltration and encryption of a major US-based multispecialty medical practice
June 13, 2025 | Qilin Ransomware | Aitkin Public Schools | Ransomware attack impacting school district operations and potentially exposing student/staff data
June 13, 2025 | Ransomware (unspecified) | Utility Billing Software Provider | Multiple customers compromised via SimpleHelp RMM software vulnerability
June 13, 2025 | WorldLeaks Group | A&R Engineering | Data breach and leak impacting an engineering firm
June 14, 2025 | Supply Chain Attack | Software Company | Malicious code injection, intellectual property theft


IV. CRITICAL VULNERABILITIES AND CVEs

Microsoft’s June 2025 Patch Tuesday addressed numerous high-impact vulnerabilities. Organizations are urged to prioritize the deployment of these patches, with special attention to the actively exploited CVE.

High-Priority Vulnerabilities Table

CVE ID | Description | CVSS Score | Mitigation / Action
--- | --- | --- | ---
CVE-2025-33053 | Web Distributed Authoring and Versioning (WebDAV) Remote Code Execution Vulnerability. An unauthenticated attacker can execute arbitrary code on an affected server. (Actively Exploited) | 8.8 (High) | Apply June 2025 Microsoft security updates immediately. Prioritize internet-facing WebDAV servers (e.g., IIS). Added to CISA KEV Catalog.
CVE-2025-47966 | Microsoft Power Automate Privilege Escalation Vulnerability. An attacker can exploit sensitive information leakage to gain elevated privileges on the network. | 9.8 (Critical) | Apply June 2025 Microsoft security updates.
CVE-2025-29828 | Windows Schannel (TLS/SSL) Remote Code Execution Vulnerability. An unauthenticated attacker can achieve RCE by sending specially crafted ClientHello messages to a vulnerable server. | 8.1 (High) | Apply June 2025 Microsoft security updates.
CVE-2025-33070 | Windows Netlogon Privilege Escalation Vulnerability. An unauthenticated attacker can gain domain administrator privileges by exploiting uninitialized resources in the Netlogon service. | 8.1 (High) | Apply June 2025 Microsoft security updates.
CVE-2025-32433 | Erlang/OTP SSH Server Missing Authentication | High | Remediate promptly – Added to CISA KEV Catalog
CVE-2024-42009 | RoundCube Webmail Cross-Site Scripting | Medium | Remediate promptly – Added to CISA KEV Catalog
CVE-2025-24016 | Wazuh Server Deserialization of Untrusted Data | High | Remediate promptly – Added to CISA KEV Catalog

Source: CISA, Microsoft Security Response Center (MSRC)

V. THREAT ACTOR ACTIVITIES

  • MISSION2025 (APT41): This highly active Chinese state-sponsored group continues its campaign targeting manufacturing, aerospace, defense, and other critical sectors aligned with China’s strategic interests. Their latest TTPs involve using spearphishing with malicious LNK files and abusing Google cloud services for C2 to bypass security controls. Their operational tempo has reportedly increased in Q2 2025.
  • Qilin Ransomware: This group was highly active this week, claiming responsibility for numerous attacks across various industries. They operate a sophisticated RaaS platform, enabling affiliates to launch double-extortion attacks, where data is both encrypted and exfiltrated.
  • DarkGaboon: A newly identified, Russian-speaking group has been observed targeting Russian companies with a leaked variant of the LockBit 3.0 ransomware. While their current focus is regional, their use of open-source tools and phishing makes their TTPs easily adaptable for wider targeting.
  • State-Sponsored APT Groups: Continued sophisticated targeting of critical infrastructure, government entities, and defense sectors with advanced persistent threats (APTs), including supply chain compromise, zero-day exploitation, and long-term espionage campaigns.
  • Cybercrime Syndicates: Increased focus on ransomware-as-a-service (RaaS) operations, data exfiltration for extortion, and financial fraud, with highly adaptable tactics.

VI. MALWARE SPOTLIGHTS

  • Myth Stealer: A new information stealer written in the Rust programming language. It is primarily distributed through fake gaming websites and Discord, disguised as cheat tools or beta versions of games. Once executed, it steals a wide range of data, including browser credentials, cryptocurrency wallet information, and system details. Its authors are actively developing it, adding features to evade antivirus detection.
  • SafeLocker Ransomware: A new ransomware strain discovered on underground forums. It targets Windows systems, encrypting files and appending a .8xUsq62 extension. It drops a ransom note named OpenMe.txt and demands payment in Bitcoin. Its emergence signifies the continued innovation and splintering within the ransomware ecosystem.
  • New Variant of Emotet: A highly evasive and modular malware, observed distributing banking trojans and ransomware. Its updated obfuscation techniques make detection challenging.
  • Rise of Infostealer X: A novel information-stealing malware targeting credentials, cryptocurrency wallets, and sensitive documents. It leverages sophisticated anti-analysis techniques to evade security solutions.
  • Evolution of BlackCat/ALPHV Ransomware: This ransomware group continues to refine its tactics, including double extortion schemes and targeting Linux-based systems.

VII. RECOMMENDATIONS

For Technical Audiences:

Immediate Actions (Next 24-48 Hours):

  • Patch Critical Vulnerabilities: Prioritize the deployment of patches for CVE-2025-33053 on all internet-facing Microsoft servers. Expedite patching for all other critical vulnerabilities released in the June 2025 updates.
  • Audit Remote Access Software: Immediately identify any instances of SimpleHelp RMM software in your environment, including those bundled with third-party applications. If versions 5.5.7 or earlier are found, update immediately or isolate the systems if a patch cannot be applied.
  • Scan for IOCs: Ingest the IOCs provided in the appendix into your SIEM, EDR, and threat intelligence platforms to hunt for related activity.
  • Conduct security audits of cloud configurations: Regularly review and audit cloud environments to identify and remediate misconfigurations.
  • Isolate and segment critical systems: Implement network segmentation to limit lateral movement of attackers.
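One way to carry out the SimpleHelp audit above against an exported software inventory, as an added example that is not from the advisory or from SimpleHelp: it assumes a (host, product, version) record format and compares versions numerically, so that 5.5.10 is correctly treated as newer than 5.5.7, which a plain string comparison would get wrong.

```python
import re
from typing import NamedTuple

# Added example: versions at or below this are treated as affected, per the advisory.
LAST_AFFECTED = (5, 5, 7)

class Finding(NamedTuple):
    host: str
    product: str
    version: str
    action: str

def parse_version(text: str) -> tuple:
    """Turn '5.5.7', '5.5.7-hotfix' or 'v5.5.10' into a comparable int tuple."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(n) for n in nums[:3])
    return parts + (0,) * (3 - len(parts))  # pad so '5.5' compares as 5.5.0

def is_simplehelp(product: str) -> bool:
    # Also catches bundled or renamed installs ("SimpleHelp Remote Access", etc.).
    return "simplehelp" in product.replace(" ", "").lower()

def triage(inventory):
    findings = []
    for host, product, version in inventory:
        if not is_simplehelp(product):
            continue
        try:
            affected = parse_version(version) <= LAST_AFFECTED
        except ValueError:
            affected = True  # unknown version: treat as affected until verified
        action = "UPDATE OR ISOLATE" if affected else "ok: newer than 5.5.7"
        findings.append(Finding(host, product, version, action))
    return findings

# Constructed sample inventory (hostnames, product names and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-01", "SimpleHelp Remote Access", "5.5.7"),
    ("ws-02", "SimpleHelp Remote Access", "5.5.10"),
    ("ws-03", "Utility Billing Suite (SimpleHelp bundled)", "5.4.2"),
    ("ws-04", "7-Zip", "24.08"),
    ("ws-05", "SimpleHelp Technician", "unknown"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.host:6} {f.product:45} {f.version:8} {f.action}")
```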

Strategic Improvements:

  • Harden RMM and Third-Party Tools: Implement strict access controls, multi-factor authentication (MFA), and outbound traffic monitoring for all third-party management tools.
  • Review Supply Chain Security: Re-evaluate the security posture of critical vendors and MSPs. Ensure they have robust vulnerability management programs and establish a comprehensive Third-Party Risk Management (TPRM) program.
  • Enhance Email Security: Configure email gateways to block or quarantine LNK files and other uncommon attachment types used by groups like MISSION2025.
  • Implement advanced threat detection and response solutions: Deploy EDR and SIEM solutions to improve threat visibility and accelerate incident response.

For Non-Technical Audiences:

1. Security Awareness:

  • Vigilance Against Phishing: Exercise extreme caution with unsolicited emails, especially those creating a sense of urgency or offering unexpected game downloads or software tools. Do not open attachments or click links from unknown senders.
  • Verify Authenticity: If an email appears to be from a known contact but seems unusual, verify it through a separate communication channel (e.g., a phone call).
  • Strong Password Practices: Use strong, unique passwords for every account and enable Multi-Factor Authentication (MFA) wherever possible.
  • Secure Browsing Practices: Be mindful of websites visited and information shared online. Avoid clicking on suspicious pop-ups or downloading files from untrusted sources.

2. Incident Response Preparedness:

  • Know How to Report: Ensure all employees know how to immediately report suspicious emails or computer behavior to the IT or Security department.
  • Data Backups: Understand the importance of regular, offline backups. This is the most effective defense against data loss from a ransomware attack.
  • Understanding Security Policies: Familiarize yourself with organizational security policies and guidelines, including data handling procedures and acceptable use policies.

VIII. ANALYST NOTES

  • Confirmed Intelligence: The exploitation of CVE-2025-33053 is confirmed by CISA and Microsoft. The link between SimpleHelp vulnerabilities and ransomware attacks is also confirmed.
  • Emerging Threats: The Myth Stealer and SafeLocker malware families are new and evolving. We assess with high confidence that their use will grow as their developers refine them and build distribution networks.
  • Insight: The convergence of supply chain attacks (SimpleHelp RMM) and the use of legitimate services for C2 (APT41) highlights a significant trend. Attackers are successfully turning trusted infrastructure against their targets. This necessitates a shift towards a Zero Trust security model, where no connection or application is implicitly trusted, regardless of its origin.
  • Trend Analysis: The convergence of various attack vectors, such as ransomware, supply chain exploitation, and social engineering, suggests a need for integrated defense strategies rather than siloed security measures.
  • AI Evolution: The rapid evolution of AI-powered tools for both offense and defense is likely to reshape the cybersecurity landscape, requiring continuous adaptation and innovation in security practices.


IX. THREAT INDICATOR APPENDIX

This appendix contains technical indicators associated with threats discussed in this report. These should be used to enhance defensive measures.

Confirmed Indicators:

Indicator Type | Indicator | Associated Threat
--- | --- | ---
Malware | Myth Stealer | Various Hashes (contact MCS for latest list)
Malware | SafeLocker Ransomware | Filename: OpenMe.txt, Extension: .8xUsq62
Vulnerability | CVE-2025-33053 | Microsoft WebDAV
Threat Actor TTP | MISSION2025 (APT41) | Inbound traffic from unknown sources to Google Calendar/Drive APIs, LNK files in ZIP archives from external sources
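The file-based indicators above (the SafeLocker ransom note and extension, and LNK files inside ZIP archives) can be hunted across a file share with a short script. This is an added example, not part of the advisory; the directory tree and the ZIP it scans are constructed inside the block.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path
# Added example. Indicators come from the appendix; everything scanned is constructed.
RANSOM_NOTE = "openme.txt"    # SafeLocker ransom note, matched case-insensitively
ENCRYPTED_EXT = ".8xusq62"    # extension SafeLocker appends to encrypted files

def zip_lnk_members(data: bytes) -> list:
    """Names of .lnk entries inside a ZIP (any folder depth); [] if not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(".lnk")]
    except zipfile.BadZipFile:
        return []

def hunt(root: str) -> dict:
    """Walk root and bucket each hit under the indicator it matched."""
    hits = {"ransom_note": [], "encrypted_file": [], "lnk_in_zip": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            low = name.lower()
            if low == RANSOM_NOTE:
                hits["ransom_note"].append(path)
            elif low.endswith(ENCRYPTED_EXT):
                hits["encrypted_file"].append(path)
            elif low.endswith(".zip"):
                with open(path, "rb") as fh:
                    for member in zip_lnk_members(fh.read()):
                        hits["lnk_in_zip"].append(f"{path}!{member}")
    return hits

def build_sample_tree() -> str:
    """Constructed share: one 'encrypted' document, a ransom note, a LNK-bearing ZIP."""
    root = Path(tempfile.mkdtemp(prefix="ioc_hunt_"))
    docs = root / "share" / "finance"
    docs.mkdir(parents=True)
    (docs / "Q2-budget.xlsx.8xUsq62").write_bytes(b"constructed ciphertext stand-in")
    (docs / "OpenMe.txt").write_text("constructed ransom note")
    (docs / "notes.txt").write_text("benign file, must not be flagged")
    with zipfile.ZipFile(root / "share" / "invoice.zip", "w") as zf:
        zf.writestr("invoice/Invoice_June.pdf.lnk", b"constructed, not a real LNK")
        zf.writestr("invoice/readme.txt", b"benign")
    return str(root)

if __name__ == "__main__":
    for kind, paths in hunt(build_sample_tree()).items():
        print(f"{kind}: {paths}")
```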

X. CONTACT INFORMATION

For further inquiries or guidance regarding this report, please contact the Meraal Cyber Security (MCS) Threat Intelligence Team.

Note on Sources and Intelligence: This report synthesizes information from various credible sources, including public advisories from organizations like CISA, MITRE, and MS-ISAC, alongside internal analysis and emerging threat intelligence. Efforts have been made to differentiate between confirmed intelligence and speculative or unverified information to maintain accuracy and credibility.
