Weekly Cybersecurity Threat Advisory

Threat Landscape Summary (June 16 – June 23, 2025)

I. EXECUTIVE SUMMARY

The week of June 16 to June 23, 2025, was quite busy in the world of cybersecurity. We saw a lot of serious incidents and new, clever ways that cybercriminals are trying to break into systems. Here’s a quick rundown of the main things we noticed:

Key Highlights

  • Massive Data Leaks: An alarming discovery this week revealed billions of login credentials, primarily sourced from personal devices infected with “infostealer” malware. This highlights a pervasive issue where individual compromises collectively form a vast repository of exposed sensitive data, significantly increasing the risk of widespread account takeovers and credential stuffing attacks across various online services.
  • Destructive Ransomware: The emergence of “Anubis” ransomware, notably equipped with a “wiper” capability, signals a concerning escalation in ransomware tactics. This dual threat can not only encrypt critical files for ransom but also permanently erase them, rendering recovery impossible even if a payment is made. This aggressive approach, alongside continued double extortion activities by groups like Chaos, demands a re-evaluation of current data resilience and incident response strategies.
  • Actively Exploited Vulnerabilities: The period saw active exploitation of both newly discovered “zero-day” vulnerabilities (affecting high-profile systems like Apple iOS and Microsoft WebDAV) and older, well-known weaknesses (such as those in Linux Kernels and End-of-Life TP-Link routers). This persistent exploitation underscores the critical importance of immediate and thorough patching, as well as a robust vulnerability management program that extends to all devices, regardless of age or perceived criticality.
  • Geopolitical Cyber Warfare: Cyber warfare continued to be a prominent feature of the global landscape, with nation-state actors consistently leveraging sophisticated cyberattacks for political motivations. Incidents such as the Iran-linked attack on Albania’s capital, Tirana, demonstrated direct impacts on government services and citizen data, emphasizing the increasing role of cyberspace as a theater for international conflict and its direct consequences on critical infrastructure worldwide.
  • AI-Augmented Threats: Threat actors are increasingly integrating Artificial Intelligence (AI) into their operations to enhance the sophistication and evasiveness of their attacks. This includes using AI to refine malware (as seen with ScopeCreep’s development by Russian-linked hackers) and to craft more convincing and personalized social engineering lures (like those observed in BrowserVenom campaigns). This trend presents new challenges for defenders, necessitating accelerated investment in AI-driven security tools and the implementation of AI security guardrails.

II. GLOBAL CYBER THREAT LANDSCAPE OVERVIEW

Key Observations:

  • The Ransomware-as-a-Service (RaaS) model continues to expand, facilitating new actor entry and offering destructive capabilities (e.g., Anubis’s wiper mode).
  • There is a persistent focus on critical infrastructure sectors and entities handling sensitive data, making them prime targets for both financial gain and disruption.
  • Techniques for evasion, data exfiltration, and rapid encryption are being enhanced, with new malware families incorporating sophisticated anti-analysis and persistence mechanisms.
  • Mobile devices are increasingly targeted with “zero-click” spyware (Graphite), while proxyware such as BrowserVenom hijacks browser traffic on infected endpoints.

Supply Chain and Cloud Security Risks:

  1. Third-Party Vendor Vulnerabilities:
    • Adidas: Exposed customer contact details after a compromise of a third-party customer service provider.
    • Commvault (Metallic): CISA warned that threat actors may have accessed client secrets for Commvault’s Metallic Microsoft 365 backup SaaS solution hosted in Azure; the activity was attributed to a nation-state actor.
    • Managed Service Providers (MSPs): The DragonForce ransomware group exploited vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) software to breach MSPs and then attack their clients.
  2. Software Supply Chain Threats:
    • Water Curse Group: Used weaponized GitHub repositories to deliver multi-stage malware through malicious Visual Studio project files, targeting developers, red teams, and gamers.
    • Wazuh: A critical vulnerability (CVE-2025-24016) in Wazuh (a security monitoring platform) was actively exploited by Mirai botnets, a reminder that security tools themselves are exposed attack surface.
    • Secure Boot Bypass: A critical Secure Boot bypass (CVE-2025-3052), affecting nearly every PC that trusts the Microsoft UEFI CA 2011, stems from a vulnerable but legitimately signed BIOS update utility; it lets Secure Boot be disabled before the OS loads, enabling highly persistent bootkits.
  3. Cloud Infrastructure Implications:
    • Beyond the Commvault incident, CISA alerts highlight broader SaaS attacks targeting cloud infrastructures with default settings and high permissions.
    • Organizations must meticulously review application registrations, service principals, and audit logs in cloud environments (e.g., Microsoft Entra) for misconfigurations or unusual activity.
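
The Wazuh entry above is an insecure deserialization flaw. The following is an added illustration written for this advisory, not Wazuh’s code: a generic re-creation of the anti-pattern in which a decoder reconstructs an exception object from a class name supplied by the remote peer (here under a hypothetical `__unhandled_exc__` key), shown next to an allowlist-based decoder. Both payloads are constructed, and the “hostile” one uses a harmless expression to stand in for arbitrary code.

```python
"""Insecure deserialization pattern next to a hardened decoder.

Generic illustration, not Wazuh's code. A message may carry a serialized
exception under "__unhandled_exc__" (assumed key name); the unsafe decoder
rebuilds it from a sender-controlled class name.
"""
import json

# Only exception types the peer is allowed to raise on our side (assumed set).
ALLOWED_EXCEPTIONS = {
    "ValueError": ValueError,
    "KeyError": KeyError,
    "TimeoutError": TimeoutError,
}

# Constructed payloads.
BENIGN = json.dumps({"__unhandled_exc__": {"__class__": "ValueError",
                                           "__args__": ["index out of range"]}})
# Harmless stand-in for arbitrary code: any Python expression would do here.
HOSTILE = json.dumps({"__unhandled_exc__": {"__class__": "__import__('os').getpid",
                                            "__args__": []}})


def decode_unsafe(payload: str):
    """Anti-pattern: the class is resolved by evaluating sender-controlled
    text, so any Python expression runs during decoding."""
    obj = json.loads(payload)
    if isinstance(obj, dict) and "__unhandled_exc__" in obj:
        exc = obj["__unhandled_exc__"]
        return eval(exc["__class__"])(*exc["__args__"])
    return obj


def decode_safe(payload: str):
    """Hardened: the class name is only a key into an allowlist, arguments are
    coerced to plain strings, and anything else is rejected."""
    obj = json.loads(payload)
    if isinstance(obj, dict) and "__unhandled_exc__" in obj:
        exc = obj["__unhandled_exc__"]
        cls = ALLOWED_EXCEPTIONS.get(exc.get("__class__")) if isinstance(exc, dict) else None
        args = exc.get("__args__") if isinstance(exc, dict) else None
        if cls is None or not isinstance(args, list):
            raise ValueError("rejected untrusted exception spec")
        return cls(*[str(a) for a in args])
    return obj


def safe_rejects(payload: str) -> bool:
    """True when the hardened decoder refuses the message outright."""
    try:
        decode_safe(payload)
    except ValueError as err:
        return str(err).startswith("rejected")
    return False


if __name__ == "__main__":
    print("unsafe decoder ran attacker expression:", decode_unsafe(HOSTILE))
    print("safe decoder rejected it:", safe_rejects(HOSTILE))
```

The unsafe decoder turns the hostile message into a call to `os.getpid`; in a real deployment the expression would be anything the sender chooses. The safe decoder only ever instantiates one of the allowlisted types.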

III. NOTABLE INCIDENTS AND DATA BREACHES

The week saw several significant data exfiltration incidents and high-profile breaches, attracting public and media attention, and emphasizing the ongoing challenges in data protection.

  • 16 Billion Login Credentials Leak: An aggregation of stolen credentials from infostealer malware on personal devices.
  • Optima Tax Relief: Suffered a major data breach and 69 GB corporate/customer file leak by the Chaos ransomware gang.
  • 23andMe: Continued fallout from a prior breach, with nearly 156,000 UK users’ personal and health data compromised.
  • Texas Department of Transportation (TxDOT): Account compromise led to the leak of nearly 300,000 crash records, including sensitive personal data.
  • Sensata Technologies: Experienced a ransomware-related data breach, exposing PII/PHI of 15,630 current and former employees and their families.
  • Yes24 (South Korea): A ransomware attack caused a 4-day service outage for the ticketing platform, disrupting K-pop events.
  • United Natural Foods (UNFI): A cyberattack disrupted order processing and fulfillment, leading to grocery shortages in the supply chain.
  • Tirana City Government (Albania): Cyberattack by Iran-linked “Homeland Justice” paralyzed municipal services and leaked data of ~800,000 residents.
  • DDoS Attacks: Tageblatt (Luxembourg newspaper) and Paris Air Show websites were hit by Distributed Denial of Service attacks.

IV. COMPREHENSIVE INCIDENT SUMMARY TABLE

Date | Incident/Type | Affected Organization/Target | Key Impact | Threat Actor (if known)
---- | ------------- | ---------------------------- | ---------- | -----------------------
June 18–19 | Data Leak (Infostealer) | 16 Billion Login Credentials (Aggregate) | 16 billion credentials leaked from personal devices (Apple ID, Google, Facebook, etc.) | Infostealer Malware
June 16 | Ransomware, Data Leak | Optima Tax Relief (U.S.) | 69 GB corporate and customer case files leaked | Chaos Ransomware Gang
March 28 – April 6 | Ransomware, Data Breach | Sensata Technologies | 15,630 individuals’ PII/PHI leaked (SSNs, financial, medical) | Unidentified
June 13 | Cyber Incident | WestJet (Canada) | Intermittent app/website interruptions, internal systems affected | Unspecified
June 16 | DDoS Attack | Tageblatt (Luxembourg) | Website unavailable | Unidentified
June 16 | DDoS Attack | Paris Air Show Website (France) | Website unavailable | Unidentified
June 21 | Cyberattack | Tirana City Government (Albania) | Municipal services paralyzed, server login credentials and ~800K residents’ details leaked | Homeland Justice (Iran-linked)
June 2025 | Cyberattack | North Delhi Hospitals (India) | Unspecified disruption to two hospitals | Unidentified
June 2025 | Cyber Incident | Radford City Public Schools (Virginia, USA) | Unspecified disruption | Unidentified
June 16 | Claimed Breach | Bank Sepah (Iran) | Claimed breach amid military escalation | Pro-Israel hackers


V. CURRENT THREAT LANDSCAPE ANALYSIS

Emerging Trends:

  • Increased Targeting of Remote Work Environments: The prevalence of infostealer malware affecting personal devices highlights the extended attack surface posed by remote work. As organizations continue to adopt hybrid or fully remote models, the perimeter extends to less controlled home networks and personal devices, which may lack enterprise-grade security controls. This creates new entry points for attackers to compromise corporate credentials and access internal systems.
  • Noteworthy Upticks in Social Engineering Attacks: Many incidents, including Microsoft WebDAV RCE exploitation and BrowserVenom distribution, relied on social engineering to trick users. Attackers are increasingly sophisticated in their psychological manipulation, using tactics like highly personalized phishing (spear phishing), baiting with enticing content (e.g., fake AI platforms), and pretexting (impersonating trusted individuals or entities) to bypass technical defenses and exploit human trust.
  • AI as a Dual-Use Tool: Generative AI is being leveraged by attackers to refine malware (e.g., ScopeCreep) and craft more convincing social engineering lures, while also posing new challenges for defenders to implement AI security guardrails. AI can automate reconnaissance, generate polymorphic malware variants that evade detection, create deepfake audio/video for highly credible phishing campaigns, and even help in exploiting vulnerabilities by identifying patterns in code. For defenders, this necessitates investing in AI-driven security tools and developing new frameworks to secure AI models themselves from adversarial attacks.
  • Focus on OT/ICS: CISA’s continued ICS advisories underscore the critical and ongoing vulnerabilities in industrial control systems. These operational technology (OT) and industrial control systems (ICS) environments, often found in critical infrastructure sectors like energy, water, and manufacturing, are increasingly attractive targets due to their potential for high-impact physical disruption, safety incidents, and widespread economic consequences. Many ICS/OT systems use legacy software and hardware that are difficult to patch, making them inherently vulnerable.
  • Persistent Supply Chain Compromise: Attacks on third-party vendors and software supply chains (e.g., Water Curse, MSPs via SimpleHelp RMM) remain a high-impact vector. By compromising a single trusted link in the supply chain (e.g., a software vendor, a managed service provider, or an open-source library), attackers can gain access to multiple downstream organizations. This approach maximizes an attacker’s reach and impact, making it a highly efficient method for large-scale breaches and disruptions.
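
The first trend above (infostealer-harvested credentials being replayed against corporate accounts) is usually visible in authentication logs before it is visible anywhere else. The following is an added example written for this advisory, not tooling from the report or any vendor: a small detector that flags a source IP which, inside a sliding window, tries many distinct usernames with a high failure rate, and reports any account that then logged in successfully from that IP as a probable takeover. The log format (JSON lines with `ts`, `src_ip`, `user`, `result`) and the sample events are constructed.

```python
"""Flag credential-stuffing activity in an authentication log.

Added example; input is assumed to be JSON lines with ts, src_ip, user and
result ("success" or "fail"). The sample below is constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one IP sprays seven usernames in a few seconds and
# lands on one of them; a second IP is one user mistyping a password; a
# third IP is ordinary successful logins.
SAMPLE_LOG = """\
{"ts": "2025-06-18T10:00:01Z", "src_ip": "203.0.113.7", "user": "alice", "result": "fail"}
{"ts": "2025-06-18T10:00:02Z", "src_ip": "203.0.113.7", "user": "bob", "result": "fail"}
{"ts": "2025-06-18T10:00:03Z", "src_ip": "203.0.113.7", "user": "carol", "result": "fail"}
{"ts": "2025-06-18T10:00:04Z", "src_ip": "203.0.113.7", "user": "dave", "result": "fail"}
{"ts": "2025-06-18T10:00:05Z", "src_ip": "203.0.113.7", "user": "erin", "result": "fail"}
{"ts": "2025-06-18T10:00:06Z", "src_ip": "203.0.113.7", "user": "frank", "result": "fail"}
{"ts": "2025-06-18T10:00:07Z", "src_ip": "203.0.113.7", "user": "gina", "result": "fail"}
{"ts": "2025-06-18T10:00:08Z", "src_ip": "203.0.113.7", "user": "frank", "result": "success"}
{"ts": "2025-06-18T10:05:00Z", "src_ip": "198.51.100.2", "user": "alice", "result": "fail"}
{"ts": "2025-06-18T10:05:09Z", "src_ip": "198.51.100.2", "user": "alice", "result": "fail"}
{"ts": "2025-06-18T10:05:20Z", "src_ip": "198.51.100.2", "user": "alice", "result": "success"}
{"ts": "2025-06-18T10:06:00Z", "src_ip": "192.0.2.9", "user": "bob", "result": "success"}
{"ts": "2025-06-18T10:07:00Z", "src_ip": "192.0.2.9", "user": "carol", "result": "success"}
"""


def parse_events(log_text):
    """Parse JSON-lines auth events and group them per source IP, time-ordered."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        by_ip[ev["src_ip"]].append(ev)
    for events in by_ip.values():
        events.sort(key=lambda e: e["ts"])
    return by_ip


def detect_credential_stuffing(log_text, window=timedelta(minutes=10),
                               min_users=5, min_fail_rate=0.8):
    """Return {src_ip: finding} for IPs that, inside any sliding window, tried
    at least min_users distinct accounts with a failure rate of at least
    min_fail_rate. Accounts that logged in successfully from such an IP are
    reported under compromised_users."""
    alerts = {}
    for ip, events in parse_events(log_text).items():
        start = 0
        for end in range(len(events)):
            # Advance the window start until the window spans at most `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            win = events[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if e["result"] == "fail")
            if len(users) < min_users or fails / len(win) < min_fail_rate:
                continue
            hit = alerts.setdefault(ip, {"distinct_users": 0, "attempts": 0,
                                         "compromised_users": set()})
            hit["distinct_users"] = max(hit["distinct_users"], len(users))
            hit["attempts"] = max(hit["attempts"], len(win))
            hit["compromised_users"] |= {e["user"] for e in win
                                         if e["result"] == "success"}
    for hit in alerts.values():
        hit["compromised_users"] = sorted(hit["compromised_users"])
    return alerts


if __name__ == "__main__":
    for ip, hit in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, hit)
```

The thresholds (five users, 80 % failures, ten minutes) are starting points; the point of the sliding window is that a low-and-slow spray distributed across many IPs will not trip this rule, so the same logic is worth running keyed on username rather than source IP as well.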

VI. CRITICAL VULNERABILITIES AND CVEs

CVE ID | Product/Service | Description | Severity | Exploitation Status | Recommended Action
------ | --------------- | ----------- | -------- | ------------------- | ------------------
CVE-2025-43200 | Apple iOS/iPadOS (and other Apple platforms) | Logic issue when processing a maliciously crafted photo or video shared via an iCloud Link; exploited zero-click by Paragon’s Graphite spyware. | Critical | Actively Exploited (Zero-Day) | Update to iOS/iPadOS 18.3.1 or later. Deploy Mobile Threat Defense (MTD) on managed devices.
CVE-2023-33538 | TP-Link TL-WR940N, TL-WR841N, TL-WR740N (EoL models) | Command injection via the /userRpm/WlanNetworkRpm component. | High | Actively Exploited (CISA KEV) | No vendor patch will be issued: replace the End-of-Life devices, and segment them off the network until they are gone.
CVE-2023-0386 | Linux Kernel (OverlayFS subsystem) | Improper ownership handling when copying files between mounts allows a local user to escalate to root. | High | Actively Exploited (CISA KEV) | Run kernel 6.2-rc6 or later, or a distribution kernel with the backported fix. Monitor for privilege escalation attempts.
CVE-2025-33053 | Microsoft WebDAV | Remote Code Execution triggered when a user opens a crafted shortcut pointing at an attacker-controlled WebDAV server; delivered by social engineering. | Important | Actively Exploited (Zero-Day) | Apply the June 2025 Microsoft patches immediately. Enhance endpoint protection and user awareness training.
CVE-2025-33073 | Windows SMB Client | Elevation of Privilege: a malicious script coerces the victim machine into an SMB connection to an attacker host (NTLM relay/reflection). | Important | Publicly Disclosed | Apply Microsoft patches immediately; enforce SMB signing where feasible.
CVE-2025-33070 | Windows Netlogon | Elevation of Privilege; successful exploitation can yield domain administrator privileges. | Critical | Exploitation More Likely | Apply Microsoft patches immediately. Secure Active Directory with strong access controls and regular auditing.
CVE-2025-47162, -47164, -47167, -47953 | Microsoft Office | Remote Code Execution; the Preview Pane is an attack vector, so the document does not need to be opened. | Critical | Exploitation More Likely | Apply Microsoft patches immediately. Strengthen email/document security with sandboxing and advanced threat protection.
CVE-2025-3052 | Secure Boot (Microsoft UEFI CA 2011) | Bypass via a vulnerable, legitimately signed BIOS update utility. | Critical | Disclosed/Patched | Apply the June 2025 Microsoft updates, which add the vulnerable module hashes to the dbx revocation list, and verify that dbx actually updated. Focus on firmware and hardware integrity.
CVE-2025-23121 | Veeam Backup & Replication | Remote Code Execution (bypass of a prior patch): any authenticated domain user can run code on a domain-joined backup server. | Critical | Actively Exploited | Upgrade to Veeam Backup & Replication 12.3.2 or later immediately. Keep backup servers off the production domain and isolated.
CVE-2025-24016 | Wazuh (versions 4.4.0–4.9.0) | Insecure deserialization in the distributed API leading to RCE. | Critical | Actively Exploited (Mirai botnets) | Update Wazuh to 4.9.1 or later. Hold security tooling to the same hardening and exposure standards as any other service.
CVE-2023-28771 | Zyxel firewalls/VPN (IKE packet decoder) | Unauthenticated Remote Code Execution via crafted IKE packets to UDP port 500. | High | Actively Exploited | Apply firmware patches. Restrict WAN exposure of VPN (UDP 500) and management services and segment perimeter devices.
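
The Secure Boot row above says to revoke the vulnerable hashes, and “patch applied” is not the same as “dbx updated”: the revocation only takes effect once the hash is actually in the firmware’s forbidden-signature database. The following is an added example written for this advisory, not Microsoft’s or the researchers’ tooling: a parser for the EFI_SIGNATURE_LIST layout that dbx uses (from the UEFI specification), with a check for whether a given SHA-256 hash is present. The dbx blob in it is constructed, so the hashes are placeholders rather than the real CVE-2025-3052 revocation entries; take those from the vendor advisory.

```python
"""Check whether a UEFI dbx blob contains a given SHA-256 hash.

Added example; parses concatenated EFI_SIGNATURE_LIST structures. The
sample dbx below is constructed and its hashes are placeholders.
"""
import hashlib
import struct
import uuid

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# SignatureType (GUID), SignatureListSize, SignatureHeaderSize, SignatureSize
LIST_HEADER = struct.Struct("<16sIII")


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner_guid, signature_data) for every entry."""
    off = 0
    while off < len(blob):
        if len(blob) - off < LIST_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = LIST_HEADER.unpack_from(blob, off)
        if list_size < LIST_HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError("inconsistent SignatureListSize")
        if sig_size <= 16:
            raise ValueError("SignatureSize must cover the SignatureOwner GUID")
        sig_type = uuid.UUID(bytes_le=type_raw)
        pos = off + LIST_HEADER.size + hdr_size
        end = off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def revoked_sha256_hashes(blob: bytes) -> set:
    """Hex SHA-256 values held in EFI_CERT_SHA256 entries of the blob."""
    return {data.hex() for sig_type, _, data in parse_signature_lists(blob)
            if sig_type == EFI_CERT_SHA256_GUID and len(data) == 32}


def is_revoked(blob: bytes, sha256_hex: str) -> bool:
    return sha256_hex.lower() in revoked_sha256_hashes(blob)


def build_signature_list(sig_type, entries, owner=uuid.UUID(int=0)) -> bytes:
    """Encode one EFI_SIGNATURE_LIST; entries in a list must be equal length."""
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("entries in one list must be the same size")
    body = b"".join(owner.bytes_le + e for e in entries)
    sig_size = 16 + sizes.pop()
    return LIST_HEADER.pack(sig_type.bytes_le, LIST_HEADER.size + len(body),
                            0, sig_size) + body


# Constructed dbx: two SHA-256 entries plus one dummy X.509 list, which the
# hash check must skip rather than choke on.
HASH_A = hashlib.sha256(b"constructed module A").digest()
HASH_B = hashlib.sha256(b"constructed module B").digest()
SAMPLE_DBX = (build_signature_list(EFI_CERT_SHA256_GUID, [HASH_A, HASH_B])
              + build_signature_list(EFI_CERT_X509_GUID, [b"\x30\x03\x02\x01\x01"]))


if __name__ == "__main__":
    print("entries:", len(list(parse_signature_lists(SAMPLE_DBX))))
    print("A revoked:", is_revoked(SAMPLE_DBX, HASH_A.hex()))
```

To run it against a live machine, read the variable and pass the bytes in: on Linux the file `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` carries a 4-byte attribute prefix before the signature lists, so drop those bytes first; on Windows `(Get-SecureBootUEFI -Name dbx).Bytes` returns the lists directly.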

VII. THREAT ACTOR ACTIVITIES

This week, known and emerging threat actors continued their operations, showcasing adaptability, sophisticated tactics, and a focus on high-impact attacks.

  • DragonForce Ransomware: Observed exploiting unpatched SimpleHelp RMM software to breach Managed Service Providers (MSPs) and launch double extortion campaigns against their clients, highlighting a dangerous supply chain attack vector.
  • Paragon Solutions (Graphite Spyware): The Israeli firm’s Graphite spyware was confirmed by Citizen Lab to be used against European journalists, exploiting a “zero-click” iOS vulnerability via iCloud Links for highly intrusive surveillance.
  • Chaos Ransomware Gang: Responsible for the data breach at Optima Tax Relief, leaking 69 GB of sensitive corporate and customer files, adhering to their double extortion model.
  • Scattered Spider: Google’s Threat Intelligence Group reported this group has shifted focus from retail to the U.S. insurance industry, using sophisticated social engineering (impersonating IT staff) and exploiting Salesforce tools for access and data exfiltration.
  • Mirai Botnets: Remained highly active, exploiting various vulnerabilities (e.g., Wazuh, Zyxel IKE decoders) to build large botnets for Distributed Denial of Service (DDoS) attacks and malware deployment.
  • Homeland Justice (Iran-linked): This group, tied to Iran’s Revolutionary Guard Corps, launched a destructive cyberattack on Tirana, Albania’s capital, disrupting city services and leaking sensitive data, as a clear example of politically motivated nation-state activity.
  • INTERPOL’s Operation Secure: A coordinated international effort from January to April 2025 led to the dismantling of over 20,000 malicious IP addresses and domains linked to 69 info-stealing malware strains, resulting in 32 arrests and significant server seizures. This highlights successful law enforcement collaboration.

VIII. MALWARE ANALYSIS

Featured Malware Families:

  • Datarip Ransomware: A new strain linked to MedusaLocker, employing strong encryption, double extortion (data theft), and advanced evasion techniques targeting Windows systems.
  • Anubis Ransomware: A Ransomware-as-a-Service (RaaS) operation active since December 2024, notably adding a “wiper” capability for permanent file erasure alongside encryption, targeting healthcare, hospitality, and construction sectors.
  • PumaBot: A new Go-based Linux botnet specifically targeting embedded Linux IoT devices through targeted SSH brute-forcing, credential theft, and cryptocurrency mining, with sophisticated evasion techniques.
  • ScopeCreep: A Go-based malware linked to Russian hackers, reportedly enhanced using AI (ChatGPT accounts) for improved evasion, privilege escalation, and sensitive data exfiltration, distributed via trojanized applications.
  • Water Curse: A newly identified threat group using weaponized GitHub repositories to deliver multi-stage malware through malicious Visual Studio projects, primarily targeting red teams, developers, penetration testers, and gamers.
  • DragonHash: A proof-of-concept tool that abuses the drag-and-drop feature in Chromium browsers to leak NTLM hashes (Windows credentials), requiring no interaction beyond the drag itself, enabling offline cracking or relay attacks.
  • SVCStealer: A C++ based information stealer active since January 2025, designed to collect browser credentials, cryptocurrency wallets, personal files, and system information.
  • GorillaBot: A Mirai-based trojan primarily used to carry out large-scale Distributed Denial of Service (DDoS) attacks by compromising IoT devices.
  • BrowserVenom: A new malware leveraging global interest in AI platforms by luring victims to fake AI websites, acting as malicious “proxyware” to reroute all browser traffic through attacker-controlled servers, enabling data interception and broader malicious activities.

IX. RECOMMENDATIONS

For Technical Audiences:

  • Immediate Actions (24-48 Hours):
    • Prioritized Patching: Immediately apply all critical patches from Microsoft’s June 2025 Patch Tuesday, especially for WebDAV RCE, Windows Netlogon EoP, and Microsoft Office RCEs (particularly those exploitable via Preview Pane).
    • CISA KEV Vulnerability Remediation: Prioritize patching or mitigating all vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog, including CVE-2025-43200 (Apple), CVE-2023-33538 (TP-Link EoL Routers), and CVE-2023-0386 (Linux Kernel). Replace EoL devices.
    • Application-Specific Updates: Upgrade Veeam Backup & Replication to the latest version (CVE-2025-23121) and Wazuh to version 4.9.1 or later (CVE-2025-24016) without delay.
    • Endpoint & Mobile Defense: Deploy advanced Endpoint Detection and Response (EDR) and Mobile Threat Defense (MTD) solutions on all devices to counter sophisticated malware and zero-click exploits.
    • Cloud Configuration Audit: Conduct immediate security audits of cloud configurations, especially in Microsoft 365 environments, focusing on application permissions, service principals, and audit logs.
  • Strategic Improvements:
    • Enhanced IAM Practices: Enforce strong, unique passwords and mandatory Multi-Factor Authentication (MFA) for all accounts, particularly those with privileged access to sensitive data and cloud environments.
    • Robust Data Backup & Recovery: Implement and regularly test a comprehensive data backup and recovery strategy, ensuring backups are immutable, isolated, and offsite to withstand destructive ransomware (like Anubis).
    • Supply Chain Security Program: Develop and mature a robust supply chain security program, including thorough security assessments and continuous monitoring of all third-party vendors (especially MSPs) and software components.
    • Network Segmentation: Implement strict network segmentation, particularly for OT/ICS environments, IoT devices, and backup infrastructure, to limit lateral movement in case of a breach.
    • Email & Browser Hardening: Implement advanced email security (sandboxing, anti-phishing, anti-spoofing) and strict browser security policies to mitigate risks from social engineering, infostealers, and new browser-based exploits (e.g., DragonHash, BrowserVenom).
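
The “Cloud Configuration Audit” item above (and the Entra review in Section II) is easiest to make repeatable as a script over exported tenant data. The following is an added example written for this advisory, not the report’s own tooling or a Microsoft utility: it takes service principal records in the shape Microsoft Graph returns for `GET /servicePrincipals?$expand=appRoleAssignments`, resolves each `appRoleId` against the resource application’s published `appRoles`, and reports high-risk application permissions, permissions it cannot resolve, and client secrets that are expired or valid for longer than a year. The records, the risk baseline and the one-year limit are assumptions to tune; the four Graph role GUIDs are the published ones, but a real audit should read the full `appRoles` list from the tenant rather than hard-code it.

```python
"""Audit Microsoft Entra service principals for risky permissions and
long-lived secrets. Added example; all records below are constructed.
"""
from datetime import datetime, timedelta, timezone

# Excerpt of the Microsoft Graph resource service principal's appRoles.
# In a real audit, read the complete list from the tenant.
GRAPH_APP_ROLES = [
    {"id": "19dbc75e-c2e2-444c-a770-ec69d8559fc7", "value": "Directory.ReadWrite.All"},
    {"id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61", "value": "Directory.Read.All"},
    {"id": "df021288-bdef-4463-88db-98f22de89214", "value": "User.Read.All"},
    {"id": "e2a3a72e-5f79-4c64-b1b1-878b674786c9", "value": "Mail.ReadWrite"},
]

# Assumed baseline of application permissions that grant tenant-wide or
# mailbox-wide control; tune to the tenant's risk appetite.
HIGH_RISK_PERMISSIONS = {
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
    "Mail.ReadWrite", "Mail.Read", "full_access_as_app",
}
MAX_SECRET_LIFETIME = timedelta(days=365)  # assumed policy limit
REPORT_DATE = datetime(2025, 6, 23, tzinfo=timezone.utc)

SERVICE_PRINCIPALS = [  # constructed
    {
        "displayName": "Backup-Connector",
        "appId": "0f2c5e3d-1111-4a2b-9c3d-000000000001",
        "appRoleAssignments": [
            {"appRoleId": "7ab1d382-f21e-4acd-a863-ba3e13f7da61"},
            {"appRoleId": "e2a3a72e-5f79-4c64-b1b1-878b674786c9"},
        ],
        "passwordCredentials": [
            {"startDateTime": "2025-01-01T00:00:00Z", "endDateTime": "2027-01-01T00:00:00Z"},
        ],
    },
    {
        "displayName": "Intranet-Reader",
        "appId": "0f2c5e3d-2222-4a2b-9c3d-000000000002",
        "appRoleAssignments": [{"appRoleId": "df021288-bdef-4463-88db-98f22de89214"}],
        "passwordCredentials": [
            {"startDateTime": "2025-03-01T00:00:00Z", "endDateTime": "2025-09-01T00:00:00Z"},
        ],
    },
    {
        "displayName": "Legacy-Sync",
        "appId": "0f2c5e3d-3333-4a2b-9c3d-000000000003",
        "appRoleAssignments": [{"appRoleId": "ffffffff-0000-0000-0000-000000000000"}],
        "passwordCredentials": [
            {"startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2025-01-01T00:00:00Z"},
        ],
    },
]


def _utc(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_service_principals(sps, app_roles, now):
    """Return (displayName, check, detail) tuples. Checks:
    high-risk-permission  assigned role is in HIGH_RISK_PERMISSIONS
    unresolved-permission appRoleId not published by the resource app
    expired-secret        secret past its endDateTime (stale, remove it)
    long-lived-secret     secret valid for longer than MAX_SECRET_LIFETIME
    """
    role_names = {r["id"]: r["value"] for r in app_roles}
    findings = []
    for sp in sps:
        name = sp["displayName"]
        for assignment in sp.get("appRoleAssignments", []):
            perm = role_names.get(assignment["appRoleId"])
            if perm is None:
                findings.append((name, "unresolved-permission", assignment["appRoleId"]))
            elif perm in HIGH_RISK_PERMISSIONS:
                findings.append((name, "high-risk-permission", perm))
        for cred in sp.get("passwordCredentials", []):
            start, end = _utc(cred["startDateTime"]), _utc(cred["endDateTime"])
            if end < now:
                findings.append((name, "expired-secret", cred["endDateTime"]))
            elif end - start > MAX_SECRET_LIFETIME:
                findings.append((name, "long-lived-secret", f"{(end - start).days} days"))
    return findings


def run_audit():
    return audit_service_principals(SERVICE_PRINCIPALS, GRAPH_APP_ROLES, REPORT_DATE)


if __name__ == "__main__":
    for finding in run_audit():
        print(*finding)
```

An unresolved permission is worth chasing rather than ignoring: it means the assignment points at a role the resource no longer publishes, which is exactly what a stale or tampered grant looks like in an export.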


For Non-Technical Audiences:

  1. Security Awareness:
    • Phishing Vigilance: Be highly cautious of suspicious emails, messages, or calls. Cybercriminals often pretend to be trusted sources (like IT support or popular AI platforms) to trick you into clicking malicious links or downloading infected files. Always verify the sender.
    • Strong Password Practices & MFA: Use unique, strong passwords for all online accounts. Enable Multi-Factor Authentication (MFA) wherever possible – this adds an extra layer of security beyond just your password.
    • Software Updates: Keep all your devices and applications updated. These updates often contain critical security fixes that protect you from the latest threats. If a device or application is very old and no longer receives updates, consider replacing it.
    • Mobile Device Safety: Be mindful of what you click or download on your phone or tablet. Mobile devices are increasingly targeted.
  2. Incident Response Preparedness:
    • Reporting Suspicious Activities: If you notice anything unusual – a strange email, an unexpected pop-up, or your device behaving oddly – report it immediately through your organization’s designated channels. Early reporting can prevent a minor incident from becoming a major breach.
    • Data Backup Importance: Understand the importance of regular data backups. If your personal or work files were to be encrypted or deleted by ransomware, backups are your only way to recover them.
    • Understanding Third-Party Risks: Be aware that even services you trust (like customer service providers or cloud platforms) can be compromised, potentially exposing your data. This highlights why good password habits and MFA are crucial across all your online interactions.


X. ANALYST NOTES

The cybersecurity landscape between June 16 and June 23, 2025, clearly indicates a significant evolution in adversary capabilities and an escalation in the impact of cyberattacks. The sheer scale of credentials exposed by infostealers highlights the “human element” as the most critical vulnerability, requiring a fundamental shift in user behavior through continuous, adaptive education. The emergence of destructive ransomware with “wiper” capabilities (Anubis) signifies a move beyond financial extortion toward outright disruption, or ransomware used as cover for state-sponsored destructive operations, demanding that organizations re-evaluate their recovery strategies to account for irreversible data loss.

The widespread active exploitation of both recent “zero-day” and older, known CVEs underscores that merely identifying vulnerabilities is insufficient; the bottleneck often lies in patching velocity and the lifecycle management of legacy systems. Furthermore, the explicit leveraging of Generative AI by the Russian-speaking operators behind ScopeCreep, and AI-themed lures for infostealers like BrowserVenom, confirm that AI is firmly in the hands of adversaries. This necessitates a proactive investment in AI-driven defensive solutions and a deep understanding of AI’s implications for both offense and defense. The increasing intersection of geopolitics with cyber operations means organizations must elevate their threat intelligence capabilities to anticipate and defend against nation-state TTPs, as they may become collateral damage or direct targets in broader conflicts. The fight for cybersecurity resilience is no longer just about technology; it is about people, process, and proactive intelligence.

XI. CONTACT INFORMATION

For further inquiries or guidance regarding this report, please contact the Meraal Cyber Security (MCS) Threat Intelligence Team.

Note on Sources and Intelligence: This report synthesizes information from various credible sources, including public advisories from organizations like CISA, MITRE, and MS-ISAC, alongside internal analysis and emerging threat intelligence. Efforts have been made to differentiate between confirmed intelligence and speculative or unverified information to maintain accuracy and credibility.
