VerSprite Weekly Threat Intelligence

Date Range: 23 June 2025 – 27 June 2025

Issue: 20th Edition

Security Triumphs of the Week

This week saw significant law enforcement actions against cybercrime, including French police arresting five BreachForums administrators linked to high-profile breaches and a former Western Sydney University student charged with multi-year cyberattacks. A Kansas City hacker admitted sabotaging organizations to promote his services, while Leeds United and Reflectiz emphasized proactive security post-Magecart attack. Despite these triumphs, experts caution that persistent vulnerabilities, evolving threats like AI-driven spam, and the potential resurgence of cybercrime forums underscore the need for sustained vigilance and collaboration.

  • French Police Reportedly Bust Five BreachForums Administrators
    French police arrested five administrators of the cybercrime forum BreachForums, known for trading stolen data and hacking tools. The suspects, using handles like IntelBroker and ShinyHunters, were tied to breaches impacting major organizations, including France’s Ministry of Education, Accor, and Dior. Coordinated raids targeted individuals aged 20–23 in Paris suburbs and overseas territories. BreachForums, previously led by U.S. national Conor Fitzpatrick (Pompompurin), persisted despite FBI takedowns, with new administrators relaunching the site. While the arrests disrupt a key cybercrime hub, experts warn new actors may fill the void. One suspect is reportedly a British national.
    Read full article: Bankinfosec
  • Leeds United and Reflectiz Partner to Share Insights on Proactive Web Security After Cyber Attack
    Leeds United FC and Reflectiz are hosting a webinar on July 2nd, 2025, to discuss proactive web security following a Magecart attack on the club’s online shop in February 2025. Graham Peck, Leeds United’s Head of IT and Security, will share insights into the attack’s impact and remediation steps, while Reflectiz’s Isaac Model will address client-side vulnerabilities and mitigation strategies. Key topics include Magecart threats, supply chain visibility, and transitioning from reactive to proactive security. The session aims to provide actionable guidance for IT, cybersecurity, and e-commerce professionals to enhance online platform security. Registration is available via Reflectiz’s website.
    Read full article: Gbhackers
  • University Student Charged for Alleged Hacking and Data Theft
    A 27-year-old former Western Sydney University student was charged with 20 cyber offences following a multi-year investigation into cyberattacks targeting the university since 2021. The attacks allegedly began as attempts to exploit parking systems but escalated to unauthorized data access, altered academic records, and threats to sell stolen student information on the dark web. NSW Police’s Strike Force Docker, collaborating with federal agencies and cybersecurity experts, identified the suspect, seizing devices during a raid. Hundreds were impacted by breaches involving data theft and system compromises, raising privacy and operational concerns. The accused, denied bail, faces charges including unauthorized data access, deception, and attempted financial gain. Investigations continue to assess the full breach impact.
    Read full article: Gbhackers
  • Kansas City Man Pleads Guilty After Hacking to Promote His Cybersecurity Services
    A Kansas City man, Nicholas Michael Kloster, pleaded guilty to hacking three organizations in 2024 to promote his cybersecurity services. He physically breached a health club, manipulated its systems to reduce his membership fee, stole a staff badge, and later emailed the owner offering his services. Kloster also hacked a nonprofit using a boot disk to bypass security, installed a VPN for remote access, and caused costly damage. Additionally, he misused his former employer’s credit card to buy hacking tools. His actions included social media posts flaunting unauthorized access to security systems. Kloster faces up to five years in prison, fines, restitution, and supervised release. The FBI and Kansas City Police investigated the case.
    Read full article: Gbhackers
  • Former US Army Sergeant pleads guilty after amateurish attempt at selling secrets to China
    A former US Army sergeant, Joseph Schmidt, pleaded guilty to attempting to sell classified information to China using amateurish methods, including emails from personal accounts and public web searches. Critical vulnerabilities were disclosed in libxml2, including denial-of-service and code execution risks, with some requiring code removal for fixes. Citrix patched critical flaws in NetScaler products, while CISA flagged a TP-Link router exploit. AI-driven spam now accounts for 51% of messages, improving grammar but not content originality. Episource reported a breach exposing 5.4 million patients’ sensitive health and insurance data. A Linux exploit chain (PAM/libblockdev) allows root access on major distros, requiring urgent configuration changes.
    Read full article: Theregister

Security Setbacks of the Week

This week saw escalating cyberthreats across sectors, with ransomware groups targeting healthcare (NHS Synnovis, McLaren, NRS), aviation (Hawaiian Airlines), and critical infrastructure (Nucor, UNFI), causing operational disruptions and data breaches. Third-party vulnerabilities amplified risks, as seen in supply chain attacks on Glasgow City Council and Ahold Delhaize. Financial institutions faced sophisticated DDoS campaigns, while MOVEit systems experienced renewed exploitation attempts. Repeat breaches at firms like McLaren highlight persistent security gaps, and the release of REvil operatives underscores legal challenges in combating cybercrime. Global entities urged proactive patching, vendor scrutiny, and maturity frameworks to counter evolving threats.

  • Breach Roundup: UK NHS Links Patient Death to Ransomware Attack
    A ransomware attack on UK NHS provider Synnovis, attributed to Qilin, caused critical service disruptions linked to a patient’s death. Chinese group Salt Typhoon targeted Canadian telecoms via Cisco vulnerabilities, while Russian APT28 deployed novel backdoors (Beardshell, Slimagent) in Ukraine through Signal. SAP and Citrix patched critical flaws exposing sensitive data, including Citrix Bleed 2. Suspected Chinese actors used Microsoft ClickOnce to attack energy sectors with RunnerBeacon malware. Brother printers face an unfixable authentication bypass flaw (CVE-2024-51978) affecting 689 models. Ransomware hit US Dairy Farmers of America, disrupting operations, while Iranian hackers disrupted Albanian public services. EU experts urged infrastructure takedowns against Chinese and North Korean cyberthreats.
    Read full article: Bankinfosec
  • Nationwide Recovery Service Hack Grows to 500,000 Victims
    A 2024 cyberattack on debt collector Nationwide Recovery Service (NRS) has impacted over 500,000 individuals, with healthcare providers and patients across the U.S. affected. The breach, involving unauthorized access to NRS systems between July 5-11, 2024, exposed sensitive data including names, Social Security numbers, birthdates, and medical debt details. Multiple hospitals and medical practices, such as Select Medical Holdings and UChicago Medicine, reported breaches tied to the incident. NRS initially underreported the scale, with client disclosures revealing escalating victim counts. The breach highlights risks posed by third-party vendors in healthcare, as business associates remain frequent targets for cybercriminals. NRS faces multiple class-action lawsuits over the incident.
    Read full article: Bankinfosec
  • McLaren Health Says 743,000 Affected by 2024 Ransomware Hack
    McLaren Health reported a 2024 ransomware attack by Inc. Ransom impacting 743,000 individuals, marking its second major breach in two years. The attack compromised sensitive data, including Social Security numbers and medical records, and disrupted operations, forcing temporary use of manual systems. This follows a 2023 breach by the AlphV/BlackCat gang affecting 2.1 million people. Experts suggest repeat attacks may stem from unresolved vulnerabilities, such as backdoors or insufficient security controls. McLaren’s recovery involved forensic reviews and system shutdowns, but gaps in addressing initial access methods (e.g., phishing, credential abuse) likely persist. The incident highlights ongoing challenges in healthcare cybersecurity.
    Read full article: Bankinfosec
  • DDoS Attack on Financial Sector Triggers Multi-Day Service Outages
    A joint FS-ISAC and Akamai report highlights a surge in sophisticated DDoS attacks targeting the financial sector, exploiting vulnerabilities in digital infrastructure like APIs. These attacks, increasingly multi-dimensional and persistent, mimic legitimate traffic to disrupt critical services such as online banking, causing multi-day outages and reputational damage. A 2024 coordinated campaign notably crippled multiple banks, emphasizing the strategic threat posed by modern DDoS tactics. Financial institutions face heightened risks due to reliance on interconnected systems, with attackers tailoring methods to specific business models. To address this, the report introduces a DDoS Maturity Model, guiding firms to assess defenses, close gaps, and prioritize cybersecurity investments. Proactive adoption of such frameworks is urged to mitigate escalating threats to operational stability.
    Read full article: Gbhackers
  • Steel Giant Nucor Suffers Cyberattack, IT Systems Breached
    Nucor Corporation, North America’s largest steel producer, experienced a significant cyberattack in early May, disrupting operations across multiple facilities and leading to limited data theft. The breach prompted immediate shutdowns of affected IT systems and temporary production halts at several sites within its 300-location network. Nucor engaged cybersecurity experts, law enforcement, and regulators, restoring operations and securing systems by mid-May. While no financial impact is anticipated, risks of regulatory scrutiny, litigation, and reputational damage remain. The incident underscores growing vulnerabilities in industrial supply chains to sophisticated cyber threats, despite proactive response measures and enhanced defenses.
    Read full article: Gbhackers
  • Hawaiian Airlines Targeted in Cyberattack, Systems Compromised
    Hawaiian Airlines experienced a significant cybersecurity incident disrupting parts of its IT systems, though flight operations remained unaffected and no safety risks were reported. The airline engaged authorities and cybersecurity experts to investigate and restore systems but did not disclose specific compromised areas or confirm if customer data was exposed. While the term “cybersecurity event” often implies ransomware, no group claimed responsibility, and the airline has not confirmed ransomware involvement. The FAA confirmed no safety impact, and the airline’s website and app appeared functional. This follows a similar attack on Canada’s WestJet, underscoring rising cyber threats in aviation reliant on complex IT infrastructure. Updates are promised as the investigation progresses.
    Read full article: Gbhackers
  • MOVEit Transfer Systems Hit by Wave of Attacks Using Over 100 Unique IPs
    A significant surge in attacks targeting MOVEit Transfer systems has been observed, with over 680 unique IPs detected in 90 days, peaking at 319 daily IPs by May 28, 2025. Attack infrastructure is concentrated in Tencent Cloud (44%), Cloudflare, Amazon, and Google, suggesting coordinated efforts. Most scans originate from the U.S., targeting the U.K., U.S., Germany, France, and Mexico. Exploitation attempts leveraging known vulnerabilities (CVE-2023-34362, CVE-2023-36934) were observed on June 12, though widespread breaches remain unconfirmed. Attackers likely probe for weaknesses to launch data breach campaigns, mirroring past MOVEit zero-day exploits. Experts urge immediate patching, IP blocking, and system monitoring to mitigate risks amid evolving threats.
    Read full article: Gbhackers
  • Data spill in aisle 5: Grocery giant Ahold Delhaize says 2.2M is affected after cyberattack
    Ahold Delhaize, a global grocery retailer, confirmed a November 2023 cyberattack exposed data of 2.24 million individuals, primarily current and former employees. Compromised data includes names, contact details, government IDs, financial accounts, and health/employment records. The breach, linked to ransomware group INC Ransom, disrupted operations, affecting pharmacy services and deliveries. The company notified affected individuals via Maine’s Attorney General, offering two years of credit monitoring. While Ahold Delhaize hasn’t officially labeled it ransomware, experts suspect it based on leaked documents and prior claims by the attackers. The incident highlights risks to large retail supply chains and sensitive employee data.
    Read full article: Theregister
  • Glasgow City Council online services crippled following cyberattack
    A cyberattack on Glasgow City Council, initiated on June 19, 2025, disrupted numerous online services due to a supply chain breach involving a third-party supplier. Critical systems were isolated as a precaution, affecting services like permit applications, bin calendars, tax complaints, and planning portals. While financial systems remained secure, the council cannot confirm if data was stolen but warned residents of potential phishing risks. Investigations involving Police Scotland and national cybersecurity agencies are ongoing. The incident follows similar attacks on UK councils, highlighting vulnerabilities in public sector IT infrastructure. Residents are advised to remain vigilant and report suspicious activity to authorities.
    Read full article: Theregister
  • Fake Bank Ads on Instagram Scam Victims Out of Money
    United Natural Foods (UNFI), a major supplier for Whole Foods, restored core systems after a June 5 cyberattack disrupted operations, including electronic ordering and invoicing. The incident led to reduced sales, increased costs, and material financial impacts on Q4 2025 results. UNFI contained the breach, resumed normalized deliveries, and engaged external cybersecurity experts and law enforcement. No personal or health data was compromised, so consumer notifications are not expected. The company anticipates cybersecurity insurance will cover costs, though claims may extend into 2026. This follows a trend of attacks on food industry firms, including Sam’s Club and JBS Foods.
    Read full article: Bleepingcomputer
  • M&S and Co-op hacks publicly defined as a single attack – and could cost more than £400 million
    The Cyber Monitoring Centre (CMC) has classified the 2025 cyberattacks on UK retailers Marks & Spencer (M&S) and Co-op as a single coordinated event by the threat actor Scattered Spider, citing shared tactics, timing, and responsibility claims. The combined financial impact is estimated at between £270 million and £440 million, driven primarily by business disruption, data loss, and recovery costs. Both firms faced IT system takedowns, with M&S projecting £300 million in lost profits. Stolen data included customer addresses, phone numbers, and birthdates, but excluded payment details. The CMC excluded Harrods’ concurrent attack due to insufficient information. The incident highlights systemic risks to supply chains and partners beyond the direct targets.
    Read full article: Techradar
  • Four REvil ransomware crooks walk free, escape gulag fate, after admitting guilt
    Four REvil ransomware members—Andrey Bessonov, Mikhail Golovachuk, Roman Muromsky, and Dmitry Korotayev—were released from Russian custody after serving reduced five-year sentences in labor camps, credited to time spent in pre-trial detention and guilty pleas. They forfeited assets, including cars and over $1 million. Four other REvil suspects received harsher sentences (4.5–6 years) after refusing plea deals. The arrests followed a 2022 US request, amid rare US-Russia cooperation, though no extraditions occurred. Separately, Ukrainian national Yaroslav Vasinskyi was extradited to the US, receiving a 14-year sentence and $16M restitution. REvil, active until 2022, targeted high-profile entities like Kaseya and nuclear contractors.
    Read full article: Theregister

The New Emerging Threats

Emerging threats highlight a surge in state-sponsored and cybercriminal activity exploiting trusted platforms, AI tools, and unpatched systems. APT groups like Blind Eagle and Chinese LapDogs leverage obfuscated malware, hijacked IoT devices, and social engineering to target critical infrastructure and anonymize espionage. AI-driven threats, including LLM-generated phishing and ClickFix attacks, amplify efficiency, while Iranian and North Korean actors escalate spear-phishing and retaliatory cyberattacks. Malware campaigns exploit vulnerabilities in WordPress, VPNs, and Discord, with credential theft and data exfiltration tactics. Proactive defense requires anomaly detection, Zero-Trust models, and user education to counter evolving adversarial tactics.

  • APT-C-36 Hackers Launching Cyberattacks on Government Entities, Financial Sectors, and Critical Systems
    APT-C-36 (Blind Eagle) has intensified cyberattacks across Latin America, particularly targeting Colombian government, financial, and critical infrastructure sectors. The group employs phishing emails to deliver Remote Access Trojans (RATs) with obfuscated command-and-control traffic, evading traditional defenses. Since November 2024, they exploited WebDAV over HTTP port 80 to distribute malware, adapting after Microsoft patched a vulnerability (CVE-2024-43451). Recent campaigns involved malicious URLs redirecting to German IPs and dynamic DNS endpoints linked to Remcos malware. Darktrace observed rapid data exfiltration post-compromise, emphasizing the need for anomaly-based detection and autonomous response to counter evolving tactics. Blind Eagle’s persistence underscores the importance of combining patching with advanced, real-time threat mitigation.
    Read full article: Gbhackers
  • ClickFix Attacks Soar by 500%: Hackers Intensify Use of This Manipulative Technique to Deceive Users
    A sharp 517% surge in “ClickFix” attacks has been observed, exploiting users’ trust in verification processes like reCAPTCHA. This social engineering tactic tricks victims into copying malicious scripts via fake error prompts from services like Microsoft or Google, delivered through phishing emails or compromised sites. Executing these scripts deploys infostealers, ransomware, and remote access trojans. Nation-state groups like Kimsuky and Callisto employ ClickFix across multiple OS platforms, with Japan, Peru, and Poland most affected. The technique’s simplicity and dark web toolkits enable widespread use, prompting calls for enhanced user vigilance and potential security warnings from tech firms to mitigate risks.
    Read full article: Gbhackers
  • Chinese Hackers Turn Unpatched Routers into ORB Spy Network
    Chinese nation-state hackers have built a covert ORB (operational relay box) spy network by hijacking unpatched Linux-based routers and IoT devices, primarily targeting Ruckus Wireless and Buffalo Technology hardware in the U.S., Japan, South Korea, Taiwan, and Hong Kong. Dubbed “LapDogs,” the network leverages a custom backdoor called ShortLeash, which exploits known vulnerabilities (CVE-2015-1548, CVE-2017-17663) in outdated devices to establish persistence, mimic legitimate services, and relay stolen data. Forensic evidence, including Mandarin-language developer notes and infrastructure patterns, strongly links the activity to Chinese cyberespionage groups. The ORB network anonymizes attacks, evades detection, and aligns with tactics of groups like Volt Typhoon. Security researchers attribute the campaign to centralized Chinese threat actors coordinating localized tasking and infrastructure for espionage.
    Read full article: Bankinfosec
  • Cybercriminals Exploit LLM Models to Enhance Hacking Activities
    Cybercriminals are exploiting large language models (LLMs) to enhance hacking, using uncensored models like OnionGPT and custom tools like FraudGPT to generate phishing content, malware, and offensive security tools. Malicious actors bypass ethical safeguards via jailbreaking techniques (e.g., DAN prompts) or manipulate legitimate LLMs by poisoning data sources. Vulnerabilities in platforms like Hugging Face allow backdoored models to infect systems. While these AI tools amplify attack efficiency and scale, many dark web offerings are scams. The evolving misuse of LLMs underscores the need for vigilance in sourcing and securing AI systems to counter emerging cyber threats.
    Read full article: Gbhackers
  • Threat Actors Exploit ChatGPT, Cisco AnyConnect, Google Meet, and Teams in Attacks on SMBs
    Threat actors are exploiting trusted platforms like ChatGPT, Cisco AnyConnect, Google Meet, and Microsoft Teams to target SMBs through malware and phishing, per a Kaspersky report (Jan-Apr 2025). Around 8,500 SMB users encountered attacks, with Zoom (41% of cases) and Microsoft Office apps most impersonated. ChatGPT-related malicious files surged 115%, while Teams and Google Drive saw increased malicious shares. Primary threats include downloaders, Trojans, and adware, often delivered via fake software or phishing. Attackers mimic trusted services, banking portals, and use AI automation. Recommendations include endpoint security, employee training, multi-factor authentication, and strict download protocols.
    Read full article: Gbhackers
  • Iranian Spear-Phishing Attack Impersonates Google, Outlook, and Yahoo Domains
    Iranian threat actor Educated Manticore (APT42), linked to the IRGC, has escalated a global spear-phishing campaign targeting high-profile Israeli academics, journalists, and cybersecurity researchers. The group impersonates Google, Outlook, Yahoo, and media outlets via over 100 phishing domains, deploying fake login pages and social engineering to bypass multi-factor authentication. Attacks initiate through emails or WhatsApp messages, using tailored personas and AI-enhanced, grammatically precise communications to steal credentials. Recent tactics include fraudulent meeting invitations with real-world implications, such as a Tel Aviv meetup proposal. Check Point warns of heightened risks for sectors like academia and media, urging vigilance against unsolicited requests.
    Read full article: Gbhackers
  • Threat Actors Distribute Compromised SonicWall SSL VPN NetExtender to Steal Sensitive Data
    Threat actors distributed a malicious version of SonicWall’s SSL VPN NetExtender application via a fraudulent website impersonating SonicWall’s platform. The Trojanized installer, signed by “CITYLIGHT MEDIA PRIVATE LIMITED,” bypassed certificate validation checks by tampering with NeService.exe and injected NetExtender.exe to steal VPN credentials, including usernames, passwords, and domain details, exfiltrating data to a remote server. The attack risks unauthorized network access, data breaches, and lateral movement. SonicWall and Microsoft disrupted the campaign, revoking fraudulent certificates and deploying detection tools. Users are advised to download software only from official sources and employ updated security solutions like SonicWall’s Capture ATP.
    Read full article: Gbhackers
  • Hacktivist Groups Target U.S. Companies and Military Domains in Retaliation for Iran Attacks
    Pro-Iranian hacktivist groups, including Mr Hamza, Team 313, Cyber Jihad, and Keymous+, have launched retaliatory cyberattacks against U.S. military domains, defense firms, and financial institutions following U.S. airstrikes on Iranian nuclear sites. DDoS campaigns, website defacements, and navigation system disruptions were reported, with Cyble documenting attacks on 15 U.S. organizations and 19 websites. While some claims, like Team 313’s alleged breach of Truth Social, lack evidence, others provided proof of outages. The DHS warned of low-level attacks by Iran-aligned actors and potential state-backed exploitation of vulnerable devices. Cyber activity in the Middle East remains more extensive, with Iranian groups targeting Israeli entities. Cyble advises enhanced DDoS defenses and Zero-Trust models to mitigate escalating risks.
    Read full article: Gbhackers
  • North Korean Hackers Use Malicious Zoom Apps to Execute System-Takeover Attacks
    Suspected North Korean state-sponsored hackers conducted a sophisticated campaign using fake Zoom meetings to compromise systems. Attackers posed as business collaborators on LinkedIn, lured targets to Telegram, and directed them to malicious domains mimicking Zoom’s interface. Victims were tricked into executing terminal commands under the guise of resolving audio issues, potentially enabling remote access, data theft, or malware deployment. The operation, linked to groups like Lazarus, employed polished social engineering and fake infrastructure (e.g., domain usweb08.us) to appear legitimate. A June 2025 case highlighted the attackers’ urgency and evasion tactics when challenged. Experts advise verifying URLs, avoiding unverified commands, and sharing threat intelligence to counter such evolving scams.
    Read full article: Gbhackers
  • Advanced Malware Campaign Targets WordPress and WooCommerce Sites with Hidden Skimmers
    A sophisticated malware campaign targeting WordPress and WooCommerce sites was uncovered by Wordfence, involving over 20 evolving variants since September 2023. The malware employs credit card skimming, credential theft, and malicious ad manipulation, using AI-generated rogue plugins to embed live backend systems for managing stolen data. Advanced obfuscation and anti-analysis techniques evade detection, including developer tool detection, browser shortcut blocking, and debugger traps. Stolen data is encoded in Base64 and exfiltrated via fake image URLs, while fake Cloudflare verification pages deceive users. The campaign also manipulates Google Ads, replaces legitimate links, and uses Telegram for real-time data theft. Wordfence released detection signatures and tools to counter the threat, with CLI scanners detecting over 99% of samples.
    Read full article: Gbhackers
  • Cybercriminals are targeting gamers with expired Discord invite links which redirect to malware servers – here’s how to stay safe
    A cybersecurity report revealed hackers claiming to sell 61 million Verizon customer records on a Clear Web forum, containing sensitive data like names, birthdates, tax IDs, and addresses. SafetyDetectives researchers identified the 3.1GB dataset, dated as recent as 2025, suggesting a potential breach. Verizon denied the data’s legitimacy, stating it was old and unrelated to their systems, noting similar claims against other telecom firms. The breach’s origin remains unclear, though researchers deemed it plausible. Verizon previously addressed vulnerabilities, including a March 2024 call history flaw and an insider employee data breach. Experts advise vigilance against identity theft, using monitoring tools, and securing personal information.
    Read full article: Techradar
  • Hackers claim to be selling 61 million Verizon records online, but it might not be what it seems
    A sophisticated cyber campaign targets Taiwanese organizations via phishing emails impersonating government entities like the National Taxation Bureau. Attackers deliver malicious ZIP files containing multistage payloads, including the HoldingHands RAT (Gh0stBins), which exfiltrates data and enables surveillance. The infection chain uses shellcode, loaders, and encrypted configurations to evade detection, harvesting system data, user information, and registry values. The threat actor employs multiple malware variants (Winos 4.0, Gh0stCringe) in coordinated waves, suggesting state-backed, well-resourced operations. This aligns with broader trends of China-linked groups intensifying attacks on Taiwan’s government and telecom sectors. Experts emphasize the need for real-time behavioral analysis to counter evolving tactics.
    Read full article: Techradar

Vulnerability Spotlight: Critical Exposures Unveiled

Critical vulnerabilities across IoT, cloud, and enterprise systems dominated this week’s threat landscape, with multiple CVSS 9.8-rated flaws exposing authentication bypasses (Mitsubishi HVAC, Teleport), remote code execution (CentOS Web Panel, Aviatrix Controller), and supply-chain risks (Notepad++). High-severity weaknesses in WinRAR, Zimbra, and MongoDB highlighted persistent threats from file parsing and web client vulnerabilities, while Citrix’s zero-day exploitation underscored ongoing risks in network appliances. Recurring themes included unsecured internet-exposed devices, weak credential management, and insufficient input validation. Organizations must prioritize patching, network segmentation, and multi-factor authentication to mitigate widespread exploitation risks across hybrid environments.

  • Mitsubishi Electric Air Conditioning Systems Vulnerable to Remote Authentication Bypass (CVSS 9.8)
    A critical vulnerability (CVE-2025-3699, CVSS 9.8) in Mitsubishi Electric air conditioning systems allows remote attackers to bypass authentication and gain unauthorized control of HVAC devices or tamper with firmware. Affected models include G-50, AE-200J, and others running outdated firmware. Exploitation is possible in systems exposed to the internet without VPN protection. Mitsubishi advises restricting network access, securing physical systems, and updating software until patches are released. The flaw, categorized under CWE-306, highlights risk in improperly secured IoT/ICS environments. Immediate mitigation is critical to prevent remote attacks.
    Read full article: Securityonline
  • Hunt Electronic DVR Vulnerability Leaves Admin Credentials Unprotected
    A critical vulnerability (CVE-2025-6561) in Hunt Electronics’ HBF-09KD and HBF-16NK hybrid DVRs exposes admin credentials in plaintext via unauthenticated access to configuration files. With a CVSS score of 9.8, attackers can exploit this flaw to gain full system control, manipulate surveillance feeds, or launch further network attacks. Affected devices include firmware versions V3.1.67_1786 BB11115 and earlier. Hunt Electronics released patched firmware (V3.1.70_1806 BB50604+), urging immediate updates, network isolation, and password resets. Unpatched systems risk surveillance compromise, data exfiltration, and lateral network breaches. Organizations must prioritize remediation to mitigate severe security and operational risks.
    Read full article: Gbhackers
  • CentOS Web Panel Vulnerability Allows Remote Code Execution – PoC Released
    A critical vulnerability (CVE-2025-48703) in CentOS Web Panel (CWP) enables unauthenticated attackers to execute arbitrary code via command injection in the t_total parameter, bypassing authentication. Affected versions include 0.9.8.1188 and 0.9.8.1204. A public PoC exploit demonstrates remote shell access by exploiting the file manager endpoint, requiring only a valid non-root username. CWP users must urgently update to patched versions, apply security controls, and monitor for attacks. This follows prior CWP RCE flaws, emphasizing recurring risks in web management panels. Immediate mitigation is critical to prevent server compromise.
    Read full article: Gbhackers
  • TeamViewer for Windows Vulnerability Lets Hackers Delete Files with SYSTEM Rights
    A critical vulnerability (CVE-2025-36537) in TeamViewer Remote Management for Windows allows local attackers to delete arbitrary files with SYSTEM privileges, enabling privilege escalation. The flaw, with a CVSS score of 7.0, stems from improper permissions in the MSI rollback mechanism during uninstall/rollback. Affected systems include Windows installations with Backup, Monitoring, or Patch Management features enabled. Exploitation requires local access but could lead to denial of service or further system compromise. TeamViewer patched the issue in version 15.67, urging immediate updates for impacted users. The vulnerability was disclosed responsibly by Giuliano Sanfins via Trend Micro ZDI, with no active exploits reported yet.
    Read full article: Gbhackers
  • WinRAR Vulnerability Exploited with Malicious Archives to Execute Code
    A high-severity vulnerability (CVE-2025-6218, CVSS 7.8) in WinRAR for Windows allows remote code execution via maliciously crafted archives. Attackers exploit directory traversal flaws during file extraction to place malicious files in system directories like the Windows startup folder, triggering code execution upon user login or system reboot. The attack requires user interaction, such as opening a compromised archive delivered via phishing or malicious websites. All Windows versions of WinRAR (including RAR, UnRAR, and related components) are affected. RARLAB patched the flaw in version 7.12 Beta 1, urging users to update immediately. Mitigation includes avoiding untrusted archives and staying vigilant against phishing attempts.
    Read full article: Gbhackers
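As an added example (not RARLAB's code and not from the article), a pre-extraction check that refuses archive members whose names would land outside the destination directory, which is the traversal pattern described above. It builds a constructed sample with Python's zipfile so it runs offline; applying the same member-name check to RAR entries read through a third-party library is an assumption.

```python
import io
import posixpath
import zipfile
from pathlib import PureWindowsPath

# Added example (not RARLAB's code): pre-extraction check for archive member
# names that would escape the destination directory. zipfile is used so the
# sample runs offline; RAR archives would need a third-party reader, but the
# same name check applies to their entries (assumption).


def is_unsafe_entry(name: str) -> bool:
    """True if a member name could be written outside the extraction directory."""
    # Windows extractors accept both separators; normalise to '/'.
    unix_name = name.replace("\\", "/")
    # Absolute, drive-letter (C:...) and UNC paths never belong in an archive.
    if unix_name.startswith("/") or PureWindowsPath(name).drive:
        return True
    # Collapse '.' and '..' components; a name that still begins with '..'
    # climbs above the destination (e.g. into a user's startup folder).
    collapsed = posixpath.normpath(unix_name)
    return collapsed == ".." or collapsed.startswith("../")


def find_unsafe_entries(archive_bytes: bytes) -> list:
    """Return every member name in the archive that fails the check above."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [n for n in zf.namelist() if is_unsafe_entry(n)]


def build_sample_archive() -> bytes:
    """Constructed sample: one benign member plus two traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign content")
        zf.writestr("../../../Users/Public/evil.txt", "constructed")
        zf.writestr("..\\..\\Startup\\run.bat", "constructed")
    return buf.getvalue()


if __name__ == "__main__":
    flagged = find_unsafe_entries(build_sample_archive())
    print("refusing to extract:", flagged)
```

An extractor that calls `find_unsafe_entries` first and aborts on a non-empty result never writes a traversal entry, regardless of where the archive came from.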
  • Notepad++ Vulnerability Allows Full System Takeover — PoC Released
    A critical privilege escalation vulnerability (CVE-2025-49144) in Notepad++ v8.8.1 allows attackers to gain SYSTEM-level control via a supply-chain attack. The flaw exploits the installer’s insecure search path behavior, enabling execution of malicious files placed in directories like Downloads when the installer runs. Attackers can achieve full system takeover, steal data, or deploy malware. Proof-of-concept exploits are publicly available, increasing exploitation risks. Notepad++ patched the issue in v8.8.2 by enforcing secure paths and dependencies. Users must update immediately and avoid running installers from untrusted locations. This high-severity flaw underscores the dangers of supply-chain vulnerabilities in widely used software.
    Read full article: Gbhackers
  • Zimbra Classic Web Client Vulnerability Allows Arbitrary JavaScript Execution
    A critical stored XSS vulnerability (CVE-2025-27915) in Zimbra Collaboration Suite’s Classic Web Client allows arbitrary JavaScript execution via malicious ICS calendar invites. Exploitable through insufficient HTML sanitization in ICS files, attackers can trigger code execution via a tag’s ontoggle event, risking email redirection, session hijacking, or data theft. Affected versions include ZCS 9.0 up to Patch 43, 10.0 up to 10.0.12, and 10.1 up to 10.1.4. Zimbra released patches (9.0.0 Patch 46, 10.0.15, 10.1.9) to mitigate the flaw. Organizations are urged to update immediately, enforce input validation, and restrict embedded scripts. This vulnerability highlights risks in trusted workflows like calendar invites, emphasizing proactive patch management.
    Read full article: Gbhackers
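As an added example (not Zimbra's code), an allowlist sanitizer for HTML carried in an ICS invite description, which drops on* handlers such as ontoggle, unknown tags and unsafe link schemes before the invite is rendered. The tag allowlist, the X-ALT-DESC property name and the sample invite are assumptions constructed for this example.

```python
import re
from html import escape
from html.parser import HTMLParser

# Added example (not Zimbra's code): allowlist sanitiser for HTML carried in an ICS
# invite property such as X-ALT-DESC. The allowlist is illustrative (assumption).
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "ul", "ol", "li", "a", "div", "span"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

def ics_property(text: str, name: str) -> str:
    """Return the value of the first property `name` after RFC 5545 line unfolding."""
    for line in re.sub(r"\r?\n[ \t]", "", text).splitlines():   # join folded lines
        key, sep, value = line.partition(":")
        if sep and key.split(";")[0].upper() == name.upper():  # ;FMTTYPE=... ignored
            return value
    return ""

class InviteSanitizer(HTMLParser):
    """Rebuild markup from the allowlist: unknown tags vanish, every on* handler
    (ontoggle, onerror, ...) is dropped and links must use a safe scheme."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                                 # e.g. details, script, iframe
        kept = ""
        for name, value in attrs:
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                continue                           # drops ontoggle and unlisted attrs
            if name == "href" and not (value or "").strip().lower().startswith(SAFE_SCHEMES):
                continue                           # blocks javascript: and data: URLs
            kept += f' {name}="{escape(value or "", quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))   # text is re-escaped, never trusted

def sanitize_invite_html(html: str) -> str:
    parser = InviteSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

# Constructed sample: the HTML description smuggles a handler and a javascript: link.
SAMPLE_ICS = ("BEGIN:VEVENT\r\nSUMMARY:Sync\r\nX-ALT-DESC;FMTTYPE=text/html:<p>Agenda</p>\r\n"
              ' <details open ontoggle="alert(1)">notes</details><a href="javascript:alert(1)">x</a>\r\nEND:VEVENT\r\n')
```

Rebuilding from an allowlist rather than stripping known-bad patterns is what closes the gap: an attribute or tag the filter has never heard of is simply not emitted.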
  • Aviatrix Cloud Controller Flaw Enables Remote Code Execution via Authentication Bypass
    Mandiant discovered two critical vulnerabilities in Aviatrix Controller, a cloud management tool. The first flaw (CVE-2025-2171) allows attackers to bypass authentication by brute-forcing weak 6-digit password reset tokens with no lockout mechanism. This grants admin access, enabling exploitation of the second vulnerability (CVE-2025-2172), a command injection flaw in the controller’s Python back-end, leading to root-level remote code execution. Successful attacks could compromise entire cloud environments, deploy backdoors, or escalate privileges. Aviatrix patched the issues in January 2025, urging users to update immediately, restrict controller access, and reapply patches after upgrades. These flaws underscore risks in centralized cloud management systems.
    Read full article: Gbhackers
  • OPPO Clone Phone Vulnerability Leaks Sensitive Data via Weak WiFi Hotspot
    A high-severity vulnerability (CVE-2025-27387, CVSS 7.4) in OPPO’s Clone Phone app exposes sensitive user data via a weakly secured WiFi hotspot during device transfers. The app’s temporary hotspot uses a predictable password, enabling nearby attackers to intercept personal files like photos, contacts, and messages without user interaction. Exploitation requires proximity to the target’s WiFi network but no credentials. OPPO advises updating the app once patched and avoiding public use of the feature until then. Researchers note similar flaws in other Android manufacturers’ data transfer tools, emphasizing weak authentication risks. This highlights the need for stronger default security practices in device migration services to prevent widespread data leaks.
    Read full article: Gbhackers
  • MongoDB Hit by Pre-Auth Denial of Service Vulnerability
    MongoDB was impacted by a pre-authentication Denial of Service (DoS) vulnerability, disclosed on June 27, 2025, which could allow attackers to disrupt services without requiring prior authentication. The flaw, linked to JSON parsing and potential stack overflow issues, risks crashing database instances via specially crafted requests. This vulnerability affects systems running unpatched MongoDB versions, exposing them to DDoS attacks. Mitigation requires applying security updates to address the exploit vector. The report emphasizes the criticality of prompt patching to prevent exploitation. Further details on the vulnerability were restricted to verified supporters.
    Read full article: Securityonline
  • Citrix bleeds again: This time a zero-day exploited – patch now
    Citrix issued an emergency patch for a critical zero-day vulnerability (CVE-2025-6543) in NetScaler ADC and Gateway, rated 9.2 CVSS. This memory overflow flaw allows control flow disruption or denial of service on misconfigured appliances and was exploited in the wild. Affected versions include 14.1, 13.1, 13.1-FIPS, and end-of-life 12.1/13.0. A prior flaw (CVE-2025-5777), similar to 2023’s CitrixBleed, requires terminating active sessions post-patch to prevent session hijacking. Experts warn compromised devices may already host persistent backdoors, urging immediate remediation. Both vulnerabilities risk ransomware, espionage, and further exploitation if unaddressed.
    Read full article: Theregister

In-Depth Expert CTI Analysis

Recent cybercriminal arrests, including BreachForums administrators and REvil members, highlight global law enforcement efforts, though persistent threats like ransomware (e.g., Qilin, Inc. Ransom) continue disrupting healthcare, aviation, and critical infrastructure. Critical vulnerabilities in MOVEit, Mitsubishi HVAC, MongoDB, and Citrix NetScaler underscore systemic risks, with attackers exploiting outdated systems and AI-enhanced tactics like ClickFix social engineering. State-sponsored actors (China’s LapDogs, Iran’s APT42) leverage advanced espionage tools, while hacktivist groups escalate retaliatory attacks. Emerging AI-driven threats, including LLM-powered phishing and malware, amplify attack efficiency, demanding proactive patching, Zero-Trust models, and cross-sector collaboration to mitigate escalating cyber risks.

Proactive Defense and Strategic Foresight

Proactive defense demands continuous threat intelligence integration, leveraging insights from recent breaches (e.g., MOVEit, Citrix, Mitsubishi) to anticipate attack vectors. Strategic foresight requires hardening third-party ecosystems, as seen in supply chain compromises (Glasgow Council, UNFI) and IoT/OT vulnerabilities (Ruckus routers, HVAC systems). AI-driven threats (LLM abuse, ClickFix) and adaptive adversaries (Scattered Spider, APT42) necessitate anomaly detection and Zero-Trust frameworks. Organizations must prioritize patching cadence, secure software sourcing, and red team exercises to mitigate risks highlighted by recurring ransomware (McLaren, NHS) and DDoS campaigns. Collaboration, real-time threat sharing, and maturity models (e.g., FS-ISAC’s DDoS framework) are critical to preempting emerging TTPs and minimizing operational disruption.

    Evolving Ransomware and Malware Tactics

    Ransomware and malware tactics continue evolving with increased sophistication, leveraging AI-driven automation, supply chain compromises, and zero-day exploits. Recent incidents highlight attackers targeting critical infrastructure (e.g., healthcare, aviation) for maximum disruption, while APTs deploy novel backdoors like Beardshell. Cybercriminals exploit trusted platforms (Discord, Zoom) and IoT vulnerabilities to bypass defenses, while AI-generated phishing and dark web tools lower entry barriers. Ransomware groups have increasingly pivoted to data exfiltration and double extortion, as seen in repeat attacks on healthcare providers. Despite law enforcement disruptions, adaptive tactics, such as hijacking third-party vendors and abusing unpatched systems, underscore the need for proactive threat hunting, real-time anomaly detection, and rigorous patch management.

    State-Sponsored and Organized Cybercrime Convergence

    The convergence of state-sponsored and organized cybercrime is increasingly evident, with nation-state actors adopting criminal tactics like ransomware (e.g., Qilin’s NHS attack) while criminal groups leverage advanced tools (e.g., Chinese LapDogs’ ORB network). State-aligned groups (APT42, Scattered Spider) exploit criminal infrastructure, such as hijacked IoT devices and AI-driven phishing, blurring operational boundaries. Geopolitical agendas drive attacks like Iranian hacktivists targeting U.S. entities, while criminal forums (BreachForums) persist despite law enforcement actions. Critical vulnerabilities (Citrix Bleed, MOVEit) are weaponized by both cohorts, amplifying risks to healthcare, finance, and infrastructure. This symbiosis demands unified defenses against hybrid threats exploiting technical and human vulnerabilities.

      Operational and Tactical Implications

      The operational landscape demands heightened vigilance as law enforcement actions against cybercrime forums like BreachForums create temporary disruptions, likely prompting threat actors to regroup or rebrand. Tactically, organizations must prioritize patching critical vulnerabilities (e.g., Citrix Bleed, MOVEit) and securing third-party vendors, given escalating supply chain attacks impacting healthcare, retail, and critical infrastructure. Proactive measures, including AI-driven anomaly detection and Zero-Trust frameworks, are essential to counter advanced phishing, DDoS, and ransomware campaigns. The resurgence of REvil-linked actors and state-sponsored espionage (e.g., Chinese ORB networks, North Korean social engineering) underscores the need for real-time threat intelligence sharing and robust incident response protocols to mitigate operational downtime and data exfiltration risks.

      Forward-Looking Recommendations

      • Enhance Third-Party Risk Management: Implement stringent vendor assessments and continuous monitoring to mitigate supply chain vulnerabilities, as seen in attacks on Glasgow City Council and Ahold Delhaize.
      • Prioritize Zero-Day and IoT Patching: Address critical vulnerabilities (e.g., Mitsubishi HVAC, Hunt DVRs) through immediate updates, network segmentation, and legacy system modernization to prevent exploitation.
      • Adopt AI-Driven Threat Detection: Counter AI-enhanced phishing and malware campaigns with advanced anomaly detection, autonomous response tools, and validated AI model sourcing to combat threats like FraudGPT.
      • Strengthen DDoS and Ransomware Defenses: Deploy frameworks like the DDoS Maturity Model, enforce offline backups, and conduct ransomware simulations to minimize operational disruption.
      • Expand Employee Training: Mitigate social engineering (e.g., ClickFix, fake Zoom lures) with regular phishing drills and verification protocols for unsolicited requests.
      • Enforce Zero-Trust Architectures: Limit lateral movement via strict access controls, MFA, and least-privilege policies, particularly for critical infrastructure and cloud management systems.
      • Accelerate Threat Intelligence Sharing: Foster cross-sector collaboration and real-time data exchange to preempt APT campaigns (e.g., Blind Eagle, Scattered Spider) and emerging TTPs.

      Additional Resources & Contact

      VerSprite on LinkedIn

      VerSprite on Twitter

      Email VerSprite

      Subscribe for Our Updates
