VerSprite Weekly Threat Intelligence

Date Range: 30 June 2025 – 04 July 2025

Issue: 20th Edition

Reported Period Victimology

Security Triumphs of the Week

This week saw significant global cybersecurity enforcement: U.S. agencies dismantled a $14.6 billion healthcare fraud network and sanctioned Russia-linked Aeza Group for enabling ransomware, while Europol disrupted a €460 million crypto fraud. Spanish authorities arrested 21 in a €10 million investment scam, and the DOJ countered North Korean IT worker schemes funding weapons programs. Hunters International ransomware group disbanded, releasing decryption keys, and a London smishing operation was halted. These actions highlight intensified cross-border collaboration, advanced tech integration, and evolving criminal tactics amid rising financial and cyber threats.

  • Feds Identify $14.6 Billion in Healthcare Fraud in Takedown
    The U.S. Department of Justice, alongside HHS and other agencies, identified $14.6 billion in healthcare fraud in 2025, the largest such enforcement action to date. The takedown involved criminal charges against 324 defendants, including medical professionals, for schemes like fraudulent billing for COVID-19 testing, telemedicine, and durable medical equipment. A new multi-agency “Healthcare Fraud Data Fusion Center” will leverage AI, cloud computing, and analytics to enhance fraud detection and investigations. The initiative builds on prior efforts like the HEAT Task Force and aligns with federal directives to eliminate data silos. Notably, a $894 million COVID-19 testing fraud case led to HIPAA violation charges against a physician and co-conspirators. Authorities aim to accelerate enforcement through improved inter-agency collaboration and advanced technologies.
    Read full article: Bankinfosec
  • U.S. Treasury Sanctions Bulletproof Hosting Firm Fueling Ransomware Campaigns
    The U.S. Treasury sanctioned Russia-based Aeza Group, a bulletproof hosting provider, for enabling global cybercrime, including ransomware attacks by groups like BianLian and Meduza, which targeted U.S. defense contractors and tech firms. The firm also supported BlackSprut, a darknet marketplace trafficking illicit drugs like fentanyl. Sanctions cover Aeza’s UK and Russian subsidiaries, four leaders, and a cryptocurrency wallet processing over $350,000 in illicit transactions. This follows prior actions against similar entities, emphasizing international efforts with the UK to disrupt cybercrime infrastructure. Asset freezes and transaction bans are now enforced under U.S. jurisdiction.
    Read full article: Gbhackers
  • Europol Dismantles Massive Crypto Investment Scam Targeting 5000+ victims Worldwide
    Europol and international law enforcement dismantled a major cryptocurrency investment fraud network, defrauding over 5,000 victims globally and laundering €460 million. Operation BORRELLI, led by Spain’s Guardia Civil with support from Estonia, France, the U.S., and Europol, resulted in five arrests in Spain on June 25, 2025. The group used a Hong Kong-based corporate structure, payment gateways, and crypto exchanges to obscure illicit funds. Europol provided critical coordination and digital forensic expertise since 2023. The investigation remains ongoing, highlighting the sophistication of online fraud, which Europol warns is an escalating “epidemic” fueled by AI-driven tactics. This case underscores the need for global collaboration against increasingly complex financial crimes.
    Read full article: Gbhackers
  • U.S. DOJ Cracks Down on North Korean Remote IT Workforce Operating Illegally
    The U.S. DOJ disrupted a North Korean scheme using remote IT workers to fraudulently obtain jobs at U.S. companies, including Fortune 500 firms, to fund weapons programs. Actions included arrests, seizing 29 financial accounts, 21 websites, and searching 29 “laptop farms” across 16 states. North Korean operatives, aided by accomplices globally, used stolen or fake identities to access sensitive data and steal funds, including $900,000 in cryptocurrency. U.S.-based facilitators set up shell companies and infrastructure, receiving over $696,000. Indictments targeted individuals like Zhenxing Wang and North Korean nationals for wire fraud and money laundering. The DOJ warns this is part of a broader campaign to evade sanctions and urges companies to enhance vigilance against such threats.
    Read full article: Gbhackers
  • Police Dismantle Investment Fraud Ring Stealing €10 Million
    Spanish authorities dismantled a €10 million investment fraud ring, arresting 21 suspects in coordinated raids across Barcelona, Madrid, Mallorca, and Alicante. The group operated since 2022, using fake advisors, manipulated websites, and social media ads mimicking legitimate brands to lure victims into fraudulent cryptocurrency, forex, and stock investments. Victims were shown fake profits and charged bogus fees to withdraw funds, which were later blocked. The scheme utilized temporary call centers with panic buttons to evade detection, a rare tactic in Spain. Police seized luxury vehicles, cash, and cryptocurrency. This follows recent Spanish crackdowns on similar scams, including a €460 million crypto fraud and AI-driven investment schemes.
    Read full article: Bleepingcomputer
  • Ransomware Crew Hunters International shuts down, hands out keys to victims
    Hunters International, a ransomware group, announced its shutdown and released decryption keys to victims as a “gesture of goodwill,” deleting all data from its dark web leak site. The group cited increasing risks, legal pressures, and ransomware’s classification as terrorism as factors, aligning with its April remarks on the model’s declining viability. Researchers suggest the group is likely rebranded as World Leaks, shifting to extortion-only attacks without encryption. Hunters were known for high-profile breaches, including Tata Technologies and a US plastic surgery clinic, leaking sensitive data. While offering decryption tools, the group’s exit likely reflects strategic adaptation rather than genuine remorse, continuing malicious activities under a new identity.
    Read full article: Theregister
  • Chinese Student Charged in Mass Smishing Campaign to Steal Victims’ Personal Information
    Ruichen Xiong, a Chinese student, was sentenced to over a year in prison for operating a mass smishing campaign in London using an SMS Blaster device from his car. The rogue equipment mimicked mobile networks to send fraudulent texts impersonating trusted entities, directing victims to fake sites harvesting personal and financial data. The Dedicated Card and Payment Crime Unit (DCPCU) led the investigation, collaborating with telecom providers, the NCSC, and Ofcom. Over 168 million scam texts were blocked in two years, alongside arrests of seven others and seizure of additional SMS Blasters. Authorities urged vigilance, advising the public to report suspicious texts to 7726 and follow anti-fraud guidelines like the Take Five campaign. The case highlights the need for cross-sector cooperation and public awareness to combat evolving cyber threats.
    Read full article: Gbhackers
  • Hacker Pleads Guilty to Breaching Company Networks to Pitch His Own Services
    Nicholas Michael Kloster, a Kansas man, pleaded guilty to hacking a health club, a nonprofit, and his former employer to promote his cybersecurity services. He breached networks, manipulated systems to reduce his gym membership fee to $1, stole sensitive data, and installed unauthorized VPNs. Kloster contacted victims to claim responsibility for breaches and offer remediation services. He also stole credit card data from his former employer to purchase hacking tools. The breaches caused significant financial losses for the targeted organizations. Kloster faces up to five years in prison, fines, and restitution, with sentencing pending.
    Read full article: Techradar

Security Setbacks of the Week

This week’s cybersecurity landscape saw critical infrastructure and global institutions under siege, with Norway’s dam breach and the ICC cyberattack highlighting vulnerabilities in essential systems and justice mechanisms. Ransomware surged 213% in Q1 2025, targeting industrial and tech sectors via zero-day exploits, while education faced systemic risks as Columbia University exposed 2.5 million records. Third-party breaches, including Switzerland’s Radix and Ahold Delhaize, underscored supply chain weaknesses, and state-aligned actors like LapDogs exploited IoT devices for espionage. Hybrid threats emerged as groups like Keymous+ blended hacktivism with profit, emphasizing the urgent need for enhanced defenses, cross-sector collaboration, and proactive resilience against evolving attack vectors.

  • Hackers Breach Norwegian Dam, Triggering Full Valve Opening
    A ransomware attack on UK NHS provider Synnovis, attributed to Qilin, caused critical service disruptions linked to a patient’s death. Chinese group Salt Typhoon targeted Canadian telecoms via Cisco vulnerabilities, while Russian APT28 deployed novel backdoors (Beardshell, Slimagent) in Ukraine through Signal. SAP and Citrix patched critical flaws exposing sensitive data, including Citrix Bleed 2. Suspected Chinese actors used Microsoft ClickOnce to attack energy sectors with RunnerBeacon malware. Brother printers face an unfixable authentication bypass flaw (CVE-2024-51978) affecting 689 models. Ransomware hit US Dairy Farmers of America, disrupting operations, while Iranian hackers disrupted Albanian public services. EU experts urged infrastructure takedowns against Chinese and North Korean cyberthreats.
    Read full article: Gbhackers
  • International Criminal Court Hacked via Sophisticated Cyber Campaign
    The International Criminal Court (ICC) experienced a sophisticated cyberattack last week, its second major breach in recent years. Swift detection and containment were achieved through the ICC’s cybersecurity systems, with a full impact analysis ongoing. While details on perpetrators remain undisclosed, the attack coincided with a Hague-based international summit, raising concerns about motives. The ICC, currently handling high-profile war crime cases, previously faced a 2023 cyber-espionage incident that prompted enhanced security measures. The Court warned of potential disinformation campaigns and urged member states to support its cybersecurity efforts. This incident underscores growing threats to global justice institutions.
    Read full article: Gbhackers
  • Cryptohack Roundup: Inside the $100M Nobitex Breach
    This week’s cybersecurity incidents in digital assets include Iran’s Nobitex exchange suffering a $100 million breach and source code leak, revealing sanctions evasion tactics and privacy tools to bypass blockchain analytics. Europol and Spanish police dismantled a €460 million crypto fraud network arresting five suspects. Resupply stablecoin lost $9.5 million due to an exploit manipulating exchange rates. A Pennsylvania man received an eight-year sentence for a $40 million crypto Ponzi scheme. U.S. prosecutors charged North Korean nationals with stealing $900,000 in crypto via employment fraud and laundering funds through shell accounts.
    Read full article: Bankinfosec
  • Columbia University Hack Exposes Higher Ed Cyber Gaps
    A cyberattack on Columbia University exposed data on 2.5 million student applications, allegedly orchestrated by a politically motivated “hacktivist” displaying President Trump’s image during the breach. The incident underscores systemic cybersecurity challenges in higher education, including underfunded defenses, open network environments, and rising nation-state threats. Experts warn budget constraints and reduced federal support exacerbate vulnerabilities, leaving institutions ill-prepared against sophisticated attacks. Columbia’s breach coincides with heightened geopolitical tensions, including Iranian cyber retaliation risks. The university, aided by CrowdStrike, is assessing the breach’s scope, with notifications potentially taking months. Research highlights a surge in attacks on education sectors, emphasizing long-term risks of underinvesting in cyber resilience.
    Read full article: Bankinfosec
  • Ransomware Attacks on Organizations Surge 213% in Q1 of 2025
    Ransomware attacks surged 213% in Q1 2025, with 2,314 victims across 74 breach sites, up from 1,086 in Q1 2024. New variants like Cl0p, RansomHub, and Akira overtook LockBit, driven by zero-day exploits (e.g., Cl0p’s 1400% spike via Cleo MFT vulnerabilities) and rebranding. Industrials, consumer cyclicals, and technology sectors were most targeted, with North America hardest hit. Attackers leveraged phishing, software vulnerabilities (VMware ESXi, Microsoft Exchange), and supply-chain breaches. Ransomware-as-a-service models, double-extortion tactics, and emerging groups like VanHelsing persist, while state-sponsored APTs may increasingly target critical infrastructure. The threat landscape is expected to worsen with affiliate migrations and rebranding in 2025.
    Read full article: Gbhackers
  • Keymous+ Hacker Group Claims Responsibility for Over 700 Global DDoS Attacks
    The Keymous+ hacker group has claimed responsibility for over 700 global DDoS attacks in 2025, targeting government, telecom, financial, educational, and industrial entities across Europe, North Africa, the Middle East, and Asia. Their motives remain unclear, lacking a consistent ideological narrative despite occasional hacktivist slogans. The group collaborates with entities like NoName057(16) and AnonSec, while operating a dual-team structure for breaches and DDoS campaigns. Evidence links them to EliteStress, a DDoS-for-hire service, suggesting commercial motives. Keymous+ combines hacktivism with profit-driven activities, leveraging marketing tactics and alliances to amplify their reach, reflecting a hybrid threat in the evolving cyber landscape.
    Read full article: Gbhackers
  • China-backed “LapDogs” hackers hijacked hundreds of devices in an outlandish intel campaign aimed at US and Asian targets
    A China-linked cyber espionage group, LapDogs, has compromised over 1,000 devices in the U.S., Japan, South Korea, Taiwan, and Hong Kong since September 2023. Targeting sectors like real estate, media, and IT, the campaign hijacks SOHO routers and IoT devices to create stealthy Operational Relay Boxes (ORBs) for persistent surveillance. The attackers deploy a custom backdoor, ShortLeash, which grants root access and disguises malicious traffic as legitimate using forged TLS certificates mimicking the Los Angeles Police Department. This tactic evades traditional detection tools, enabling months-long undetected access. SecurityScorecard highlights the strategic shift toward exploiting low-visibility devices, complicating threat detection via conventional indicators. The operation underscores vulnerabilities in decentralized networks and calls for proactive security measures to counter persistent espionage risks.
    Read full article: Techradar
  • Swiss Government Confirms Radix Ransomware Attack Leaked Federal Data
    The Swiss government confirmed a ransomware attack on Radix, a non-profit health foundation serving federal offices, led to 1.3 terabytes of sensitive federal data being leaked by the Sarcoma ransomware group. The breach, involving financial records, contracts, and private correspondence, occurred after Radix refused ransom demands. While federal IT systems were not directly compromised, Radix’s independent operations allowed attackers to access and exfiltrate data. Authorities, including the National Cyber Security Centre, are assessing the impact and coordinating with affected federal units. Radix notified individuals at risk of exposed personal data and warned of potential phishing attempts. This marks Switzerland’s second major third-party data exposure recently, underscoring vulnerabilities in supply chain security. Swiss officials urge enhanced cybersecurity measures for organizations handling government data.
    Read full article: Gbhackers
  • Ahold Delhaize Data Breach Exposes Personal Information of 2.2 million Shoppers
    Ahold Delhaize USA Services confirmed a data breach impacting 2.2 million U.S. shoppers, including 95,463 Maine residents, due to an external hacking incident on November 5, 2024. The breach exposed names and personal identifiers, though financial data involvement remains unspecified. Notifications began June 26, 2025, with the company offering 24 months of free Experian credit monitoring and identity protection. Ahold Delhaize emphasized collaboration with law enforcement and cybersecurity experts to investigate and bolster security. Affected customers are advised to monitor accounts and consider fraud alerts. The incident underscores persistent retail sector vulnerabilities amid rising cyber threats, likely prompting stricter regulatory scrutiny and data protection demands.
    Read full article: Gbhackers
  • CIEE Data Breach Exposes 248K Brazilian Records: Medical Reports, CVs, & Videos Leaked from Google Cloud
    A misconfigured Google Cloud Storage bucket at CIEE, a Brazilian internship organization, exposed 248,725 sensitive records, including medical reports, CVs, videos, and taxpayer IDs. The leak, attributed to threat actor “888,” involved 28 GB of data from unsecured files, validated by Resecurity. The actor, known for targeting major corporations, monetizes authentic leaks via dark web forums. Exposed biometric and medical data poses long-term risks, as such information cannot be easily reset. The breach underscores widespread cloud misconfiguration risks, emphasizing the need for improved access controls and proactive threat monitoring. Resecurity urged organizations to prioritize vulnerability assessments and threat intelligence.
    Read full article: Securityonline
  • Venture capital giant IdeaLab confirms breach, says private data was stolen in attack
    The Cyber Monitoring Centre (CMC) has classified the 2025 cyberattacks on UK retailers Marks & Spencer (M&S) and Co-op as a single coordinated event by the threat actor Scattered Spider, citing shared tactics, timing, and responsibility claims. The combined financial impact is estimated to be between £270-440 million, driven primarily by business disruption, data loss, and recovery costs. Both firms faced IT system takedowns, with M&S projecting £300 million in lost profits. Stolen data included customer addresses, phone numbers, and birthdates, but excluded payment details. The CMC excluded Harrods’ concurrent attack due to insufficient information. The incident highlights systemic risks to supply chains and partners beyond the direct targets.
    Read full article: Techradar
  • Ingram Micro suffers global outage as internal systems are inaccessible
    Ingram Micro, a major global IT distributor, faced a widespread outage starting Thursday, rendering its websites and internal systems inaccessible to customers and employees. The company, which reported $48 billion in revenue in 2024, has not disclosed the cause, fueling speculation about a potential cyberattack, including ransomware. Customers and staff reported limited communication, with some claiming internal references to a security incident. The outage triggered error messages via Akamai or maintenance notices on its site. While unconfirmed, prolonged downtime and system shutdowns align with breach indicators. BleepingComputer reached out to Ingram Micro but received no official response.
    Read full article: Bleepingcomputer
  • Medical Device Maker Surmodics Recovering from Attack
    Surmodics, a Minnesota-based medical device manufacturer, is recovering from a June 2025 cyberattack that disrupted IT systems and data access, signaling potential ransomware involvement. The company restored critical operations using alternative methods to maintain product shipments and expects cyber insurance to cover most costs. Similar incidents affected other medical device firms, including Masimo, which faced production disruptions but anticipated minimal financial impact, and Artivion, which experienced data theft and encryption in late 2024. These attacks highlight rising cybersecurity risks in the healthcare sector, with companies increasingly relying on insurance and recovery plans to mitigate operational and financial fallout.
    Read full article: Bankinfosec

The New Emerging Threats

Emerging cyber threats highlight intensified state-aligned hacktivism, with pro-Russian groups targeting NATO and Ukrainian allies via DDoS and data theft, while Iranian-linked actors exploit Middle East tensions through ICS sabotage. North Korean operatives leverage AI and social engineering to infiltrate global tech sectors, and ransomware ecosystems evolve with RaaS models like DragonForce and experimental variants like DEVMAN. Advanced malware tools such as BUBBAS GATE and macOS-targeting NimDoor underscore adversaries’ growing technical sophistication, while AI-driven phishing exploits and criminal-state collaboration blur attribution lines. These trends demand enhanced defenses, behavioral detection, and cross-sector coordination to mitigate risks to critical infrastructure.

  • Pro-Russian Hackers Forge New Alliances for High-Profile Cyberattacks
    Pro-Russian hacktivist groups have intensified cyber campaigns amid geopolitical tensions, leveraging alliances and evolving tools to target NATO countries and Ukrainian allies. Groups like NoName057(16), Dark Storm Team, and ServerKillers executed coordinated DDoS attacks, such as #OpLithuania, following political criticisms. Emerging factions like IT Army of Russia and TwoNet employ SQL injections, DDoS, and insider data theft, collaborating with established groups to amplify impact. Alleged state ties persist, with U.S. sanctions and research linking groups like Cyber Army of Russia Reborn to Russian intelligence. Attacks expanded to Israeli targets, reflecting Iran-Russia alignment. Escalating hacktivism underscores risks to global infrastructure, necessitating enhanced defenses and international coordination.
    Read full article: Gbhackers
  • North Korean IT Workers Employ New Tactics to Infiltrate Global Organizations
    North Korean IT workers are using advanced AI tools and voice-changing software to infiltrate global organizations, creating fraudulent identities and evading detection. Since 2020, these operatives, often based in China and Russia, have targeted tech roles to generate revenue for the DPRK and steal sensitive data. Tactics include AI-enhanced forged documents, fake professional personas on platforms like LinkedIn, and VPNs to mask locations. Facilitators assist with logistics, payment laundering, and managing “laptop farms.” Microsoft has disrupted 3,000 accounts and employs AI to detect anomalies, while U.S. indictments reveal millions in losses. The threat extends to intellectual property theft and extortion, urging stricter vetting and monitoring of digital footprints.
    Read full article: Gbhackers
  • Chinese Hackers Turn Unpatched Routers into ORB Spy Network
    Chinese nation-state hackers have built a covert ORB (operational relay box) spy network by hijacking unpatched Linux-based routers and IoT devices, primarily targeting Ruckus Wireless and Buffalo Technology hardware in the U.S., Japan, South Korea, Taiwan, and Hong Kong. Dubbed “LapDogs,” the network leverages a custom backdoor called ShortLeash, which exploits known vulnerabilities (CVE-2015-1548, CVE-2017-17663) in outdated devices to establish persistence, mimic legitimate services, and relay stolen data. Forensic evidence, including Mandarin-language developer notes and infrastructure patterns, strongly links the activity to Chinese cyberespionage groups. The ORB network anonymizes attacks, evades detection, and aligns with tactics of groups like Volt Typhoon. Security researchers attribute the campaign to centralized Chinese threat actors coordinating localized tasking and infrastructure for espionage.
    Read full article: Bankinfosec
  • Hacktivist Group Launches Attacks on 20+ Critical Sectors Amid Iran–Israel Conflict
    A surge in cyberattacks targeting over 20 critical sectors in Israel and allied nations has been linked to escalating Iran-Israel tensions, with over 80 hacktivist groups involved. Pro-Iranian and pro-Palestinian groups attacked government, military, energy, financial, and industrial systems, using tactics ranging from DDoS to sophisticated ICS/OT sabotage. Groups like GhostSec and Mysterious Team Bangladesh claimed high-impact operations, while suspected state-linked “faketivist” actors employed custom tools like wipers and AI-assisted exploits. The attacks blend ideological motives with potential state sponsorship, complicating attribution. Coordinated efforts among groups and data leaks aim to destabilize civilian and military infrastructure. Analysts warn of expanded targeting of allied nations and retaliatory cyber campaigns if hostilities persist.
    Read full article: Gbhackers
  • Cybercriminals Exploit LLM Models to Enhance Hacking Activities
    Cybercriminals are exploiting large language models (LLMs) to enhance hacking, using uncensored models like OnionGPT and custom tools like FraudGPT to generate phishing content, malware, and offensive security tools. Malicious actors bypass ethical safeguards via jailbreaking techniques (e.g., DAN prompts) or manipulate legitimate LLMs by poisoning data sources. Vulnerabilities in platforms like Hugging Face allow backdoored models to infect systems. While these AI tools amplify attack efficiency and scale, many dark web offerings are scams. The evolving misuse of LLMs underscores the need for vigilance in sourcing and securing AI systems to counter emerging cyber threats.
    Read full article: Gbhackers
  • Scattered Spider Enhances Tactics to Exploit Legitimate Tools for Evasion and Persistence
    Scattered Spider, a financially motivated cybercriminal group active since 2022, has evolved its tactics to exploit legitimate tools like TeamViewer, AWS Systems Manager, and Teleport for stealthy persistence and evasion. Known for social engineering, including IT help desk impersonation and MFA fatigue attacks, the group targets high-privilege accounts to bypass traditional security measures. They leverage cloud and on-premises environments, using tools like Mimikatz for credential theft and BYOVD attacks to disable endpoint defenses. Recent breaches highlight their collaboration with ransomware groups like ALPHV/BlackCat, employing double-extortion schemes. Defenses require strengthened identity security, phishing-resistant MFA, strict cloud controls, and monitoring of remote tools and network anomalies to counter their adaptive, low-malware approach.
    Read full article: Gbhackers
  • New ‘BUBBAS GATE’ Malware Advertised on Telegram Boasts SmartScreen and AV/EDR Bypass
    A new malware loader named “BUBBAS GATE” emerged on underground forums and Telegram channels, promoted for its advanced evasion capabilities against Microsoft SmartScreen and AV/EDR solutions. Advertised since June 22, 2025, it employs indirect syscalls, modified VEH, PEB walking, and custom encryption to bypass detection. The loader supports multiple architectures and programming frameworks, with features like persistence, anti-VM checks, stealth mechanisms, and privilege escalation. Priced at $200 per build, it includes a 15-day “Windows Defender warranty.” However, its effectiveness remains unverified, with no leaked samples or independent validation. BUBBAS GATE highlights the escalating arms race between malware developers and security defenses, urging organizations to monitor for emerging threats and patch vulnerabilities.
    Read full article: Gbhackers
  • Gamaredon Unleashes Six New Malware Tools for Stealth, Persistence, and Lateral Movement
    Gamaredon, a Russia-aligned APT group linked to the FSB, intensified cyberespionage against Ukrainian institutions in 2024, abandoning NATO targets. Spearphishing campaigns surged, using malicious archives and XHTML files to deploy VBScript downloaders, with October experiments leveraging Cloudflare-hosted domains for evasion. The group introduced six new PowerShell/VBScript-based tools, including PteroTickle for lateral movement and PteroGraphin for encrypted payload delivery via Telegraph API. Existing tools like PteroPSDoor were upgraded with advanced obfuscation and WMI event subscriptions. Infrastructure shifted to Cloudflare tunnels and third-party services (Telegram, Codeberg) to bypass defenses. Gamaredon’s evolving tactics underscore its adaptability as a persistent cyberespionage threat amid ongoing Russia-Ukraine tensions.
    Read full article: Gbhackers
  • DragonForce Ransomware Equips Affiliates with Modular Toolkit for Crafting Custom Payloads
    DragonForce Ransomware, active since December 2023, has evolved into a major Ransomware-as-a-Service (RaaS) threat, targeting high-value industries globally. Its modular toolkit enables affiliates to create customized payloads with adaptive encryption, stealth techniques to bypass EDR systems, and tools for lateral movement. The group employs double extortion, encrypting data and threatening leaks via its “DragonLeaks” portal. Initial access methods include phishing, Log4Shell exploits, and compromised credentials, followed by tools like Cobalt Strike and Mimikatz for post-exploitation. DragonForce leverages leaked LockBit and Conti ransomware code, enhancing its technical sophistication. Recent rivalries with groups like RansomHub highlight escalating tensions in the RaaS ecosystem. Organizations are urged to bolster defenses against its evolving tactics.
    Read full article: Gbhackers
  • New DEVMAN Ransomware by DragonForce Targets Windows 10 and 11 Users
    A new ransomware variant, DEVMAN, linked to the DragonForce and Conti families, targets Windows 10 and 11 systems. It encrypts files with the .DEVMAN extension, uses SMB for lateral movement, and displays ransom notes via desktop wallpapers (successful on Windows 10 but not Windows 11). Critical flaws include self-encrypting ransom notes and deterministic file renaming, suggesting it is experimental. DEVMAN operates offline without C2 communication, relying on local SMB probing, and uses Conti-derived tactics like mutexes and Restart Manager. Despite inconsistencies, it highlights evolving RaaS trends, with a dedicated leak site claiming ~40 victims in Asia and Africa. Security tools like sandbox analysis aid in detecting its behaviors and IOCs.
    Read full article: Gbhackers
  • TA829 Hackers Use New TTPs and Enhanced RomCom Backdoor to Evade Detection
    The cybercriminal group TA829 (aka RomCom) has intensified operations in 2025, deploying advanced tactics like automated infrastructure and an upgraded RomCom backdoor (SingleCamper) to evade detection. Their phishing campaigns use compromised routers and spoofed cloud storage links, while overlapping tactics with another cluster, UNK_GreenSec, suggest potential shared infrastructure or testing of tools like TransferLoader. TA829’s updated tools, including Rust-based loaders and encrypted payloads, target defense sectors and blend cybercrime with espionage, hinting at possible state-aligned resource access. The group’s evolving strategies highlight the convergence of criminal and state-sponsored motives in the threat landscape.
    Read full article: Gbhackers
  • New macOS Malware Uses Process Injection and Remote Access to Steal Keychain Credentials
    A North Korean-aligned threat group is targeting Web3 and cryptocurrency firms with a new macOS malware family called NimDoor, which combines process injection, encrypted communications, and multi-language payloads to steal sensitive data. The attack chain begins with social engineering via Telegram, tricking victims into executing a fake Zoom SDK update script. Malicious AppleScripts and binaries written in Nim and C++ enable credential theft from Keychain, browsers, and Telegram, while using WebSocket-over-TLS (wss) for stealthy C2 communication. Persistence is achieved through signal-handler hijacking (SIGINT/SIGTERM) and deceptive binaries masquerading as legitimate processes. The campaign highlights DPRK actors’ evolving use of cross-platform languages like Nim to bypass traditional defenses, underscoring the need for behavioral detection in macOS environments.
    Read full article: Gbhackers
  • Experts warn this top GenAI tool is being used to build phishing websites
    Okta researchers warn that the GenAI tool v0.dev, developed by Vercel, is being exploited by threat actors to create convincing phishing websites mimicking legitimate sign-in pages. These sites, hosted on Vercel’s infrastructure, leverage AI-generated logos and designs to evade detection, targeting services like Microsoft 365 and cryptocurrency platforms. The tool’s natural language interface lowers technical barriers, enabling even inexperienced attackers to build fraudulent sites. Despite mitigation efforts, AI’s widespread use complicates prevention. Okta advises organizations to enforce multi-factor authentication tied to original domains and update cybersecurity training to address AI-driven phishing risks. Additionally, GenAI tools are increasingly citing fake URLs, amplifying credential theft threats.
    Read full article: Techradar

Vulnerability Spotlight: Critical Exposures Unveiled

Critical vulnerabilities across browsers, enterprise systems, IoT devices, and development tools dominated the threat landscape, with multiple zero-day exploits and remote code execution (RCE) flaws actively weaponized. High-severity issues in Google Chrome, Apache services, Cisco Unified CM, and HIKVISION platforms exposed organizations to espionage, data theft, and network compromise, while end-of-life D-Link routers and PHP vulnerabilities amplified risks for unpatched systems. Threat actors, including Chinese-linked groups, exploited these weaknesses to deploy rootkits, hijack traffic, and infiltrate critical sectors. Notably, a flaw in Cl0p ransomware’s own tooling revealed vulnerabilities within criminal ecosystems. Urgent patching, network segmentation, and strict access controls remain critical as adversaries increasingly target supply chains and trusted software ecosystems.

  • Chrome 0-Day Flaw Exploited in the Wild to Execute Arbitrary Code
    Google issued an urgent update for Chrome to address a critical zero-day vulnerability (CVE-2025-6554), a type confusion flaw in the V8 JavaScript engine exploited in attacks. The flaw allows attackers to execute arbitrary code via malicious web pages, risking system compromise. Patches (versions 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for Mac, and 138.0.7204.96 for Linux) are being rolled out, with technical details withheld to prevent further exploitation. Google urges immediate updates, as the bug is actively leveraged by threat actors for espionage, malware delivery, or data theft. This highlights the ongoing targeting of browsers by advanced adversaries.
    Read full article: Gbhackers
  • Critical D-Link Router Flaws Allow Remote Code Execution by Attackers
    Critical vulnerabilities in D-Link DIR-816 routers (non-US) expose users to remote code execution and network compromise. Six flaws, including four stack-based buffer overflows and two OS command injection vulnerabilities, allow unauthenticated attackers to take full control of devices, intercept traffic, deploy malware, or breach connected networks. The affected routers, now End of Life, will receive no security updates. D-Link urges users to replace the DIR-816 immediately, transition to supported models, and apply strong security measures if temporary use is unavoidable. Continued use poses severe risks, emphasizing the need for prompt device retirement.
    Read full article: Gbhackers
  • Apache Tomcat and Camel Vulnerabilities Actively Targeted in Cyberattacks
    A critical vulnerability (CVE-2025-48703) in CentOS Web Panel (CWP) enables unauthenticated attackers to execute arbitrary code via command injection in the t_total parameter, bypassing authentication. Affected versions include 0.9.8.1188 and 0.9.8.1204. A public PoC exploit demonstrates remote shell access by exploiting the file manager endpoint, requiring only a valid non-root username. CWP users must urgently update to patched versions, apply security controls, and monitor for attacks. This follows prior CWP RCE flaws, emphasizing recurring risks in web management panels. Immediate mitigation is critical to prevent server compromise.
    Read full article: Gbhackers
  • Critical HIKVISION applyCT Vulnerability Exposes Devices to Code Execution Attacks
    A critical vulnerability (CVE-2025-34067, CVSS 10.0) in HIKVISION’s applyCT component allows unauthenticated remote code execution via malicious JSON payloads targeting the /bic/ssoService/v1/applyCT endpoint. Exploiting a vulnerable Fastjson library, attackers can trigger arbitrary Java class loading through LDAP connections, bypassing authentication. Affected HikCentral platforms, widely used in government, commercial, and industrial sectors, risk data breaches, system manipulation, and network compromise. Active exploitation is reported, requiring immediate network segmentation, endpoint monitoring, and vendor contact for patches. Mitigation includes restricting access to the vulnerable endpoint and monitoring LDAP traffic.
    Read full article: Cybernews
  • Cisco Unified CM Vulnerability Lets Remote Attacker Gain Root Access
    A critical vulnerability (CVE-2025-20309, CVSS 10.0) in Cisco Unified Communications Manager (Unified CM) and Session Management Edition (SME) allows unauthenticated remote attackers to gain root access via static SSH credentials mistakenly included in production. These hardcoded credentials, reserved for development, cannot be modified or removed, leaving affected systems vulnerable to full compromise. Impacted versions include specific Engineering Special (ES) releases 15.0.1.13010-1 to 15.0.1.13017-1. Cisco advises immediate patching to 15SU3 or applying the CSCwp27755 patch, auditing logs for unauthorized root SSH sessions, and disabling remote access if updates are delayed. No active exploitation has been reported, but the flaw poses severe supply-chain risks.
    Read full article: Gbhackers
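    Two of the checks Cisco recommends above, auditing for root SSH sessions and confirming whether a deployed build falls in the affected ES range, are easy to script. The block below is an added example, not Cisco’s tooling or the article’s: the log lines are constructed in a generic sshd/syslog style (the exact format of Unified CM’s own logs is an assumption), the affected range 15.0.1.13010-1 to 15.0.1.13017-1 is taken from the summary and treated as inclusive, and the `allowed_sources` set stands in for whatever jump hosts an administrator actually expects root logins from.

```python
import re

# Constructed sample log lines in a generic sshd/syslog style (not from the
# advisory; Unified CM's real log format is an assumption here).
SAMPLE_LOG = """\
Jul  2 03:14:07 cucm-pub sshd[2211]: Accepted password for root from 203.0.113.45 port 51522 ssh2
Jul  2 03:14:07 cucm-pub sshd[2211]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul  2 08:02:11 cucm-pub sshd[3102]: Accepted publickey for admin from 10.0.0.12 port 40010 ssh2
Jul  2 08:30:55 cucm-pub sshd[3144]: Failed password for root from 198.51.100.9 port 60011 ssh2
Jul  2 09:10:00 cucm-pub sshd[3301]: Accepted publickey for root from 10.0.0.12 port 40100 ssh2
"""

# Only successful logins matter for this audit; failed attempts are noise here.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def find_root_logins(log_text, allowed_sources=frozenset()):
    """Return one dict per successful root SSH login whose source address is
    not in allowed_sources (e.g. the jump host the admin team really uses)."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m or m.group("user") != "root":
            continue
        if m.group("src") in allowed_sources:
            continue
        hits.append({k: m.group(k) for k in ("ts", "host", "method", "src", "port")})
    return hits


# Affected Engineering Special range as given in the summary (assumed inclusive).
AFFECTED_LOW = (15, 0, 1, 13010, 1)
AFFECTED_HIGH = (15, 0, 1, 13017, 1)


def parse_version(version):
    """'15.0.1.13012-1' -> (15, 0, 1, 13012, 1); a missing build suffix counts as 0."""
    main, _, build = version.partition("-")
    parts = [int(p) for p in main.split(".")]
    parts.append(int(build) if build else 0)
    return tuple(parts)


def is_affected(version):
    """True when the build string lies inside the affected ES range."""
    return AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH


if __name__ == "__main__":
    for hit in find_root_logins(SAMPLE_LOG, allowed_sources={"10.0.0.12"}):
        print("unexpected root SSH login:", hit)
    for v in ("15.0.1.13012-1", "15.0.1.13018-1"):
        print(v, "affected" if is_affected(v) else "not affected")
```

    Run against a real export, the allow-list should be the documented management hosts; any root login from elsewhere during the exposure window is worth an incident ticket rather than a dashboard entry.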
  • Wing FTP Server Vulnerability Allows Full Server Takeover by Attackers
    A critical vulnerability (CVE-2025-47812) in Wing FTP Server (versions ≤7.4.3) allows unauthenticated attackers to execute arbitrary code via NULL byte injection in the username parameter of the /loginok.html endpoint. Exploiting this flaw grants full server control due to the service running with high privileges by default. The vulnerability, rated CVSSv4 10.0, enables trivial RCE through crafted HTTP requests, particularly if anonymous access is permitted. Patched in version 7.4.4, immediate updates are critical. Organizations should also audit logs, restrict anonymous access, and monitor for exploitation attempts. The disclosure underscores the risks of unpatched services and the need for proactive vulnerability management.
    Read full article: Gbhackers
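    The Wing FTP flaw above is a NUL-byte injection in a login parameter, so two defensive checks follow directly from the summary: scanning request logs for percent-encoded NUL bytes aimed at the login endpoint, and rejecting control characters in usernames before they reach code that may treat strings as NUL-terminated. The block below is an added example, not Wing FTP’s code or the article’s; the access-log lines are constructed (the real server’s log format, and whether credentials arrive in the query string or the POST body, are assumptions), and `validate_username` is a hypothetical server-side check, not the vendor’s patch.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log style lines (not from the advisory). Real Wing FTP
# logs may differ, and credentials may travel in the POST body rather than
# the query string; the detection logic is the same once parameters are decoded.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [03/Jul/2025:10:01:02 +0000] "POST /loginok.html?username=alice&password=x HTTP/1.1" 200
203.0.113.9 - - [03/Jul/2025:10:01:05 +0000] "POST /loginok.html?username=anonymous%00junk&password=x HTTP/1.1" 200
203.0.113.9 - - [03/Jul/2025:10:01:09 +0000] "GET /index.html HTTP/1.1" 200
198.51.100.4 - - [03/Jul/2025:10:02:11 +0000] "POST /loginok.html?username=bob&password=x HTTP/1.1" 200
"""

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def params_with_nul(target):
    """Names of query parameters whose percent-decoded value contains a NUL byte."""
    query = urlsplit(target).query
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if "\x00" in value]


def find_nul_injection_attempts(log_text, login_path="/loginok.html"):
    """Flag requests to the login endpoint carrying a NUL byte in any parameter."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if urlsplit(target).path != login_path:
            continue
        bad = params_with_nul(target)
        if bad:
            hits.append({"src": m.group("src"), "ts": m.group("ts"), "params": bad})
    return hits


def validate_username(username):
    """Hypothetical server-side input check: reject NUL and other control
    characters so the string can never be silently truncated downstream."""
    if any(ord(c) < 0x20 or c == "\x7f" for c in username):
        return False
    return 0 < len(username) <= 64


if __name__ == "__main__":
    for hit in find_nul_injection_attempts(SAMPLE_ACCESS_LOG):
        print("NUL byte in login request:", hit)
```

    The detection side decodes each parameter once; a scanner fed raw bytes rather than text should decode and check the same way. The validation side is the durable fix where anonymous access cannot be disabled outright: a username containing any control character has no legitimate use and can be refused before authentication logic runs.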
  • Cl0p Ransomware’s Exfiltration Process Exposes RCE Vulnerability
    A high-severity vulnerability (GCVE-1-2025-0002, CVSS 8.9) was discovered in the Python-based data-exfiltration tool used by the Cl0p ransomware group, exposing their infrastructure to remote command execution (RCE) via improper input validation. The flaw allows attackers to execute arbitrary commands by manipulating filenames during data exfiltration, potentially enabling rival threat actors to disrupt Cl0p’s operations or steal their data. CIRCL disclosed the issue, noting Cl0p is unlikely to patch it, leaving their ransomware-as-a-service infrastructure vulnerable. The tool was central to Cl0p’s 2023–2024 MOVEit campaigns, which exploited zero-days for mass data theft. This marks a rare case where cybercriminals’ own tools expose them to the risks they typically impose on victims, creating opportunities for internal disruption within criminal ecosystems.
    Read full article: Gbhackers
  • Chinese Houken Group Exploits Ivanti CSA Zero-Days to Install Linux Rootkits
    The Chinese-linked threat group Houken exploited Ivanti CSA zero-day vulnerabilities (CVE-2024-8190, CVE-2024-8963, CVE-2024-9380) to infiltrate French sectors, including government, defense, and finance, between September and November 2024. They deployed a novel Linux rootkit (sysinitd) to hijack TCP traffic and execute remote commands with root access, indicating high-value targeting. ANSSI linked Houken to UNC5174, a Chinese intrusion set, noting their use of Chinese-developed tools, VPNs, and infrastructure aligned with China Standard Time. The group acted as an initial access broker, likely reselling access to state-aligned actors, while also engaging in cryptomining and data theft for profit. Their operations highlight a blend of espionage and financial motives, urging global organizations to secure internet-facing devices.
    Read full article: Gbhackers
  • OPPO Clone Phone Vulnerability Leaks Sensitive Data via Weak WiFi Hotspot
    A high-severity vulnerability (CVE-2025-27387, CVSS 7.4) in OPPO’s Clone Phone app exposes sensitive user data via a weakly secured WiFi hotspot during device transfers. The app’s temporary hotspot uses a predictable password, enabling nearby attackers to intercept personal files like photos, contacts, and messages without user interaction. Exploitation requires proximity to the target’s WiFi network but no credentials. OPPO advises updating the app once patched and avoiding public use of the feature until then. Researchers note similar flaws in other Android manufacturers’ data transfer tools, emphasizing weak authentication risks. This highlights the need for stronger default security practices in device migration services to prevent widespread data leaks.
    Read full article: Gbhackers
  • Critical Vulnerability in Microsens Devices Exposes Systems to Hackers
    Critical vulnerabilities in MICROSENS NMP Web+ (versions ≤3.2.5) expose industrial systems to remote exploitation. Three flaws (CVE-2025-49151, 49152, 49153) include hard-coded secrets enabling unauthorized access, non-expiring sessions for persistent attacks, and path traversal allowing code execution. Exploitable without authentication, these low-complexity flaws can be chained for full system control, posing severe risks to critical manufacturing. MICROSENS patched the issues in version 3.3.0; CISA urges immediate updates, network segmentation, and secure remote access. Mitigations include firewall isolation, VPN use, and monitoring for suspicious activity. No public exploits are confirmed, but risks remain high for unpatched systems.
    Read full article: Gbhackers
  • IDE Extensions Like VSCode Allow Attackers to Bypass Trust Checks and Deliver Malware to Developer Systems
    OX Research uncovered critical security flaws in popular IDEs like VSCode, Visual Studio, IntelliJ IDEA, and Cursor, enabling attackers to bypass verification checks and distribute malicious extensions. By manipulating network requests and file values, researchers demonstrated how harmful extensions could appear “verified” (e.g., via Microsoft’s blue checkmark) while executing arbitrary code, such as unauthorized command execution. These vulnerabilities extend across platforms, exploiting weak validation processes to maintain trusted status despite malicious payloads. Attackers could distribute tainted extensions via platforms like GitHub, leveraging developer trust in community-shared tools. The findings highlight systemic risks in IDE extension ecosystems, urging vendors to strengthen validation and code scrutiny to prevent malware infiltration.
    Read full article: Gbhackers
  • YONO SBI Banking App Vulnerability Exposes Users to Man-in-the-Middle Attack
    A critical vulnerability (CVE-2025-45080) in YONO SBI Banking App v1.23.36 allows cleartext HTTP traffic, enabling man-in-the-middle attacks. The flaw, caused by an insecure Android manifest setting, exposes user credentials, transactions, and personal data to interception or tampering. Rated high severity (CVSS 8.8), it particularly risks users on public Wi-Fi. Researcher Ishwar Kumar confirmed unencrypted traffic via APK analysis and network tools. SBI has not yet released a patch as of July 2025. Users are advised to avoid public networks and monitor accounts until an update is available.
    Read full article: Gbhackers
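    The YONO SBI finding above comes down to one Android manifest setting that permits cleartext HTTP app-wide, which is the kind of thing a build pipeline can catch before release. The block below is an added example, not SBI’s code or the researcher’s tooling: it parses a constructed weak manifest and a constructed hardened one (neither taken from the real APK) and reports whether `android:usesCleartextTraffic` or a `networkSecurityConfig` is declared. The real names of the app’s activities and package are unknown here and are placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifests for illustration only; package and activity names are placeholders.
WEAK_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
  <application android:label="Bank" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

HARDENED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
  <application android:label="Bank"
               android:usesCleartextTraffic="false"
               android:networkSecurityConfig="@xml/network_security_config">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def check_cleartext_policy(manifest_xml):
    """Return a list of finding strings about the <application> cleartext settings.
    An empty list means cleartext is explicitly disabled and a network security
    config is declared (the config file itself still needs review)."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return ["no <application> element found"]
    cleartext = app.get(f"{{{ANDROID_NS}}}usesCleartextTraffic")
    nsc = app.get(f"{{{ANDROID_NS}}}networkSecurityConfig")
    findings = []
    if cleartext == "true":
        findings.append("usesCleartextTraffic=true: plain HTTP is permitted app-wide")
    elif cleartext is None and nsc is None:
        # Platform default depends on targetSdkVersion: below API 28 cleartext is allowed.
        findings.append("cleartext policy not declared; apps targeting API < 28 allow cleartext by default")
    if nsc is None:
        findings.append("no networkSecurityConfig: no per-domain cleartext or pinning policy")
    return findings


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, check_cleartext_policy(manifest) or ["ok"])
```

    In a real pipeline the check runs on the merged manifest produced by the build (library manifests can reintroduce the flag), and the referenced network security config is inspected separately for `cleartextTrafficPermitted="true"` entries, since that file overrides the manifest attribute for the domains it names.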
  • Multiple PHP Vulnerabilities Allow SQL Injection & DoS Attacks – Update Now
    Critical vulnerabilities in PHP (CVE-2025-1735 and CVE-2025-6491) expose systems to SQL injection and denial-of-service (DoS) attacks. The PostgreSQL extension flaw (CVE-2025-1735, CVSS 9.1) allows SQL injection via improper error handling in escape functions, risking data breaches. The SOAP extension vulnerability (CVE-2025-6491, CVSS 5.9) crashes systems when processing oversized namespace prefixes (>2GB), causing DoS via segmentation faults. Affected PHP versions include those below 8.1.33, 8.2.29, 8.3.23, and 8.4.10. Patches address these issues by fixing error-checking mechanisms and libxml2 dependencies. Administrators must update immediately to mitigate exploitation risks. Researcher Ahmed Leksa identified the SOAP flaw.
    Read full article: Cybernews

In-Depth Expert CTI Analysis

This week’s threat landscape underscores escalating cybercrime sophistication and global enforcement responses, with U.S. agencies dismantling a $14.6 billion healthcare fraud network and sanctioning Russia-linked Aeza Group for enabling ransomware. State-aligned threats intensified as North Korean IT workers leveraged AI for sanctions evasion, Chinese APTs exploited IoT vulnerabilities, and pro-Russian hacktivists targeted critical infrastructure. Ransomware surged 213% YoY, fueled by rebranding groups like Hunters International and new RaaS models, while law enforcement disrupted €460 million crypto frauds and DPRK funding schemes. Critical vulnerabilities in Apache, Cisco, and PHP exposed systemic risks, emphasizing the need for rapid patching. Persistent supply-chain breaches and AI-driven phishing tools highlight evolving attack vectors, demanding cross-sector collaboration and proactive defense strategies.

Proactive Defense and Strategic Foresight

Recent cyber incidents underscore the imperative for proactive defense and strategic foresight to counter evolving threats. The U.S. healthcare fraud initiative, leveraging AI and cross-agency data fusion, exemplifies preemptive risk mitigation through technology integration and dismantling silos. Similarly, sanctions against Aeza Group and Operation BORRELLI highlight the need for global collaboration to disrupt cybercrime ecosystems. North Korean IT worker schemes and Norway’s dam breach reveal adversaries’ exploitation of identity and infrastructure gaps, necessitating robust identity governance and OT/ICS monitoring. Ransomware’s 213% surge, novel malware like BUBBAS GATE, and AI-driven phishing tools demand continuous threat-hunting and adaptive controls. Strategic foresight requires prioritizing supply chain resilience, as seen in Switzerland’s Radix breach, and investing in behavioral analytics to counter DPRK’s AI-enhanced social engineering. Organizations must adopt threat-informed defense, aligning intelligence with proactive patching, zero-trust frameworks, and cross-sector threat sharing to mitigate escalating risks.

Evolving Ransomware and Malware Tactics

Ransomware operations continue to evolve rapidly with the rise of Ransomware-as-a-Service (RaaS) platforms like DragonForce, which enable affiliates to craft custom payloads with modular toolkits. New variants such as DEVMAN exhibit lateral movement using SMB, double-extortion, and experimental features like offline operation and self-encrypting ransom notes. Groups like Hunters International are strategically rebranding to avoid sanctions and law enforcement scrutiny. Malware loaders like BUBBAS GATE use advanced evasion techniques—indirect syscalls, PEB walking, and anti-VM—to bypass AV and EDR defenses. Zero-day exploits and supply-chain attacks remain key vectors, particularly in targeting critical infrastructure. State-aligned APTs increasingly exploit IoT and SOHO devices for stealthy surveillance, as seen with the LapDogs campaign. The line between cybercriminals and state actors is blurring through collaboration and shared tools. These evolving tactics call for behavioral detection, AI-powered threat hunting, and global coordination to contain cross-sector impacts.

State-Sponsored and Organized Cybercrime Convergence

The convergence of state-sponsored and organized cybercrime is increasingly evident, with nation-states leveraging criminal tactics for deniability and revenue, while cybercriminals adopt advanced tools from APT groups. North Korea’s IT worker fraud and ransomware operations fund weapons programs, while Russian-aligned groups like Aeza and pro-Iranian actors blend hacktivism with state objectives. Chinese espionage campaigns (e.g., LapDogs) exploit low-visibility devices, mirroring criminal infrastructure tactics. Ransomware surges and groups like Hunters International rebranding highlight adaptive strategies, often overlapping with state interests. This symbiosis complicates attribution, escalates threats to critical infrastructure, and demands global collaboration, enhanced defenses, and proactive intelligence-sharing to mitigate risks.

Operational and Tactical Implications

The surge in cross-sector cybercrime, including ransomware, fraud, and state-aligned espionage, demands enhanced inter-agency collaboration and AI-driven threat detection. Tactically, adversaries exploit cloud misconfigurations, IoT vulnerabilities, and AI-generated phishing to bypass defenses, necessitating zero-trust architectures and behavioral analytics. Critical infrastructure attacks highlight urgent needs for ICS/OT monitoring and rapid patch management. Ransomware groups’ rebranding and RaaS proliferation require proactive threat hunting and decryption capabilities. Geopolitically motivated hacktivism and state-sponsored campaigns underscore risks to global supply chains, urging stricter third-party vetting and international intelligence sharing. Organizations must prioritize identity security, phishing-resistant MFA, and real-time threat intelligence to mitigate evolving hybrid threats.

Forward-Looking Recommendations

    • Prioritize AI-driven fraud detection and inter-agency data fusion to combat evolving financial and healthcare fraud schemes.
    • Adopt zero-trust architectures and enforce strict patch management for critical infrastructure, cloud services, and end-of-life devices.
    • Strengthen ransomware resilience via multi-factor authentication, immutable backups, and proactive threat hunting for double-extortion tactics.
    • Enhance international collaboration to disrupt state-aligned cybercrime networks exploiting cryptocurrency and AI-powered social engineering.
    • Mandate third-party cybersecurity audits and secure cloud configurations to mitigate supply-chain risks and data exposure.
    • Invest in behavioral analytics and deception technologies to detect advanced persistent threats targeting SOHO/IoT devices.
    • Accelerate adoption of memory-safe languages and secure coding practices to address vulnerabilities in widely used enterprise software.
    • Expand cross-sector threat intelligence sharing and red-team exercises to counter hybrid hacktivist-state actor campaigns.

Additional Resources & Contact

    VerSprite on LinkedIn

    VerSprite on Twitter

    Email VerSprite
