VerSprite Weekly Threat Intelligence

Date Range: 09 June 2025 – 13 June 2025

Issue: 18th Edition

Security Triumphs of the Week

From global takedowns to bold investments, this week showcased how united efforts are winning against cybercrime. Interpol led a massive crackdown on info-stealing malware, dismantling 20,000 malicious IPs and arresting 32 suspects worldwide. Singapore’s authorities followed suit, wiping out over 1,000 cybercrime-linked IPs to clean up the country’s digital landscape. Meanwhile, the U.S. struck a heavy blow by dismantling the DanaBot malware network and charging 16 individuals in a $50 million fraud operation. On a strategic front, the EU is investing €145.5 million to fortify cybersecurity in healthcare and public institutions. These wins prove that global cyber defense is getting stronger.

  • Interpol Targets Infostealers: Global Sting Hits 20,000 IPs, 32 Arrests Made
    Interpol has dealt a massive blow to cybercriminal operations by dismantling over 20,000 malicious IP addresses used in information-stealing malware campaigns. This effort, part of Operation First Light, resulted in 32 arrests across multiple countries. Authorities also notified over 216,000 victims globally, potentially preventing identity theft and fraud. The international collaboration underscores the growing effectiveness of cross-border cyber enforcement.
    Read full article: SecurityWeek
  • Singapore Authorities Take Down 1,000+ Malicious IPs in Major Cybercrime Crackdown
    The Cyber Security Agency of Singapore (CSA) and law enforcement partners successfully identified and disabled over 1,000 IP addresses associated with phishing, malware distribution, and command-and-control operations. This nationwide cleanup initiative, involving both domestic ISPs and international support, highlights Singapore’s commitment to keeping its digital ecosystem safe. Victims and affected services were promptly alerted, limiting downstream damage.
    Read full article: Channel News Asia
  • U.S. Dismantles DanaBot Malware Network, Charges 16 in $50M Cybercrime Case
    In a coordinated effort between U.S. and European law enforcement, the DanaBot malware infrastructure—active since 2016—has been dismantled. The operation culminated in 16 individuals being charged for their roles in stealing banking credentials, personal data, and conducting fraudulent transactions valued at over $50 million. This takedown disrupts a major threat actor ecosystem, showcasing the impact of persistent investigations.
    Read full article: The Hacker News
  • European Union Allocates €145.5 Million to Strengthen Cybersecurity in Healthcare and Public Sectors
    The European Commission announced a €145.5 million investment aimed at bolstering cyber resilience across healthcare systems, public institutions, and essential services within the EU. These funds will go toward strengthening national and cross-border incident response teams, building security operations capabilities, and supporting cybersecurity innovation. The initiative is part of the Digital Europe Programme and reflects the EU’s proactive stance on digital safety.
    Read full article: Industrial Cyber

Security Setbacks of the Week

This week exposed a grim reality of the evolving cyber threat landscape. The notorious Predator spyware resurfaced with expanded corporate targeting, raising red flags across industries. A critical zero-click flaw in Microsoft 365 Copilot was uncovered, enabling silent data exposure without any user interaction. Threat actors repurposed TeamFiltration, a red team tool, for real-world attacks on Microsoft Entra ID accounts. Meanwhile, the FIN6 group weaponized LinkedIn and AWS-hosted fake resumes to deliver More_eggs malware, showcasing advanced social engineering. These events highlight a stark truth: attackers are growing smarter, and defenders must move even faster.

  • Predator Spyware Still Active, Expands Reach into Corporate Environments
    The notorious Predator spyware has resurfaced, with new infrastructure tied to operations in Mozambique and resumed activity in Angola. Recent investigations revealed potential links between Predator clients and prominent commercial organizations. The Insikt Group flagged a concerning trend of spyware deployments targeting both dissidents and legitimate businesses. This reflects a dangerous fusion of political espionage and corporate surveillance.
    Read full article: Recorded Future
  • Zero-Click AI Vulnerability in Microsoft 365 Copilot Exposes Sensitive Data
    A critical zero-click flaw in Microsoft 365 Copilot allows attackers to extract sensitive AI-generated content without any user interaction. By using malicious prompts, threat actors can bypass security controls and access private enterprise data. Experts warn that such AI integrations pose rising risks due to their deep data access and autonomous behavior. Microsoft is addressing the issue, but the incident underscores the dangers of rapidly deploying generative AI in business environments.
    Read full article: The Hacker News
  • TeamFiltration Tool Exploited in Entra ID Account Takeover Campaign
    A sophisticated account takeover campaign, dubbed UNK_SneakyStrike, is weaponizing the legitimate red-teaming tool TeamFiltration to compromise Microsoft Entra ID (formerly Azure AD) accounts. The attackers use automation to exfiltrate user credentials and extract sensitive data stored across Microsoft cloud services. While TeamFiltration is intended for penetration testing, threat actors are abusing it to stealthily navigate environments without triggering traditional alerts. Security researchers warn that this trend reflects a growing misuse of offensive security tools by adversaries.
    Read full article: SecurityWeek
  • FIN6 Lures Victims with AWS-Hosted Fake Resumes on LinkedIn to Spread Malware
    Cybercrime group FIN6 has launched a new social engineering campaign leveraging LinkedIn, uploading fake job resumes hosted on AWS to distribute the More_eggs malware. These malicious resume files are disguised as PDFs or Word documents, tricking HR professionals into unknowingly executing payloads. Once activated, More_eggs can establish persistence, harvest credentials, and move laterally within a corporate network. The blend of cloud infrastructure, social engineering, and trusted platforms like LinkedIn makes this campaign particularly dangerous and hard to detect.
    Read full article: The Hacker News

The New Emerging Threats

The cyber threat landscape continues to evolve with a wave of sophisticated malware and targeted campaigns. A Rust-based stealer dubbed Myth is duping gamers through fake download sites, aiming to hijack credentials and crypto wallets. Meanwhile, the Fog ransomware strain is turning heads with its unconventional and stealthy attack toolkit. A powerful new DuplexSpy RAT has surfaced, giving attackers full control over compromised Windows systems. North Korea’s Kimsuky group is now targeting social media influencers in an espionage twist. Most alarmingly, a new gang named Warlock is launching aggressive ransomware attacks on government agencies worldwide.

  • Rust-Based Myth Stealer Malware Targets Gamers via Fake Download Sites
    A new strain of stealer malware dubbed Myth—written in the Rust programming language—is targeting gamers by disguising itself as legitimate game installers. Hosted on fake gaming websites, the malware spreads by tricking users into downloading malicious setup files. Once executed, it steals sensitive data like browser credentials, crypto wallet info, and system details from Chrome and Firefox. The campaign showcases a growing trend of using Rust for its evasion capabilities. Security researchers recommend verifying game sources and using strong endpoint protection.
    Read full article: The Hacker News
  • Fog Ransomware Employs Unusual and Sophisticated Toolset
    A destructive new data wiper known as PathWiper has been used in cyberattacks against Ukrainian critical infrastructure in early 2025. The malware is designed to permanently erase files and disable systems, effectively halting operations across impacted sectors. PathWiper’s tactics resemble earlier nation-state wiper attacks but exhibit updated obfuscation techniques and anti-recovery features. Security analysts believe the campaign may be geopolitically motivated.
    Read full article: SecurityWeek
  • DuplexSpy RAT Gives Full Remote Access to Windows Machines
    Security researchers have identified a new remote access trojan (RAT) named DuplexSpy, which enables full control over infected Windows devices. The malware includes capabilities such as keylogging, screen capturing, command execution, and file manipulation. It is stealthily deployed via phishing emails and malicious attachments. DuplexSpy’s modular architecture and persistence mechanisms make it highly evasive. Its emergence signals a renewed wave of sophisticated RATs targeting both businesses and individuals.
    Read full article: Malware.news
  • Kimsuky APT Launches Social Media-Focused Espionage Campaign
    The North Korean-linked threat group Kimsuky has initiated a new campaign targeting social media users and influencers. The attackers are leveraging fake profiles and spear-phishing messages to deliver malicious links and payloads, aiming to steal login credentials and intelligence. This marks a strategic shift from their typical government targets to exploiting the trust dynamics on platforms like Twitter and Facebook. Cybersecurity teams are advised to watch for impersonation attempts and fake engagement tactics.
    Read full article: SecurityWorld
  • Warlock Ransomware Gang Hits Government Agencies Worldwide
    A new ransomware group calling itself Warlock has emerged, launching disruptive attacks against government entities across Europe, Asia, and the Americas. The gang uses a mix of phishing and exploitation of unpatched systems to gain entry and deploy file-encrypting malware. Their ransom demands are steep, and in some cases, data exfiltration has been confirmed. The rapid spread and sophistication of Warlock’s tactics suggest a well-funded and organized threat actor.
    Read full article: Comparitech

In-Depth Expert CTI Analysis

This week presents a dynamic snapshot of global cybersecurity operations, where high-impact law enforcement takedowns are counterbalanced by the rise of sophisticated malware and state-backed threats. Interpol and U.S. authorities scored major victories against info-stealers and banking trojans, disrupting cybercriminal infrastructures worldwide. Conversely, the emergence of advanced malware like Myth Stealer, DuplexSpy RAT, and Fog ransomware demonstrates the increasing stealth and innovation used by threat actors. Meanwhile, Predator spyware’s return and targeted espionage campaigns underscore the blurred lines between state-sponsored cybercrime and corporate espionage.

Proactive Defense and Strategic Foresight

Global momentum in cyber defense is rising—but the threat surface is evolving just as quickly.

  • Cross-border law enforcement collaboration is effective: Interpol and U.S. operations set a precedent for international cybercrime takedowns.
  • Governments are investing strategically: The EU’s massive funding in healthcare cyber resilience will likely set a trend across other critical infrastructure sectors.
  • Corporate vigilance is essential: Zero-click vulnerabilities in AI platforms highlight the need for robust testing before mass deployment.
  • Cloud abuse and social engineering are on the rise: LinkedIn and AWS misuse by FIN6 shows that trust-based ecosystems are new battlegrounds.
  • Public-private collaboration should intensify: Timely sharing of IOCs and TTPs from law enforcement can help bolster enterprise defenses.

Evolving Ransomware and Malware Tactics

This week saw a shift from traditional attack patterns to more evasive, modular, and cross-platform techniques.

  • Fog ransomware uses LOLBins and batch scripting, shifting from traditional ransomware behaviours.
  • Myth Stealer leverages the Rust language for better obfuscation and compatibility with modern platforms.
  • DuplexSpy RAT is modular and persistent, capable of total Windows system control.
  • The Warlock ransomware gang targets governments globally, indicating a possible politically motivated agenda or a highly organized operation.
  • Use of red-teaming tools like TeamFiltration in live attacks reveals how penetration testing tools can be weaponized.

State-Sponsored and Organized Cybercrime Convergence

The convergence of APT-style operations and financially driven cybercrime is becoming a dominant threat model.

  • Predator Spyware’s Continued Operation: The resurfacing of Predator spyware, now with infrastructure linked to nations like Mozambique and Angola, illustrates how commercial spyware is being weaponized beyond political surveillance.
  • Kimsuky’s Strategic Shift: The North Korea-linked APT group Kimsuky is now targeting social media users and influencers, moving beyond traditional government and academic targets.

Operational and Tactical Implications

Security operations must pivot to account for stealth, abuse of legitimate platforms, and emerging toolsets.

  • SOAR/SIEM Tuning: Update detection rules for Rust-based payloads, TeamFiltration behavior, and zero-click exploit patterns.
  • Red-Blue Team Coordination: Emulate DuplexSpy and Fog ransomware techniques in purple teaming.
  • SOC Readiness: Prepare for increased abuse of cloud services (e.g., AWS, LinkedIn) and trusted platforms.
  • Phishing Defense: Enhance employee awareness training around fake resumes and social engineering threats.

Forward-Looking Recommendations

Defensive strategy must anticipate silent, modular, and hybrid threats, requiring a blend of behavior-based detection and policy reinforcement.

  • Deploy behavioral analytics to detect new malware TTPs like those used in Fog ransomware.
  • Audit and secure AI integrations (e.g., Microsoft Copilot) before enterprise rollout.
  • Strengthen cloud platform monitoring to identify misuse of trusted services (LinkedIn, AWS).
  • Prioritize cross-sector cyber drills involving healthcare, government, and finance.
  • Participate in global threat intelligence sharing initiatives to stay ahead of rapidly evolving actors.

Additional Resources & Contact

VerSprite on LinkedIn

VerSprite on Twitter

Email VerSprite

Subscribe for Our Updates
