Cyber OSINT Overview, Jun 2 - Jun 8, 2025
This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.
Most Discussed Topics
- The security implications of Artificial Intelligence are a major focus, spanning multiple facets of cybersecurity. Discussions cover the use of AI by threat actors for creating sophisticated phishing, malware, and disinformation campaigns. Concurrently, the industry is grappling with how to secure AI systems themselves, addressing risks like prompt injection, data poisoning, and the security of LLMs and their supply chains. The rise of “Shadow AI” and AI agents with corporate credentials introduces new, complex attack surfaces and insider threat scenarios that traditional security tools are not equipped to handle.
- news gbhackers.com: Beware: Fake AI Business Tools Spreading Hidden Ransomware
- news therecord.media: OpenAI takes down ChatGPT accounts linked to state-backed hacking, disinformation
- news cio.com: Autonomous and credentialed: AI agents are the next cloud risk
- personal schneier.com: Report on the Malicious Uses of AI
- vendor blog.rapid7.com: Introducing AI Attack Coverage in Exposure Command: Secure what traditional AppSec Tools miss
- vendor unit42.paloaltonetworks.com: How Good Are the LLM Guardrails on the Market? A Comparative Study on the Effectiveness of LLM Content Filtering Across Major GenAI Platforms
- vendor malwarebytes.com: Ransomware hiding in fake AI, business tools
- Ransomware remains a dominant and evolving threat, with multiple high-profile incidents and new operational tactics observed. Groups like Interlock, Play, and DragonForce are actively targeting critical sectors, including healthcare, causing significant disruptions. Threat actors are adopting new business models, such as the ‘ransomware cartel’ structure used by DragonForce, and are increasingly using legitimate-looking but malicious software installers as a delivery vector. In response, governments are implementing new policies, like Australia’s mandatory payment reporting, to increase transparency and combat the threat.
- gov cisa.gov: Updated Guidance on Play Ransomware
- news cybersecuritynews.com: DragonForce Ransomware Claimed To Compromise Over 120 Victims in The Past Year
- news therecord.media: Kettering Health confirms attack by Interlock ransomware group as health record system is restored
- personal schneier.com: Australia Requires Ransomware Victims to Declare Payments
- vendor asec.ahnlab.com: Ransomware Disguised as Password Cracker (Extension Changed to .NS1419)
- vendor blog.rapid7.com: From Ideology to Financial Gain: Exploring the Convergence from Hacktivism to Cybercrime
- Actively exploited vulnerabilities in widely used software and hardware remain a constant theme, prompting urgent patching advisories. CISA’s KEV catalog has been updated with several critical flaws affecting Google Chrome (V8 engine), Qualcomm chipsets, ASUS routers, and ConnectWise ScreenConnect, confirming they are being used in attacks. Beyond end-user software, significant vulnerabilities have been disclosed in enterprise and ICS/OT equipment from vendors like HPE, Hitachi Energy, Schneider Electric, and CyberData, posing risks of remote code execution and system compromise.
- gov cisa.gov: CISA Adds Five Known Exploited Vulnerabilities to Catalog
- gov cisa.gov: CISA Adds Three Known Exploited Vulnerabilities to Catalog
- gov cisa.gov: CISA Adds One Known Exploited Vulnerability to Catalog
- gov cisa.gov: CISA Releases Seven Industrial Control Systems Advisories
- gov cisecurity.org: Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution
- gov cisecurity.org: Multiple Vulnerabilities in HPE StoreOnce Software Could Allow for Remote Code Execution
- Social engineering campaigns are evolving with new, sophisticated techniques designed to trick users into compromising their own systems. A prominent example is the ‘ClickFix’ tactic, which uses fake CAPTCHA verifications or system error messages on websites to manipulate users into copying and running malicious PowerShell commands from their clipboard. This method bypasses traditional file-based malware scanners. Separately, vishing (voice phishing) campaigns are targeting corporate employees, with attackers posing as IT support to persuade victims to install malicious software or grant OAuth access to sensitive platforms like Salesforce.
- news cyberscoop.com: Salesforce customers duped by series of social-engineering attacks
- news cybersecuritynews.com: Hackers Using New ClickFix Technique To Exploits Human Error Via Fake Prompts
- news cybersecuritynews.com: New ClickFix Attack Exploits Fake Cloudflare Human Check to Install Malware Silently
- news hackread.com: ClickFix Email Scam Alert: Fake Booking.com Emails Deliver Malware
- news zdnet.com: Cybercriminals are stealing business Salesforce data with this simple trick - don't fall for it
Critical Vulnerabilities
- An actively exploited zero-day vulnerability, CVE-2025-5419, affects Google Chrome’s V8 JavaScript engine. This out-of-bounds read and write flaw could allow a remote attacker to achieve arbitrary code execution through a specially crafted HTML page. Google has confirmed in-the-wild exploitation and released patches in Chrome version 137.0.7151.68 and later. Due to its active exploitation, CISA has added this vulnerability to its KEV (Known Exploited Vulnerabilities) catalog, mandating federal agencies to patch.
- gov cisa.gov: CISA Adds One Known Exploited Vulnerability to Catalog
- gov cisecurity.org: Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution
- vendor msrc.microsoft.com: Chromium: CVE-2025-5419 Out of bounds read and write in V8
- vendor malwarebytes.com: Google fixes another actively exploited vulnerability in Chrome, so update now!
- CISA has added three actively exploited zero-day vulnerabilities in Qualcomm chipsets to its KEV Catalog, indicating they pose a significant risk. The vulnerabilities, CVE-2025-21479 and CVE-2025-21480 (Incorrect Authorization) and CVE-2025-27038 (Use-After-Free), affect the Adreno Graphics Processing Unit (GPU) driver. These memory corruption flaws can be exploited by attackers to run malicious commands. Patches have been made available to OEMs, but end-user device protection depends on manufacturers pushing the updates.
- A zero-day privilege escalation vulnerability named “BadSuccessor” has been discovered in Active Directory domains that include at least one Windows Server 2025 domain controller. The flaw exists in delegated Managed Service Accounts (dMSAs) and can be exploited by an attacker with permissions to either create a new dMSA or modify an existing one’s msDS-ManagedAccountPrecededByLink attribute. Successful exploitation could lead to full domain compromise. Multiple public proof-of-concept exploits are already available.
- vendor tenable.com: Frequently Asked Questions About BadSuccessor
- Multiple vulnerabilities have been found in popular Chrome extensions, exposing users to data leakage and account compromise. One research thread found that extensions like SEMRush Rank, Browsec VPN, and MSN New Tab transmit sensitive data such as browsing history and machine IDs over unencrypted HTTP. Another found that extensions from Avast, AVG, and Microsoft embed hardcoded credentials like API keys and secrets directly in their code. These flaws can be exploited to intercept data, pollute analytics, or abuse cloud services at the developer’s expense.
- news hackread.com: Popular Chrome Extensions Found Leaking Data via Unencrypted Connections
- vendor security.com: Security Flaws in Chrome Extensions: The Hidden Dangers of Hardcoded Credentials
- vendor security.com: Unmasking Insecure HTTP Data Leaks in Popular Chrome Extensions
- A series of critical vulnerabilities (CVE-2025-37089 to CVE-2025-37096) in HPE StoreOnce software versions prior to 4.3.11 could allow for remote code execution. The flaws include RCE, authentication bypass (CVE-2025-37093, CVSS 9.8), server-side request forgery, and arbitrary file deletion. Chaining these vulnerabilities could lead to full system compromise. Although there are no current reports of in-the-wild exploitation, organizations are urged to apply the available patches immediately.
- gov cisecurity.org: Multiple Vulnerabilities in HPE StoreOnce Software Could Allow for Remote Code Execution
- news thecyberexpress.com: HPE StoreOnce Faces Critical CVE-2025-37093 Vulnerability — Urges Immediate Patch Upgrade
- Multiple Industrial Control Systems (ICS) are affected by high-severity vulnerabilities, posing risks to critical infrastructure. CISA advisories highlighted remotely exploitable flaws in CyberData SIP Emergency Intercoms (Auth Bypass, SQLi), Hitachi Energy Relion series (Integer Overflow in VxWorks), and Mitsubishi Electric MELSEC iQ-F Series (Improper Input Validation). Successful exploitation could lead to remote code execution, denial-of-service, or information disclosure. All affected organizations are advised to apply vendor patches and implement network segmentation.
- gov cisa.gov: CISA Releases Seven Industrial Control Systems Advisories
- gov cisa.gov: Mitsubishi Electric MELSEC iQ-F Series
- gov cisa.gov: CyberData 011209 SIP Emergency Intercom
- gov cisa.gov: Hitachi Energy Relion 670, 650 Series and SAM600-IO Product
- A critical post-authentication RCE vulnerability (CVE-2025-49113) has been disclosed in Roundcube Webmail versions before 1.5.10 and 1.6.11. The vulnerability stems from improper validation of the _from parameter, leading to PHP Object Deserialization. Reports indicate the vulnerability is being actively exploited, and a hacker has been seen selling an exploit. All users are strongly advised to update to the patched versions immediately.
Major Incidents
- The healthcare sector continues to be a prime target for ransomware attacks, causing significant operational disruptions. Kettering Health, a major Ohio-based healthcare system, confirmed it was hit by the Interlock ransomware gang, leading to the shutdown of its electronic health record system and diversion of ambulances. The attack is part of a broader trend of cyber incidents impacting hospitals, including recent attacks on Central Maine Healthcare and a Catholic healthcare organization in New England, highlighting the sector’s vulnerability.
- community health-isac.org: Cybersecurity Trends and Threats to the Global Health Sector – 2025 Q1
- news therecord.media: Kettering Health confirms attack by Interlock ransomware group as health record system is restored
- A significant data leak involving 86 million AT&T customer records has resurfaced on cybercrime forums. The data, which appears to be from a previously disclosed breach in March 2024, includes full names, phone numbers, physical addresses, and an alarming 44 million Social Security numbers. Threat actors claim to have decrypted previously encrypted SSNs and dates of birth, presenting them in plaintext and increasing the risk of identity theft and fraud for affected individuals.
- news hackread.com: Exclusive: Hackers Leak 86 Million AT&T Records with Decrypted SSNs
- news zdnet.com: Millions of AT&T customer records repackaged for sale on the dark web
- The clothing retailer The North Face has disclosed its fourth credential stuffing attack, which occurred on April 23, 2025. Attackers used stolen username and password pairs from other breaches to gain unauthorized access to customer accounts on thenorthface.com. Compromised information may include purchase history, shipping addresses, names, dates of birth, and phone numbers. The company has since forced password resets for affected accounts but has not implemented multi-factor authentication (MFA) to prevent similar future attacks.
- vendor malwarebytes.com: The North Face warns customers about potentially stolen data
- An ongoing vishing campaign by a group tracked as UNC6040 is targeting Salesforce customers. Attackers impersonate IT support in phone calls to trick employees into installing a malicious version of the Salesforce Data Loader application. This grants the attackers OAuth access to the organization’s Salesforce environment, allowing them to exfiltrate large amounts of data. The group has been observed moving laterally to other cloud platforms like Microsoft 365 and Okta, with extortion attempts sometimes following months after the initial breach.
- Several major brands, including Adidas, Victoria’s Secret, and MathWorks (developer of MATLAB), have recently disclosed cybersecurity incidents. Adidas reported a data breach through a third-party customer service provider, exposing customer contact information. Victoria’s Secret took its website offline to address a potential ransomware attack. MathWorks also confirmed a ransomware attack that affected its IT systems and some customer-facing applications. These incidents highlight the broad threat to the retail and software sectors.
- news darkreading.com: Victoria's Secret Delays Earnings Call Due to Cyber Incident
- vendor research.checkpoint.com: 2nd June – Threat Intelligence Report
Emerging Threats
- A sophisticated social engineering technique dubbed ‘ClickFix’ is being widely used in phishing campaigns. Attackers use deceptive prompts, often disguised as Cloudflare or Booking.com CAPTCHA verifications, to trick users into running malicious code. The technique involves a script on the malicious webpage that copies a PowerShell command to the user’s clipboard when they click a ‘verify’ button. The user is then instructed to open the Run dialog (Windows+R), paste the content (Ctrl+V), and execute it, leading to malware infection with payloads like AsyncRAT, XWorm, and various info-stealers.
- news cybersecuritynews.com: Hackers Using New ClickFix Technique To Exploits Human Error Via Fake Prompts
- news cybersecuritynews.com: New ClickFix Attack Exploits Fake Cloudflare Human Check to Install Malware Silently
- news hackread.com: ClickFix Email Scam Alert: Fake Booking.com Emails Deliver Malware
- State-sponsored threat actors from China, Russia, and Iran are leveraging public generative AI platforms like ChatGPT for malicious activities. According to an OpenAI report, these groups use the AI for a range of tasks including social media disinformation, malware refinement, code debugging, and reconnaissance on targets. For example, Chinese APTs were observed researching the U.S. defense industry and satellite communications, while Russian actors used it to refine Windows malware. This indicates a strategic shift to incorporate AI as a force multiplier in espionage and cyberattack operations.
- news therecord.media: OpenAI takes down ChatGPT accounts linked to state-backed hacking, disinformation
- personal schneier.com: Report on the Malicious Uses of AI
- Cybercriminals are increasingly packaging ransomware and infostealers inside installers for popular AI and business software. Recent campaigns have used fake websites and installers mimicking tools like ChatGPT, Nova Leads, and InVideo AI to distribute malware such as CyberLock and Lucky_Gh0$t. This tactic preys on the high demand for AI tools among small businesses and entrepreneurs, using SEO poisoning to make their malicious sites appear legitimate in search results. The trend highlights a growing attack vector where trusted brands and emerging technologies are used as a lure.
- news gbhackers.com: Beware: Fake AI Business Tools Spreading Hidden Ransomware
- vendor malwarebytes.com: Ransomware hiding in fake AI, business tools
- A new wave of the Mirai botnet is actively exploiting a command injection vulnerability (CVE-2024-3721) in TBK DVR devices. The attack uses a single POST request to download and execute an ARM32 binary on the compromised device. This Mirai variant incorporates new features, including RC4 string encryption and anti-VM/emulation techniques, demonstrating continued evolution. The campaign highlights the ongoing risk posed by insecure IoT devices, which are often targeted for inclusion in botnets used for DDoS attacks and other malicious activities.
- vendor securelist.com: Analysis of the latest Mirai wave exploiting TBK DVR devices with CVE-2024-3721
- A notable shift is occurring where ideologically-driven hacktivist groups are transitioning into financially motivated ransomware operations. Groups like FunkSec, KillSec, and GhostSec, which previously focused on DDoS and defacement for political causes, are now adopting Ransomware-as-a-Service (RaaS) models. This evolution creates a hybrid threat that merges disruptive tactics with the profit-driven efficiency of cybercrime, complicating attribution and defense strategies. The trend is fueled by the accessibility of ransomware tools and the high profitability of extortion attacks.
- vendor blog.rapid7.com: From Ideology to Financial Gain: Exploring the Convergence from Hacktivism to Cybercrime
- A sophisticated malware distribution campaign has been identified using over 140 backdoored GitHub repositories to target novice cybercriminals and gamers. The repositories, posing as open-source malware like ‘Sakura RAT’ or game cheats, contain malicious PreBuild events in their Visual Studio project files. These events trigger a multi-stage infection chain that downloads and executes malware when the user attempts to compile the code. The campaign demonstrates a supply chain attack vector within the developer and gray-hat community.
- news cybersecuritynews.com: Hundreds of GitHub Malware Repos Targeting Novice Cybercriminals Linked to Single User
- news gbhackers.com: Hundreds of Malicious GitHub Repos Targeting Novice Cybercriminals Traced to Single User
- A new malware family named PathWiper is being used in destructive attacks against critical infrastructure in Ukraine, attributed to a Russia-linked APT group. The malware is deployed by compromising legitimate endpoint administration frameworks, which are then used to distribute the wiper to all connected systems. PathWiper is designed to permanently destroy data by overwriting critical NTFS file system components like the Master Boot Record (MBR) and Master File Table (MFT), rendering systems inoperable. This highlights the continued use of destructive cyber weapons in the ongoing conflict.
- news cybersecuritynews.com: New PathWiper Malware Attacking Critical Infrastructure To Deploy Administrative Tools
Regulatory and Policy Updates
- A new executive order signed by President Trump is set to alter the U.S. government’s cybersecurity posture by rolling back specific policies from previous administrations. The order reverses requirements for federal software vendors to attest to NIST’s secure development guidelines, favoring collaborative guidance instead. It also revokes a provision promoting federal digital identity initiatives, citing concerns over fraud and access for undocumented immigrants. The order aims to refocus AI cybersecurity efforts on vulnerability management rather than what the administration terms ‘censorship.’
- news cyberscoop.com: Trump cyber executive order takes aim at prior orders, secure software, identity
- Australia has implemented a new law requiring certain large organizations to report ransomware payments to the government. This mandatory disclosure aims to increase transparency around ransomware incidents and provide authorities with better data to understand and combat the threat. The move follows similar discussions in other countries and represents a significant regulatory step to address the growing impact of ransomware on the private sector.
- news darkreading.com: Australia Begins New Ransomware Payment Disclosure Rules
- personal schneier.com: Australia Requires Ransomware Victims to Declare Payments
- The UK’s National Cyber Security Centre (NCSC) has launched a new set of ‘Cyber security culture principles’ to help organizations improve their security posture. The guidance emphasizes that sustainable cyber resilience is achieved by embedding secure values and behaviors across the entire workforce, rather than relying solely on technical controls or one-off training. The principles provide a framework for leadership to foster a culture of shared responsibility and proactive cyber hygiene.
- news thecyberexpress.com: Leadership, Trust, and Cyber Hygiene: NCSC’s Guide to Security Culture in Action
- personal ctoatncsc.substack.com: CTO at NCSC Summary: week ending June 8th
- The European Union has launched an International Digital Strategy to guide its external engagement on technology and security. The framework aims to promote a secure, rules-based digital transformation globally by expanding international partnerships and deploying an ‘EU Tech Business Offer.’ This strategy signals the EU’s intent to position itself as a key global player in shaping digital standards and governance, focusing on values like privacy and security.
- news thecyberexpress.com: Can the EU Lead the Global Digital Future? Here’s What the Strategy Says
- personal ctoatncsc.substack.com: CTO at NCSC Summary: week ending June 8th
- The U.S. Department of Homeland Security (DHS) is facing scrutiny from Congress over its decision to terminate the Mobile App Vetting (MAV) program, managed by CISA, in June 2025. The program evaluates the security of mobile apps for federal agencies. Lawmakers argue that ending the service sends the wrong signal, especially in light of recent mobile-centric threats like the Salt Typhoon campaign. The move has raised concerns about a potential gap in the federal government’s ability to assess mobile device vulnerabilities.
Security Operations
- To address widespread confusion, major cybersecurity vendors Microsoft and CrowdStrike have announced a collaboration to align their threat actor naming taxonomies. This initiative aims to create a ‘Rosetta Stone’ that maps the different names used by vendors for the same APT and cybercrime groups (e.g., Midnight Blizzard and Cozy Bear). The goal is to help security professionals correlate intelligence from various sources more efficiently, improve confidence in attribution, and accelerate incident response. Google/Mandiant and Palo Alto Networks Unit 42 are also expected to contribute to this effort.
- news cyberscoop.com: CrowdStrike, Microsoft aim to eliminate confusion in threat group attribution
- news darkreading.com: MSFT-CrowdStrike 'Rosetta Stone' for Naming APTs: Meh?
- vendor microsoft.com: Announcing a new strategic collaboration to bring clarity to threat actor naming
- YARA-X 1.0.0 has been released, marking a major milestone for the widely used pattern-matching tool. Rewritten in Rust, YARA-X offers significant advantages over the classic C-based version, including improved performance (5-10x faster for complex rules), memory safety to prevent common bugs, and better developer tooling like a built-in formatter. It maintains approximately 99% backward compatibility with existing YARA rules. As future feature development will focus exclusively on YARA-X, security teams are encouraged to begin migrating their workflows.
- vendor blog.virustotal.com: YARA-X 1.0.0: The Stable Release and Its Advantages
- A coalition including MITRE, Microsoft, and IBM has released the “Post-Quantum Cryptography (PQC) Migration Roadmap” to guide organizations through the complex transition to quantum-resistant algorithms. The document outlines a four-stage process: preparation, baseline understanding, planning and execution, and monitoring. This roadmap provides a structured framework to help CISOs and IT leaders proactively inventory cryptographic assets, assess risks, and implement the necessary tools to protect data from the future threat of quantum computers.
- Microsoft has enhanced its automated attack disruption capabilities to better protect critical assets like domain controllers. This feature now uses a risk-based framework to identify and disrupt multi-domain attacks in near-real-time, even from weak signals. By automatically classifying assets based on their role and applying contextual insights, the system can intervene earlier in the kill chain, significantly reducing attacker dwell time and preventing impact from attacks like human-operated ransomware.
- vendor techcommunity.microsoft.com: Discover how automatic attack disruption protects critical assets while ensuring business continuity
- A Rapid7 incident response report for Q1 2025 indicates that stolen credentials for valid accounts without Multi-Factor Authentication (MFA) remain the leading initial access vector, accounting for 56% of all incidents investigated. This highlights a persistent and critical security gap in many organizations. Other significant vectors included exposed Remote Desktop Protocol (RDP) services and compromised Remote Monitoring and Management (RMM) tools, reinforcing the need for robust identity and access management and stringent control over external-facing services.
- vendor blog.rapid7.com: Rapid7 Q1 2025 Incident Response Findings
- Organizations are struggling with alert fatigue and a lack of visibility, making it difficult to distinguish real threats from noise in dynamic cloud environments. Security teams are often buried in alerts from disconnected tools, hindering effective risk prioritization. To combat this, experts recommend moving beyond static posture management to embrace runtime security, which provides real-time detection of active exploits. A unified exposure management approach that correlates data from across the attack surface can provide the necessary technical and business context to focus on preventable, exploitable, and high-impact risks.
- vendor sysdig.com: Why it’s time to rethink vulnerability management
- vendor tenable.com: Moving Beyond Silos with Exposure Management
Wins
- A major international law enforcement operation has successfully dismantled the BidenCash carding marketplace, a notorious hub for trafficking stolen credit card data. Authorities seized approximately 145 domains associated with the platform, which had served over 117,000 customers and trafficked more than 15 million stolen card numbers, generating over $17 million in illicit revenue. The operation also included the seizure of cryptocurrency wallets used by the marketplace, striking a significant blow against the cybercrime economy.
- news cyberscoop.com: Feds seize 145 domains associated with BidenCash cybercrime platform
- news hackread.com: Feds Seize BidenCash Carding Market and Its Crypto Profits
- news thecyberexpress.com: $17 Million Black Market Empire Crushed in Cybercrime Sting
- vendor asec.ahnlab.com: Ransom & Dark Web Issues Week 1, June 2025
- The U.S. Department of Justice has seized over $7.74 million in cryptocurrency linked to North Korea’s illicit IT worker scheme. The funds were being laundered by sanctioned North Korean officials who facilitated the employment of IT workers using stolen or fake identities at U.S. and international companies. This action is part of a broader U.S. government initiative to disrupt the financial networks that fund North Korea’s weapons programs, targeting a key revenue stream for the regime.
- news cyberscoop.com: DOJ seizes $7.7M from crypto funds linked to North Korea’s IT worker scheme
- news therecord.media: DOJ moves to claim $7.74 million tied to North Korean IT worker scheme
- In a significant cross-border law enforcement success, Nigerian authorities have convicted and jailed nine Chinese nationals for their involvement in a large-scale cybercrime syndicate. The group was found to be recruiting and training young Nigerians in online fraud, including romance and investment scams, as part of a cyberterrorism and identity theft operation based in Lagos. The convictions follow a major raid that resulted in hundreds of arrests and highlight international cooperation in tackling organized cybercrime.
- news therecord.media: Nigeria jails 9 Chinese nationals for being part of international cyberfraud syndicate
- International law enforcement efforts have led to the arrest of four suspected key members of the 8Base ransomware group. The operation, named Phobos Aetor, was a joint effort involving the US, UK, Germany, France, and other nations. The suspects are accused of conducting over 1,000 cyberattacks worldwide using the Phobos ransomware and extorting more than $16 million. This action represents a significant disruption to a prolific ransomware operation.
- vendor securelist.com: IT threat evolution in Q1 2025. Non-mobile statistics
- Microsoft has successfully remediated a DNS resolution logic issue within its Azure OpenAI service that could have enabled cross-tenant data leaks and meddler-in-the-middle attacks. The flaw stemmed from a misconfiguration where the service API did not enforce unique custom domain names for a specific domain, unlike the UI. This could have allowed an attacker to register a shared domain and potentially intercept API calls and sensitive data intended for legitimate Azure endpoints. The prompt fix prevents this potential attack vector.
- vendor unit42.paloaltonetworks.com: Lost in Resolution: Azure OpenAI's DNS Resolution Issue
Disclaimer
The summaries in this brief are generated autonomously by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
The brief is created in collaboration with BlackStork and is based on a free template available on GitHub.
Reach out if you have questions or suggestions.