June 22, 2025

Cyber OSINT Overview, Jun 16 - Jun 22, 2025

This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.

Most Discussed Topics

  • The use of Artificial Intelligence in cybersecurity remains a dominant theme, with discussions covering both its offensive and defensive applications. Malicious uses include the creation of AI-powered deepfake scams, which has prompted legislative action in the U.S. Senate. Uncensored AI hacking tools, built on commercial models like Grok and Mixtral, are being sold on criminal forums for creating malware and phishing content. On the defensive side, AI is being integrated into Security Operations Centers (SOCs) to augment detection engineering, provide guided vulnerability remediation, and enhance threat analysis, shifting the focus from manual tasks to strategic decision-making.
  • Geopolitical tensions are increasingly manifesting as cyber operations, with the Iran-Israel conflict being a prime example. Pro-Israel hacktivists launched disruptive attacks against Iran’s Bank Sepah and the Nobitex cryptocurrency exchange, while Iran implemented nationwide internet shutdowns to control information flow. Concurrently, a sophisticated Russian-sponsored threat actor has been targeting academics and critics of Russia. This group uses patient social engineering and novel techniques to bypass multi-factor authentication, highlighting the continued use of cyber espionage in international conflicts.
  • Social engineering techniques for initial access are becoming more sophisticated and widespread. The “ClickFix” method, which tricks users into copying and executing malicious PowerShell commands, has seen a surge in use. Threat actors are leveraging this technique in multi-stage attacks to deliver various malware payloads, including loaders like GHOSTPULSE and commodity malware such as NetSupport RAT and infostealers. This highlights a continued reliance on human fallibility as a primary infection vector, bypassing traditional technical security controls.
  • Software supply chain security is a critical area of focus, with significant vulnerabilities and attacks reported. A major vulnerability dubbed ‘GerriScary’ was discovered in Google’s Gerrit code review system, which could have allowed unauthorized code submission to projects like ChromiumOS, Dart, and Bazel. Additionally, researchers continue to find insecure GitHub Actions workflows in popular open-source projects, which could be abused for supply chain attacks. These incidents underscore the need for stringent access controls and secure configurations in development pipelines and third-party dependencies.

Critical Vulnerabilities

  • Multiple UEFI Secure Boot bypass vulnerabilities have been disclosed, posing a significant threat to firmware integrity. One flaw in DTResearch’s Dtbios and BiosFlashShell applications, signed by Microsoft’s UEFI CA, allows arbitrary code execution by modifying the ‘IhisiParamBuffer’ NVRAM variable (VU#806555). Another vulnerability in Insyde H2O firmware enables digital certificate injection via the unprotected ‘SecureFlashCertData’ NVRAM variable, also leading to Secure Boot bypass (VU#211341). As these attacks occur before the OS loads, they can evade EDR systems and lead to persistent kernel-level malware. Mitigation requires applying firmware updates and updating the UEFI Forbidden Signature Database (DBX).
  • CISA has added several actively exploited vulnerabilities to its KEV catalog, mandating remediation for federal agencies and urging all organizations to patch. These include CVE-2023-0386, a privilege escalation flaw in the Linux kernel’s OverlayFS subsystem that allows unauthorized access to setuid files. Other additions include an unspecified vulnerability in multiple Apple products (CVE-2025-43200) and a command injection vulnerability in multiple TP-Link routers (CVE-2023-33538). The active exploitation of these vulnerabilities poses a significant risk for account takeover, data theft, and network compromise.
  • An easily weaponized vulnerability in Grafana (CVE-2025-4123) could allow arbitrary code execution. The flaw combines a client path traversal and an open redirect, enabling an attacker to execute arbitrary JavaScript via a malicious frontend plugin. The vulnerability does not require editor permissions and works even with anonymous access enabled, posing a significant risk of account takeover. If the Grafana Image Renderer plugin is installed, the open redirect can be escalated to a full-read Server-Side Request Forgery (SSRF). Organizations are urged to update to Grafana version 10.4.19 or newer.
  • A critical supply chain vulnerability, dubbed GerriScary (CVE-2025-1568), was discovered in Google’s Gerrit code review platform. The flaw stemmed from misconfigured permissions that allowed any registered user to push code changes to at least 18 major Google projects, including ChromiumOS, Dart, and Bazel. An attacker could have injected malicious code into trusted build pipelines without requiring new code reviews or approvals, potentially compromising the software supply chain for these widely-used products. Google has since remediated the issue by changing label persistence configurations and restricting permissions.
  • CISA has issued several advisories for critical vulnerabilities in Industrial Control Systems (ICS) from various vendors, posing a risk of remote code execution. Affected products include Fuji Electric Smart Editor (CVE-2025-32412, CVE-2025-41413, CVE-2025-41388) due to out-of-bounds read/write and buffer overflow flaws. Siemens Mendix Studio Pro (CVE-2025-40592) is vulnerable to path traversal, allowing arbitrary file modification. LS Electric GMWin 4 has multiple memory corruption issues (CVE-2025-49850, etc.), and Dover Fueling Solutions ProGauge MagLink LX consoles have a critical authentication bypass (CVE-2025-5310).
  • An actively exploited zero-day vulnerability in WEBDAV (CVE-2025-33053) allows for remote code execution. The flaw enables a malicious URL file to sideload a DLL or EXE from an attacker’s server by specifying a legitimate local Windows executable but setting the current working directory to a remote SMB or WebDAV share. Microsoft addressed this in the June 2025 Patch Tuesday updates. Organizations should apply the patch immediately to prevent binary planting attacks that can bypass firewalls using WebDAV over HTTP/S.
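A defender-side check for the CVE-2025-33053 pattern described above: the script below parses Windows Internet Shortcut (.url) files and flags ones whose URL launches a local executable while WorkingDirectory points at a remote SMB or WebDAV location. This is an added example, not code from the brief or from Microsoft; the sample shortcut files are constructed and use placeholder hostnames and a placeholder executable name.

```python
"""Flag .url files that pair a local executable with a remote SMB/WebDAV
working directory (the binary-planting pattern reported for CVE-2025-33053).

Added example, not from the brief or from Microsoft. Sample shortcuts below
are CONSTRUCTED with placeholder hostnames (.invalid TLD) and file names."""
import configparser
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Remote directory forms: UNC (\\host\share) including the WebDAV
# mini-redirector spellings \\host@80\share and \\host@SSL@443\share,
# plus plain http(s) URLs.
REMOTE_DIR = re.compile(r"^(\\\\[^\\]+|https?://)", re.IGNORECASE)
# URL field that points at a local binary instead of a web page.
LOCAL_EXE_URL = re.compile(r"^(file:///?)?[a-z]:[/\\].*\.(exe|dll|com|scr)$",
                           re.IGNORECASE)


@dataclass
class Finding:
    severity: str            # "high" when both indicators are present
    url: str
    working_dir: str
    reasons: List[str] = field(default_factory=list)


def parse_url_file(text: str) -> Dict[str, str]:
    """Return the [InternetShortcut] keys of a .url file, lower-cased."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return {k: v.strip() for k, v in cp.items(section)}
    return {}


def analyze(text: str) -> Optional[Finding]:
    """Return a Finding for a suspicious shortcut, or None if nothing stands out."""
    fields = parse_url_file(text)
    url = fields.get("url", "")
    working_dir = fields.get("workingdirectory", "")
    reasons = []
    if REMOTE_DIR.match(working_dir):
        reasons.append("WorkingDirectory points to a remote SMB/WebDAV location")
    if LOCAL_EXE_URL.match(url):
        reasons.append("URL launches a local executable rather than a web page")
    if not reasons:
        return None
    severity = "high" if len(reasons) == 2 else "medium"
    return Finding(severity, url, working_dir, reasons)


# Constructed samples (not real files from any campaign).
BENIGN = """[InternetShortcut]
URL=https://www.example.com/
IconIndex=0
"""

REMOTE_DIR_ONLY = r"""[InternetShortcut]
URL=https://www.example.com/
WorkingDirectory=\\fileserver.example.invalid\public
"""

SUSPICIOUS = r"""[InternetShortcut]
URL=file:///C:/Windows/System32/example.exe
WorkingDirectory=\\webdav.example.invalid@80\share
IconIndex=0
"""

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("remote-dir", REMOTE_DIR_ONLY),
                          ("suspicious", SUSPICIOUS)]:
        print(label, analyze(sample))
```

Run it over .url attachments pulled from mail quarantine or user profiles; "medium" hits still deserve a look, since a remote working directory alone is unusual for a shortcut.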

Major Incidents

  • The insurance industry is facing a targeted campaign by sophisticated cybercrime groups, with a series of attacks on major firms. Aflac disclosed a breach on June 12 where attackers used social engineering to gain network access and potentially exfiltrated sensitive claims, health, and personal information. This incident follows similar attacks on Erie Insurance and Philadelphia Insurance Companies. The threat group Scattered Spider, known for its social engineering tactics and recent focus on the insurance sector, is suspected to be involved. Aflac stated the intrusion was contained within hours and no ransomware was deployed.
  • Iran’s financial and communication infrastructure has been significantly disrupted by cyberattacks amidst escalating conflict with Israel. The pro-Israel hacktivist group ‘Predatory Sparrow’ claimed responsibility for attacking the state-owned Bank Sepah, causing service disruptions, and stealing over $90 million in cryptocurrency from Nobitex, Iran’s largest crypto exchange. In response to these and other threats, the Iranian government has imposed several nationwide internet blackouts, severely limiting citizens’ access to information and communication. Additionally, Iranian state TV was briefly hijacked to broadcast anti-regime protest footage.
  • Researchers have uncovered a massive collection of 30 exposed datasets containing a total of 16 billion login credentials. The data, which includes credentials for major platforms like Apple, Google, Facebook, and Telegram, was likely harvested by infostealer malware. While the datasets were only exposed briefly and likely contain many duplicates, their existence in the hands of cybercriminals poses a severe risk for account takeovers, identity theft, and targeted attacks. This incident highlights the pervasive threat of infostealers and the importance of using unique passwords and multi-factor authentication.
  • Krispy Kreme has disclosed a data breach that exposed a wide range of sensitive information for over 160,000 past and present employees and their families. The compromised data includes names, Social Security numbers, passport numbers, biometric data, and financial account information. The breach, which occurred in late 2024, highlights the significant amount of personal data that can be held by retail companies. Krispy Kreme is offering free credit monitoring and identity protection services to affected individuals.
  • Cryptocurrency platform CoinMarketCap experienced a client-side attack where a vulnerability allowed malicious code to be embedded via a doodle image on its homepage. This code displayed a fraudulent wallet connection prompt to users, which looked identical to legitimate prompts on the site. The attack utilized the Inferno Drainer toolkit to siphon over $43,000 in various cryptocurrencies from approximately 110 victims who connected their wallets. CoinMarketCap has since removed the malicious content and patched its systems.
  • A ransomware attack on Yes24, one of South Korea’s largest ticketing platforms, resulted in a four-day service outage. The disruption significantly impacted the entertainment industry, affecting online bookings for concerts, access to e-books, and community forums. The incident led to cancellations and delays for high-profile events. This attack underscores the vulnerability of critical online service platforms and their cascading impact on associated industries.
  • The Oxford City Council in the UK suffered a cyberattack that disrupted multiple city services and potentially exposed the personal data of past election workers. The breach, which occurred over the weekend of June 7-8, was detected by automated security systems. As a precaution, the council took its main systems offline for a comprehensive security assessment, leading to service impacts throughout the following week. This incident highlights the ongoing cyber threats faced by local government bodies.

Emerging Threats

  • A sophisticated social engineering campaign, attributed to Russian government-sponsored actors (UNC6293/APT29), is targeting prominent academics and critics of Russia. The attackers impersonate U.S. State Department staff with convincing emails and domains, demonstrating unusual patience. A novel technique observed involves tricking targets into generating and sharing app-specific passwords (ASPs) for their Google accounts, which allows the attackers to bypass multi-factor authentication and gain persistent access. This method is highly targeted and difficult to scale, but represents a significant evolution in tradecraft.
  • The “ClickFix” social engineering technique is rapidly gaining popularity as an initial access vector. This method manipulates users into copying and pasting malicious PowerShell commands into a Run or Terminal window, often under the guise of a CAPTCHA or system fix. It effectively bypasses many perimeter defenses by having the user initiate the malicious action. Recent campaigns have used ClickFix to deliver multi-stage payloads, including the GHOSTPULSE loader, NetSupport RAT, and infostealers like LUMMA and ARECHCLIENT2/SECTOPRAT.
  • Cybercriminals are selling “uncensored” AI tools on hacking forums, which were found to be powered by jailbroken commercial large language models like xAI’s Grok and Mistral AI’s Mixtral. These tools are marketed for malicious purposes, such as crafting convincing phishing emails and writing credential-stealing malware. The sellers are wrapping the commercial APIs with system prompts that instruct the models to bypass their built-in guardrails. This development signifies a new trend where threat actors leverage powerful, commercially available AI technologies to create and distribute hacking tools.
  • A novel tech support scam is using search parameter injection to display fraudulent phone numbers on the legitimate websites of major brands like Apple, Netflix, and Bank of America. Scammers buy sponsored search results that lead to a crafted URL for the brand’s actual support page. This URL injects the fake support number into the page’s search results field, tricking users into calling the scammers while they believe they are on the official website. This tactic is highly effective as it exploits user trust in the legitimate domain.
  • The Prometei botnet is experiencing a resurgence with new Linux variants, indicating active development. This malware primarily conducts cryptocurrency mining (Monero) but also has credential-stealing capabilities. The latest versions feature a modular architecture, a backdoor for remote control, a domain generation algorithm (DGA) for resilient command-and-control (C2) communication, and self-updating capabilities for stealth and evasion. Prometei spreads laterally by brute-forcing credentials and exploiting vulnerabilities like EternalBlue.
  • New variants of the KimJongRAT stealer have been identified, including a Portable Executable (PE) file version and a PowerShell-based implementation. Both infection chains begin with a Windows shortcut (LNK) file that downloads a dropper from a CDN. The malware is designed to steal victim information, browser data, and credentials from crypto-wallet extensions, FTP clients, and email clients. The use of legitimate CDN services and a multi-file approach helps the malware to mask its malicious activities and evade detection.
  • Threat actors are targeting gamers with malware disguised as Minecraft mods, distributed via the Stargazers Ghost Network on GitHub. The campaign uses a multi-stage attack chain, starting with an undetected Java-based downloader. This downloader fetches a second-stage Java stealer, followed by a final .NET stealer with extended capabilities. The malware, developed by a Russian-speaking actor, highlights the risk of using unverified third-party game modifications and the challenge of detecting Java-based threats in sandboxed environments that lack the necessary runtime dependencies.

Regulatory and Policy Updates

  • A new bipartisan Senate bill, the ‘Preventing Deep Fake Scams Act,’ has been introduced to combat the rising threat of AI-driven financial fraud. The legislation proposes the creation of a task force chaired by the Treasury Secretary to study and report on AI-fueled scams. This task force would examine proactive measures for financial institutions, identify risks from AI misuse, and develop best practices and legislative recommendations to protect consumers, particularly seniors and families, from deepfake-enabled crimes.
  • NIST has released Special Publication 1800-35, “Implementing a Zero Trust Architecture,” to provide practical guidance for organizations. The document expands on the concepts from SP 800-207 and offers a reference architecture focused on the Enhanced Identity Governance (EIG) approach. It includes a series of implementation examples demonstrating how different commercial products can be combined to build a compliant Zero Trust Architecture (ZTA). This guidance aims to help organizations move from theoretical concepts to tangible ZTA deployments.
  • The Canadian government has introduced Bill C-8, an ‘Act respecting cyber security,’ which proposes significant amendments to the Telecommunications Act. The bill mandates that designated operators of critical services establish and implement comprehensive cybersecurity programs. Key requirements include mitigating supply-chain and third-party risks, reporting cybersecurity incidents to the government, and complying with any cybersecurity directives issued by authorities. This legislation marks a major step towards strengthening the security posture of Canada’s critical infrastructure.
  • The European Union is advancing its cybersecurity framework through multiple initiatives. The Council of Europe has adopted a new blueprint to improve the management of large-scale cyber crises and incidents across member states. Additionally, the European Commission announced calls for proposals totaling nearly €150 million to boost cybersecurity resilience, with a specific €30 million fund to help hospitals and healthcare providers defend against threats like ransomware. These efforts are part of a broader strategy to strengthen the security of the EU’s digital ecosystem.
  • WhatsApp has announced it will begin displaying targeted ads within its ‘Updates’ tab, moving away from its historically ad-free model. To personalize these ads, WhatsApp will use limited information such as user country, language, and followed Channels. For users who have linked their WhatsApp with other Meta accounts like Facebook or Instagram, the platform will also use cross-platform data and ad preferences. This policy change has raised privacy concerns, particularly in Europe, where privacy advocates anticipate it may lead to a ‘Pay or OK’ consent model similar to Meta’s other platforms.
  • The UK’s Information Commissioner’s Office (ICO) has issued new draft guidance for manufacturers of smart home and IoT devices. The guidance clarifies that when companies use data collected from devices for their own purposes, such as service improvement or user profiling, it falls under UK GDPR regulations and is not exempt as ‘domestic use.’ Manufacturers must obtain clear user consent for such data processing, be transparent about what data is collected and why, and allow users to withdraw consent at any time. The guidance also references existing PSTI regulations for device security, including unique passwords and encryption.

Security Operations

  • Several organizations are providing practical frameworks and guidance to help security teams mature their programs. NIST’s new SP 1800-35 offers a reference architecture and real-world examples for implementing Zero Trust. For data protection, SANS has outlined a four-phase journey for building a Data Loss Prevention (DLP) program, starting with understanding business needs and achieving quick wins. These resources aim to help practitioners translate high-level security concepts into actionable, phased projects that deliver value and gain stakeholder buy-in.
  • A report from the Cyber Resilience Corps is calling for a major expansion of volunteer cybersecurity assistance for ‘target rich, resource poor’ community organizations such as hospitals, schools, and local governments. The report suggests a new model where cybersecurity responsibilities are shared between these organizations and more capable actors in government and the private sector. Recommendations include maturing existing volunteer programs, creating state-level shared security services, and pushing technology manufacturers to build more secure-by-design products to reduce the burden on end-users.
  • Facebook is rolling out support for passkeys on its mobile applications for iOS and Android, marking a significant step toward passwordless authentication for its vast user base. This will allow users to sign in using their device’s PIN or biometrics instead of a password, which is more secure against phishing and credential theft. The passkey support will also extend to Messenger for securing encrypted chats and to Meta Pay for authenticating payments. The rollout will be gradual, and initial support is limited to the mobile apps, not the website.
  • The concept of ‘output-driven SIEM’ continues to be a relevant strategy for managing modern security operations. This approach advocates for ingesting logs into a SIEM only after establishing a clear purpose for their use, such as detection, context for investigations, or compliance. With the explosion of log volumes in 2025, a deliberate collection strategy is crucial for managing costs and preventing alert fatigue. While technologies like SOAR and AI can help manage high alert volumes, they do not replace the fundamental need for thoughtful data collection and high-quality, tuned detections.
  • Effectively managing cloud risk requires a focus on data and secrets exposure. Tenable’s 2025 Cloud Security Risk Report indicates that 9% of public cloud storage contains sensitive data, and 54% of AWS ECS task definitions have secrets embedded in them. Key recommendations for security teams include continuously monitoring for public access, using dedicated secrets management tools like AWS Secrets Manager or Azure Key Vault, and employing an identity-aware Cloud Security Posture Management (CSPM) solution. A proactive approach should enforce least privilege and automate data discovery and classification to prevent exposures before they can be exploited.
  • To mitigate newly discovered UEFI Secure Boot bypass vulnerabilities, system administrators must take immediate action. Multiple vendors are releasing firmware updates to patch the affected components from DTResearch and Insyde. Concurrently, Microsoft is updating the Secure Boot Forbidden Signature Database (DBX), which revokes the signatures of the vulnerable UEFI applications, preventing them from running on any compliant system. Organizations should prioritize deploying these firmware and DBX updates, which are available through OEMs, Microsoft, and the Linux Vendor Firmware Service (LVFS).
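The ECS finding above (secrets embedded in task definitions) is easy to check for in code. The script below scans a task definition for plaintext credentials in containerDefinitions[].environment and rewrites the flagged variables into the ECS `secrets` block, which injects values from AWS Secrets Manager at task start. This is an added example, not Tenable's or AWS's code; the task definition, account number and ARN prefix are constructed placeholders.

```python
"""Find plaintext secrets in an ECS task definition and move them to the
'secrets' block (valueFrom = Secrets Manager ARN) so the value no longer
lives in the task definition itself.

Added example, not from Tenable's report or AWS. The task definition and
the ARN/account values below are CONSTRUCTED placeholders."""
import json
import math
import re
from typing import Dict, List

# Variable names that usually carry credentials.
SECRET_NAME = re.compile(
    r"(secret|password|passwd|token|api[_-]?key|access[_-]?key|private[_-]?key)", re.I)
# Values in well-known credential formats (AWS access key id, PEM private key).
SECRET_VALUE = re.compile(r"^(AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----)")
ENTROPY_MIN_LEN, ENTROPY_MIN_BITS = 20, 3.5


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score high, words and paths low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def find_plaintext_secrets(task_def: dict) -> List[Dict]:
    findings = []
    for c in task_def.get("containerDefinitions", []):
        for env in c.get("environment", []):
            name, value = env.get("name", ""), str(env.get("value", ""))
            reasons = []
            if SECRET_NAME.search(name):
                reasons.append("name suggests a credential")
            if SECRET_VALUE.search(value):
                reasons.append("value matches a known credential format")
            if len(value) >= ENTROPY_MIN_LEN and shannon_entropy(value) >= ENTROPY_MIN_BITS:
                reasons.append("high-entropy value")
            if reasons:
                findings.append({"container": c.get("name"), "variable": name,
                                 "reasons": reasons})
    return findings


def move_to_secrets_manager(task_def: dict, arn_prefix: str) -> dict:
    """Return a copy with flagged variables moved from 'environment' to
    'secrets'. valueFrom is <arn_prefix>:<VARNAME>; the task execution role
    must be allowed secretsmanager:GetSecretValue on those ARNs."""
    fixed = json.loads(json.dumps(task_def))          # deep copy, input untouched
    flagged = {(f["container"], f["variable"]) for f in find_plaintext_secrets(task_def)}
    for c in fixed.get("containerDefinitions", []):
        keep, moved = [], list(c.get("secrets", []))
        for env in c.get("environment", []):
            if (c.get("name"), env["name"]) in flagged:
                moved.append({"name": env["name"],
                              "valueFrom": f"{arn_prefix}:{env['name']}"})
            else:
                keep.append(env)
        c["environment"] = keep
        if moved:
            c["secrets"] = moved
    return fixed


# Constructed sample task definition; the key id is a placeholder, not a real key.
SAMPLE_TASK_DEF = {
    "family": "billing-api",
    "containerDefinitions": [{
        "name": "api",
        "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/billing-api:1.0",
        "environment": [
            {"name": "LOG_LEVEL", "value": "info"},
            {"name": "DB_PASSWORD", "value": "CONSTRUCTED-placeholder-pw"},
            {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAEXAMPLEEXAMPLE01"},
        ],
    }],
}
ARN_PREFIX = "arn:aws:secretsmanager:us-east-1:123456789012:secret"  # placeholder

if __name__ == "__main__":
    print(json.dumps(find_plaintext_secrets(SAMPLE_TASK_DEF), indent=2))
    print(json.dumps(move_to_secrets_manager(SAMPLE_TASK_DEF, ARN_PREFIX), indent=2))
```

Feed it the output of `aws ecs describe-task-definition --task-definition <family>` (the `taskDefinition` object); the rewrite is a starting point, since the secret itself still has to be created in Secrets Manager under the same name.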
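To verify that the DBX revocation described above (and under Critical Vulnerabilities) actually landed on a host, an administrator can parse the dbx variable and look for a specific SHA-256 entry. The parser below walks the EFI_SIGNATURE_LIST chain that dbx is made of. It is an added example, not code from the brief, Microsoft or LVFS; the sample dbx bytes and the hash values in them are constructed placeholders, not real revocation entries.

```python
"""Parse a UEFI Secure Boot dbx (Forbidden Signature Database) blob and check
whether a given SHA-256 hash is revoked.

Added example, not from the brief or any vendor. SAMPLE_DBX is CONSTRUCTED;
the hashes in it are placeholders, not real revoked binaries."""
import struct
import uuid
from typing import Dict, List, Set

# Signature types found in dbx: hash entries and whole-certificate entries.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# efivarfs path of dbx (EFI_IMAGE_SECURITY_DATABASE_GUID); data is preceded
# by a 4-byte attributes word.
DBX_EFIVAR = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
LIST_HEADER = 28   # GUID(16) + SignatureListSize + SignatureHeaderSize + SignatureSize


def parse_signature_lists(blob: bytes) -> List[Dict]:
    """Walk a chain of EFI_SIGNATURE_LIST structures.

    Per list: SignatureType GUID, UINT32 SignatureListSize (whole list),
    UINT32 SignatureHeaderSize, UINT32 SignatureSize (owner GUID + data),
    then the header, then SignatureSize-byte entries."""
    entries = []
    off = 0
    while off + LIST_HEADER <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < LIST_HEADER or sig_size <= 16 or off + list_size > len(blob):
            raise ValueError(f"malformed or truncated signature list at offset {off}")
        pos, end = off + LIST_HEADER + hdr_size, off + list_size
        while pos + sig_size <= end:
            entries.append({"type": sig_type,
                            "owner": uuid.UUID(bytes_le=blob[pos:pos + 16]),
                            "data": blob[pos + 16:pos + sig_size]})
            pos += sig_size
        off = end
    return entries


def revoked_sha256(blob: bytes) -> Set[str]:
    return {e["data"].hex() for e in parse_signature_lists(blob)
            if e["type"] == EFI_CERT_SHA256_GUID}


def is_revoked(blob: bytes, sha256_hex: str) -> bool:
    return sha256_hex.lower() in revoked_sha256(blob)


def load_efivar_dbx(path: str = DBX_EFIVAR) -> bytes:
    with open(path, "rb") as f:
        return f.read()[4:]            # strip efivarfs attribute word


def build_sha256_list(hashes: List[bytes], owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (used only to construct
    the sample; real dbx content comes from firmware, OEMs, Microsoft or LVFS)."""
    body = b"".join(owner.bytes_le + h for h in hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack(
        "<III", LIST_HEADER + len(body), 0, 16 + 32)
    return header + body


# Constructed sample: two placeholder hashes in two separate lists.
SAMPLE_DBX = build_sha256_list([bytes([0x11]) * 32]) + build_sha256_list([bytes([0x22]) * 32])

if __name__ == "__main__":
    print(len(revoked_sha256(SAMPLE_DBX)), "revoked hashes in the constructed sample")
```

On a Linux host call `load_efivar_dbx()` instead of the sample; on Windows the same bytes come from `Get-SecureBootUEFI -Name dbx`. Compare the result against the hashes published with the vendor's DBX update, which this brief does not list.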

Wins

  • The U.S. Department of Justice has filed a civil forfeiture complaint to seize over $225.3 million in cryptocurrency obtained from widespread investment scams. This action represents the largest cryptocurrency seizure in the history of the U.S. Secret Service. The investigation was initiated following a tip from cryptocurrency exchanges Tether and OKX, which had identified approximately $250 million in funds traceable to these scams. The operation successfully traced funds from over 400 victims to a network of 144 accounts controlled by the perpetrators.
  • Thai police successfully dismantled a criminal gang operating a ransomware and illicit gambling operation from a hotel in Pattaya. During a raid, authorities arrested at least 20 foreign nationals, including six Chinese individuals specifically tasked with distributing ransomware to infect Chinese companies. Police seized nine laptops and 15 mobile devices used in the operation. This takedown disrupts a significant organized crime effort that blended traditional vice with modern cybercrime.
  • An international law enforcement effort, Operation Deep Sentinel, resulted in the shutdown of the Archetyp Market, a prominent dark web marketplace. This successful takedown disrupts a major platform used for trading illicit goods and services. The operation highlights the effectiveness of international cooperation in combating cybercrime infrastructure and dismantling criminal ecosystems on the dark web.
  • A two-year cyberstalking case has been successfully concluded with a guilty plea from a Pensacola, Florida man. The perpetrator, Charles M. Schmaltz, used over ten social media accounts to harass and send obscene materials to multiple minor females in Florida and Alabama. The successful apprehension and prosecution were the result of a coordinated investigation involving the FBI and several local law enforcement agencies, demonstrating effective collaboration in combating online child exploitation.

Disclaimer

The summaries in this brief are generated autonomously by an LLM based on provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.

The brief is created in collaboration with BlackStork and is based on a free template.

Reach out if you have questions or suggestions.