June 29, 2025

Cyber OSINT Overview, Jun 23 - Jun 29, 2025

This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.

Most Discussed Topics

  • The dual-use nature of Artificial Intelligence is a dominant theme, with extensive discussion on its application in both offensive and defensive cybersecurity. Attack vectors are evolving with AI-powered phishing, deepfakes, and malware generation, while defenders are leveraging AI for advanced threat detection and security analytics. Concurrently, the rise of agentic AI introduces new risks, such as prompt injection and vulnerabilities in orchestration protocols like MCP, prompting new security paradigms and regulatory actions like the proposed “No Adversarial AI Act.”
  • A surge in Iranian cyber activity is being reported across government and private sector intelligence sources, directly linked to escalating geopolitical tensions. State-sponsored groups like APT35 and hacktivists such as CyberAv3ngers are conducting widespread campaigns targeting the US, Israel, and their allies. These operations include disruptive DDoS attacks, destructive wiper malware, sophisticated spear-phishing targeting journalists and academics, and exploitation of vulnerabilities in critical infrastructure and OT devices.
  • The cybercrime group Scattered Spider (UNC3944) continues to be a major threat, recently shifting its focus to the aviation and transportation sectors. High-profile attacks on Hawaiian Airlines and WestJet have been attributed to the group. Their tactics consistently involve sophisticated social engineering to trick IT help desks, bypass multi-factor authentication, and gain initial access to corporate networks. The FBI and multiple security firms have issued urgent warnings, noting the group’s pattern of targeting entire industries before moving to the next.
  • Critical vulnerabilities in widely used enterprise networking products, particularly from Citrix, are under active exploitation. A zero-day (CVE-2025-6543) in NetScaler ADC and Gateway allows for denial-of-service and potential control flow hijacking. Another flaw, CVE-2025-5777, has been dubbed “CitrixBleed 2” due to its similarity to a previously widespread vulnerability, enabling attackers to read sensitive memory and steal session tokens to bypass MFA. Security researchers are urging immediate patching as these vulnerabilities pose a significant risk of initial access and network compromise.

Critical Vulnerabilities

  • Multiple critical vulnerabilities in Citrix NetScaler ADC and Gateway are being actively exploited. CVE-2025-6543 is an exploited zero-day that can lead to DoS or unintended control flow. Concurrently, CVE-2025-5777, dubbed “CitrixBleed 2,” is an out-of-bounds read vulnerability that can expose sensitive data like session tokens, allowing attackers to hijack authenticated sessions and bypass MFA. Organizations are strongly urged to apply patches immediately to mitigate the high risk of compromise.
  • Multiple high-severity vulnerabilities have been found in Cisco Identity Services Engine (ISE) and ISE-PIC releases 3.3 and later, which could allow for unauthenticated remote code execution. CVE-2025-20281 results from insufficient input validation in a specific API, allowing an attacker to execute arbitrary code as root via a crafted request. CVE-2025-20282 stems from a lack of file validation in an internal API, enabling an attacker to upload and execute arbitrary files, also gaining root privileges. There are currently no reports of active exploitation.
  • CISA has added three actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, mandating remediation for federal agencies. The vulnerabilities are CVE-2024-54085, an authentication bypass in AMI MegaRAC SPx; CVE-2024-0769, a path traversal flaw in D-Link DIR-859 routers; and CVE-2019-6693, the use of hard-coded credentials in Fortinet FortiOS. These vulnerabilities represent significant risks and are frequent vectors for malicious actors.
  • Multiple critical vulnerabilities have been disclosed in Industrial Control Systems (ICS), posing significant risks. A critical authentication bypass flaw (CVE-2025-3699) in Mitsubishi Electric air conditioning systems allows attackers to gain full control and potentially tamper with firmware. Additionally, Schneider Electric’s EVLink WallBox chargers are vulnerable to path traversal and OS command injection (CVE-2025-5740), which could allow remote control of charging stations.
  • An out-of-bounds read vulnerability has been identified in the TCG TPM 2.0 reference library specification (Revision 01.83). The flaw exists in the CryptHmacSign function and can be exploited by an authenticated local attacker sending crafted commands to a TPM interface. Successful exploitation could lead to information disclosure or a denial of service. The TCG has released errata and updated reference code, and users should apply firmware updates from their hardware vendors.
  • The Kaleris Navis N4 terminal operating system, used in the transportation sector, has critical vulnerabilities in versions prior to 4.0. An unsafe Java deserialization flaw (CVE-2025-2566) allows unauthenticated attackers to achieve remote code execution. Additionally, a cleartext transmission vulnerability (CVE-2025-5087) in the Ultra Light Client allows network observers to intercept sensitive data, including plaintext credentials.
  • An actively exploited unauthenticated remote code execution vulnerability (CVE-2024-42640) affects the unsupported angular-base64-upload library prior to v0.1.21. The flaw exists in the demo/server.php file, allowing an attacker to upload and execute arbitrary content on the server. The vulnerability is being exploited in the wild, highlighting the risks of using unsupported or outdated open-source components.

Major Incidents

  • The sophisticated cybercrime group Scattered Spider has shifted its focus to the aviation industry, with Hawaiian Airlines and Canadian airline WestJet being recent targets. The group continues to use its signature TTPs, including advanced social engineering to trick IT help desks and bypass multi-factor authentication. Both Mandiant and the FBI have issued warnings, advising the entire transportation sector to harden systems and be on high alert for these targeted attacks.
  • A ransomware attack by the Qilin group on Synnovis, a pathology services provider for London’s NHS, has been linked to a patient’s death. The attack, which occurred in June 2024, caused severe disruptions, leading to over 10,000 appointment cancellations. A long delay for a critical blood test result was identified as a contributing factor in the patient’s subsequent death, highlighting the severe real-world consequences of cyberattacks on healthcare infrastructure.
  • Ahold Delhaize, the parent company of U.S. grocery chains Stop & Shop and Hannaford, reported that a November cyberattack compromised the data of over 2.2 million people. The incident, claimed by the INC ransomware gang, resulted in the theft of sensitive personal information including Social Security numbers, passport details, financial account data, and health information from internal employment records. The attack also caused operational disruptions, preventing customers from placing online delivery orders.
  • A DOJ Inspector General report revealed that the Sinaloa drug cartel employed a hacker to conduct surveillance on an FBI official in Mexico. The hacker compromised cameras and phones to track the agent’s movements and meetings. This intelligence was then used by the cartel to intimidate and, in some cases, kill potential sources and cooperating witnesses involved in the investigation of drug lord Joaquín “El Chapo” Guzmán.
  • United Natural Foods (UNFI), a major supplier for Whole Foods, suffered a significant cyberattack that disrupted its digital fulfillment and distribution systems. The incident, which began on June 5, caused operational delays and product shortages at grocery stores for weeks. The company has stated that the attack will have a material impact on its fourth-quarter income due to reduced sales and increased operational costs.
  • American insurance provider Aflac has suffered a data breach carried out by what it describes as a ‘highly sophisticated’ group, suspected to be Scattered Spider. The attack may have exposed sensitive customer information including personal data, health details, Social Security numbers, and claims information. This incident is part of a broader campaign by the threat actor targeting the insurance industry, following a series of attacks on major retail companies.

Emerging Threats

  • Iranian state-sponsored threat group Educated Manticore (also known as APT42 or Charming Kitten) is conducting sophisticated spear-phishing campaigns against high-profile Israeli academics and cybersecurity experts. The attackers impersonate technology executives and researchers, using well-crafted emails and WhatsApp messages to lure targets. Victims are directed to fake login pages for services like Gmail to harvest credentials, including passwords and 2FA codes, in support of cyber-espionage operations.
  • A Russian-linked threat actor, UAC-0226, has evolved the GIFTEDCROOK malware from a simple browser credential stealer into a sophisticated intelligence-gathering tool targeting Ukrainian government and military entities. The latest versions (1.2 and 1.3) feature comprehensive document exfiltration capabilities, targeting files modified within the last 45 days. The campaign uses spear-phishing with military-themed lures and exfiltrates data, including OpenVPN profiles, to attacker-controlled Telegram channels.
  • A new mobile spyware campaign named SparkKitty has been identified on both the Apple App Store and Google Play Store, targeting both iOS and Android users. Believed to be linked to the earlier SparkCat campaign, the spyware is distributed through trojanized apps, including cryptocurrency tools and modified versions of popular apps like TikTok. Its primary function is to steal all images from a device’s gallery, likely using OCR technology to find and exfiltrate sensitive data such as cryptocurrency wallet seed phrases.
  • Threat actors are exploiting the popularity of AI tools by using black hat SEO and social media platforms to distribute infostealer malware like Vidar and Lumma. Malicious campaigns on TikTok use AI-generated videos to trick users into downloading malware disguised as pirated software. Simultaneously, attackers are poisoning Google search results for terms like “ChatGPT” and “Luma AI” to direct users to fake websites that drop malware.
  • A phishing campaign is abusing Microsoft 365’s Direct Send feature, which allows devices and applications to send emails without authentication. Attackers exploit this to spoof internal email addresses, making their phishing messages appear legitimate and bypassing standard security filters. This technique has been observed in attacks on over 70 organizations, primarily in the US, tricking employees into trusting malicious content from a seemingly internal source.
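A triage check for the Direct Send pattern described above, written for this brief as an added example (it is not code from the brief's sources or from Microsoft). Direct Send lets unauthenticated devices relay mail that looks internal, so the defender-side question is: does a message claim an internal From: domain while arriving without SPF/DKIM authentication from a network the organisation's own devices do not use? The tenant domain, the trusted networks, the shape of the Authentication-Results header and the three sample messages are all constructed for the example; in a real tenant you would read the header your own inbound gateway writes and substitute your own domains and device networks.

```python
"""Triage helper for messages that may abuse Microsoft 365 Direct Send (added example)."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed tenant facts: the organisation's own domains and the networks its
# on-premises devices (printers, scanners, line-of-business apps) send from.
INTERNAL_DOMAINS = {"contoso.example"}
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("198.51.100.0/24")]


def sender_domain(from_header):
    """Domain part of the RFC 5322 From: address, lower-cased ('' if absent)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def parse_auth_results(value):
    """Extract the spf/dkim verdicts and the connecting client IP from an
    Authentication-Results header (constructed layout; adapt the regexes to
    the header your gateway actually writes)."""
    value = value or ""
    spf = re.search(r"\bspf=(\w+)", value)
    dkim = re.search(r"\bdkim=(\w+)", value)
    ip = re.search(r"client-ip=([0-9a-fA-F.:]+)", value)
    return (spf.group(1).lower() if spf else "none",
            dkim.group(1).lower() if dkim else "none",
            ip.group(1) if ip else None)


def assess_direct_send(raw_message, internal_domains=INTERNAL_DOMAINS,
                       trusted_networks=TRUSTED_NETWORKS):
    """Return {'suspicious': bool, 'reasons': [...]} for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    domain = sender_domain(msg.get("From", ""))
    if domain not in internal_domains:
        # Ordinary external mail; the Direct Send abuse is about internal look-alikes.
        return {"suspicious": False, "reasons": ["external sender domain"]}

    spf, dkim, client_ip = parse_auth_results(msg.get("Authentication-Results"))
    authenticated = spf == "pass" or dkim == "pass"
    from_trusted = False
    if client_ip is not None:
        addr = ipaddress.ip_address(client_ip)
        from_trusted = any(addr in net for net in trusted_networks)

    reasons = []
    if not authenticated:
        reasons.append(f"internal From: {domain} with spf={spf}, dkim={dkim}")
    if not from_trusted:
        reasons.append(f"connecting IP {client_ip} not in trusted networks")
    # Unauthenticated AND from an unexpected network is the spoofing pattern;
    # an unauthenticated message from a known device network is expected Direct Send.
    return {"suspicious": not authenticated and not from_trusted, "reasons": reasons}


# Constructed sample messages (one spoofed, one legitimate device, one external).
SPOOFED = "\n".join([
    "Authentication-Results: spf=fail smtp.mailfrom=contoso.example; dkim=none; client-ip=203.0.113.45",
    "From: HR Department <hr@contoso.example>",
    "To: alice@contoso.example",
    "Subject: Updated payroll portal - action required",
    "",
    "Please sign in at the new portal to confirm your details.",
])
LEGIT_DEVICE = "\n".join([
    "Authentication-Results: spf=none smtp.mailfrom=contoso.example; dkim=none; client-ip=10.20.30.40",
    "From: Scanner <scanner@contoso.example>",
    "To: alice@contoso.example",
    "Subject: Scanned document",
    "",
    "Attached.",
])
EXTERNAL = "\n".join([
    "Authentication-Results: spf=pass smtp.mailfrom=example.net; dkim=pass; client-ip=192.0.2.10",
    "From: Partner <partner@example.net>",
    "To: alice@contoso.example",
    "Subject: Invoice",
    "",
    "See attached invoice.",
])

if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED), ("device", LEGIT_DEVICE), ("external", EXTERNAL)):
        print(name, assess_direct_send(sample))
```

The legitimate scanner also fails authentication, which is exactly why Direct Send exists; the distinguishing signal is the connecting network, so the check only fires when both indicators line up. Tenants that do not need Direct Send can reject the pattern outright at the gateway, and those that do should keep the trusted-network list tight.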
  • Russian state-sponsored hackers have bypassed Google’s multi-factor authentication (MFA) by persuading high-value targets to generate and share app-specific passwords. The attackers, posing as US Department of State officials, used advanced social engineering to build trust and then guided victims through the process of creating a 16-digit app password. Because these passwords inherently bypass the second authentication factor, the attackers gained full access to the victims’ Gmail accounts upon obtaining the password.
  • A new malware campaign leverages fake installers of popular AI tools like DeepSeek to deliver the Sainbox RAT and a hidden rootkit. Primarily targeting Chinese-speaking users via phishing sites, the attack uses MSI installers to drop legitimate software alongside the malicious payload. The malware uses DLL side-loading to execute the Sainbox RAT, a variant of Gh0stRAT, and a modified version of the open-source Hidden rootkit to maintain stealthy, persistent access to compromised systems.

Regulatory and Policy Updates

  • CISA and the NSA have released new joint guidance strongly encouraging the adoption of memory-safe programming languages (MSLs) such as Rust, Go, C#, Java, and Python. The guidance aims to reduce the prevalence of memory safety vulnerabilities, which constitute a major class of software flaws that are frequently exploited. It highlights the benefits of MSLs in providing built-in safeguards and outlines practical approaches for organizations to transition toward more secure software development practices, enhancing security by design.
  • A bipartisan bill, the “No Adversarial AI Act,” has been introduced in the U.S. Congress to block federal agencies from procuring or using AI systems developed by foreign adversaries, with a particular focus on China. The legislation responds to national security concerns about AI companies, such as DeepSeek, with alleged ties to foreign governments and intelligence services. The bill aims to prevent potential espionage and data exposure by prohibiting the use of these AI models on government devices and within federal systems.
  • NATO allies have formally agreed to increase their defense spending to 5% of GDP within the next decade. The new commitment includes 3.5% for core military spending and an additional 1.5% for broader resilience efforts. This latter portion can be allocated to civilian cybersecurity capabilities, critical national infrastructure protection, and supply chain security, reflecting an expanded definition of defense in response to modern threats.
  • The U.S. House of Representatives has banned the use of WhatsApp on all employee devices, following a determination by its Office of Cybersecurity. The notice cited that the app poses a “high risk to users” due to a lack of transparency in its data protection methods, an absence of stored data encryption, and other potential security risks. This move reflects growing governmental scrutiny of the security practices of popular communication platforms.
  • With the 2015 Cybersecurity Information Sharing Act (CISA) set to expire in September 2025, U.S. lawmakers are considering a short-term extension of the law. This act provides legal liability protections for companies to share threat intelligence with the government and each other. While a bipartisan Senate bill proposes a simple 10-year renewal, the House is reportedly considering modifications, making a temporary extension a likely compromise to avoid a lapse in the crucial information-sharing framework.
  • Analysis by the EFF and Privacy Rights Clearinghouse reveals significant compliance gaps in state-level data broker registration laws. Hundreds of companies registered as data brokers in one state (e.g., California, Texas) have failed to register in others with similar laws (e.g., Oregon, Vermont). This inconsistency highlights the challenges of a patchwork of state regulations and raises questions about enforcement, as many firms may be operating without proper disclosure.

Security Operations

  • Microsoft has launched the Windows Resiliency Initiative to enhance system stability and security, partly in response to the 2024 CrowdStrike outage. A key change involves moving third-party security drivers, like antivirus, out of the Windows kernel and into user mode to prevent system-wide crashes. Additionally, Microsoft is replacing the “Blue Screen of Death” with a simplified black screen and introducing a “Quick Machine Recovery” feature to automate fixes for boot failures in Windows 11 24H2.
  • Microsoft has released RIFT, an open-source tool designed to aid in the reverse engineering of malware written in Rust. As threat actors increasingly adopt Rust for its performance and security features, analyzing these complex binaries has become more challenging. RIFT helps analysts automate the identification of malicious code by differentiating attacker-written functions from the extensive standard library code compiled into Rust binaries, thereby improving the efficiency and accuracy of malware analysis.
  • Security operations are adapting to the rise of AI agents, which presents new threat vectors that bypass traditional defenses. Cisco is developing a “Semantic Inspection Proxy” to analyze agent behavior and intent, rather than just code. This is critical as vulnerabilities are being discovered in the Model Context Protocol (MCP) servers used to connect LLMs to external tools, creating risks of remote code execution and prompt injection attacks if not securely configured.
  • Let’s Encrypt is preparing to issue SSL/TLS certificates directly for IP addresses, a major development for securing services without a domain name, such as internal network devices and IoT endpoints. These certificates will have an ultra-short validity period of only six days, which promotes automation and significantly reduces the window of opportunity for misuse if a certificate is compromised. The feature is currently in a controlled, allowlist-only testing phase.
  • Organizations are shifting from basic vulnerability prioritization to more action-oriented exposure management to address security backlogs. This approach emphasizes not just identifying which vulnerabilities are critical but also providing clear, prescriptive remediation guidance to development teams. By focusing on fixes that have the maximum impact, such as patching a base image to resolve multiple CVEs, and automating workflows, security teams can reduce technical debt and make measurable progress in reducing risk.
  • A new malware trojan from combatshell[.]com was observed bypassing UAC, establishing persistence via the startup folder and registry modification, and using dangerous Windows APIs for potential code injection and privilege escalation. The malware, identified as CombatShell.exe, checks for sandbox environments and hijacks msedge.exe to operate covertly. This highlights the need for robust endpoint monitoring and behavioral analysis to detect such multi-stage, evasive threats.
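The two persistence mechanisms named above (startup folder and registry modification) are both visible to endpoint telemetry, so here is a small hunt over Sysmon-style events, written for this brief as an added example rather than taken from the brief's sources or from any vendor. The events are constructed in Sysmon's field naming (EventID 13 = RegistryEvent value set, EventID 11 = FileCreate) and serialised as JSON lines; the user name, SID, value names and file paths are made up, and only the CombatShell.exe process name comes from the item above. A real pipeline would read the same fields from the SIEM or the forwarded Windows event log.

```python
"""Hunt Sysmon-style JSON events for autostart persistence (added example)."""
import json
import re

# Run / RunOnce value writes under any hive, and files dropped into a per-user
# or all-users Startup folder.  Windows paths are case-insensitive, so match that way.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)
STARTUP_DIR_RE = re.compile(
    r"\\Start Menu\\Programs\\StartUp\\[^\\]+$", re.IGNORECASE)
# Writers living in user-writable locations deserve a higher severity than
# installers running from Program Files or System32.
USER_WRITABLE_RE = re.compile(
    r"\\(Users\\[^\\]+\\(Downloads|AppData)|Windows\\Temp)\\", re.IGNORECASE)


def severity_for(image):
    return "high" if USER_WRITABLE_RE.search(image) else "medium"


def inspect_event(event):
    """Return an alert dict for one event, or None when it is not an autostart write."""
    eid = event.get("EventID")
    image = event.get("Image", "")
    if eid == 13 and RUN_KEY_RE.search(event.get("TargetObject", "")):
        return {"technique": "registry-run-key", "severity": severity_for(image),
                "image": image, "target": event["TargetObject"],
                "details": event.get("Details", "")}
    if eid == 11 and STARTUP_DIR_RE.search(event.get("TargetFilename", "")):
        return {"technique": "startup-folder", "severity": severity_for(image),
                "image": image, "target": event["TargetFilename"], "details": ""}
    return None


def hunt(lines):
    """Run inspect_event over JSON lines, skipping blanks; returns the alert list."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        alert = inspect_event(json.loads(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample events: two persistence writes by the malware, two benign writes.
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Users\alice\Downloads\CombatShell.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\EdgeUpdate",
     "Details": r"C:\Users\alice\AppData\Roaming\msedge.exe"},
    {"EventID": 11,
     "Image": r"C:\Users\alice\Downloads\CombatShell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"EventID": 11,
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{GUID}\DisplayName",
     "Details": "Example App"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_LINES):
        print(alert)
```

Run-key writes by legitimate installers are common, which is why the alert carries the writing process and its severity rather than blocking on its own; pairing the hit with process lineage (an unsigned binary in Downloads writing a Run value that points into AppData) is what separates the item above from routine software installation.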

Wins

  • A major international law enforcement operation has resulted in the arrests of key figures behind the notorious BreachForums cybercrime marketplace. French authorities detained four individuals suspected of being part of the ‘ShinyHunters’ collective. Additionally, British national Kai West, alleged to be the prolific threat actor ‘IntelBroker’, was arrested in France and is awaiting extradition to the U.S. on charges related to numerous high-profile data breaches that caused over $25 million in damages.
  • A series of global law enforcement actions, including the extensive “Operation Endgame,” has significantly disrupted the cybercrime ecosystem. These coordinated efforts have successfully taken down infrastructure associated with major malware loaders, botnets, and infostealers like Lumma Stealer and DanaBot. The operations also dismantled counter-antivirus services and seized domains for marketplaces like BidenCash, marking a significant win for international cybersecurity collaboration.
  • Authorities in Africa have intensified their fight against digital sextortion, a rapidly growing form of cybercrime on the continent. A notable success was a major takedown in mid-2024 that dismantled 63,000 Instagram accounts in Nigeria used for sextortion schemes. This action, part of a broader effort reported by INTERPOL, highlights a significant move against the organized criminal networks that are increasingly weaponizing this tactic.

Disclaimer

The summaries in this brief are generated autonomously by an LLM based on provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.

The brief is created in collaboration with BlackStork and is based on a free template.

Reach out if you have questions or suggestions.