Russia-linked UNC6293 phishing campaign targets ASPs of Russian critics
Citizen Lab and Google researchers detailed a recent Russian government-linked social engineering campaign that targeted prominent academics and critics of Russia. The campaign was active from at least April through June 2025 and used social engineering to convince targets to share their App-Specific Passwords (ASPs), which gave the attackers persistent access to the victims’ mailboxes. In May 2025 the campaign targeted Keir Giles, a prominent expert on Russian information operations: the attacker sent an email purporting to come from a United States Department of State employee, asking him to create an ASP on a Google account in order to access a secure document. The campaign has been attributed to UNC6293, which is assessed with low confidence to be associated with APT29.
Hijacked Discord invite links used to deliver AsyncRAT and Skuld Stealer
Check Point researchers discovered an ongoing malware campaign that exploits expired and released Discord invite links to deliver AsyncRAT and a customised version of Skuld Stealer that targets cryptocurrency wallets. The attackers combine the ClickFix phishing technique with multi-stage loaders and time-based evasions such as execution delays via scheduled tasks. The campaign exploits a flaw in Discord’s invitation system, enabling the attackers to hijack expired or deleted invite links through vanity link registration and silently redirect users from trusted sources to malicious servers. Both the payload delivery and data exfiltration occur exclusively via trusted cloud services. An evolution in attack techniques has been observed, with the threat actors now also able to bypass Chrome’s App Bound Encryption.
Water Curse delivers SMTP email bomber and Sakura-RAT via weaponised GitHub projects
Trend Micro researchers discovered a new ongoing campaign that abuses GitHub to deliver multi-stage malware, including an SMTP email bomber and Sakura-RAT. The malware provides remote access and persistence and exfiltrates credentials, browser data, and session tokens. At least 76 GitHub accounts have been linked to the campaign, with the malicious payloads embedded in the build scripts and project files of repositories presented as legitimate penetration testing tools. The infection chain uses obfuscated Visual Basic Script and PowerShell to download encrypted archives, extract Electron-based applications, and perform extensive system reconnaissance. Scheduled tasks and registry modifications provide long-term persistence. The campaign has been attributed to a new financially motivated threat actor, dubbed Water Curse.
XDSpy-linked XDigo malware used to target Eastern European and Russian government entities
Harfang Lab researchers analysed a campaign, ongoing since March 2025, targeting Eastern European and Russian government organisations with XDigo malware. The campaign is believed to be linked to Trend Micro’s recent discovery of cyberespionage actors hiding command line arguments within LNK files to execute malicious payloads. The infection chain starts with the victim unzipping an archive and opening the LNK file, which launches a legitimate executable that sideloads a malicious DLL acting as a downloader, dubbed ETDownloader. The identified XDigo samples are believed to be updated versions of those first documented in 2023. The activity has been linked to the XDSpy threat actor.
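The LNK trick referred to above is worth being able to check for at triage time. The following is an added example, not code from the Harfang Lab or Trend Micro write-ups: a minimal parser for the StringData section of a Windows shortcut (MS-SHLLINK layout: 0x4C-byte header, optional LinkTargetIDList and LinkInfo, then NAME, RELATIVE_PATH, WORKING_DIR, COMMAND_LINE_ARGUMENTS and ICON_LOCATION strings in that order), plus a heuristic that flags argument strings padded with whitespace or control characters so the visible part of the Properties dialog looks harmless. The 260-character display limit and the padding thresholds are assumptions chosen for the example, and the two shortcut blobs are constructed inline; they are not samples from the campaign.

```python
import re
import struct

# MS-SHLLINK: ShellLinkHeader is 0x4C bytes; LinkCLSID is 00021401-0000-0000-C000-000000000046.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that decide which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData entries appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = (
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk blob, skipping IDList and LinkInfo."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) followed by the ItemIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (4 bytes) counts the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"flags": flags}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            fields[name] = None
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, not bytes
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return fields


# Assumption for this example: the shortcut Properties dialog shows only the first part of
# the target string, so attackers pad the arguments until the real command is out of view.
VISIBLE_LIMIT = 260
PAD_RUN = re.compile(r"[\s\x00-\x1f]{10,}")


def suspicious_arguments(args):
    """Return the reasons a COMMAND_LINE_ARGUMENTS string looks padded to hide content."""
    reasons = []
    if not args:
        return reasons
    lead = len(args) - len(args.lstrip())
    if lead >= 10:
        reasons.append(f"{lead} leading whitespace characters before the first argument")
    runs = PAD_RUN.findall(args.lstrip())
    if runs:
        reasons.append(f"{len(runs)} internal run(s) of whitespace/control characters")
    if len(args) > VISIBLE_LIMIT:
        reasons.append(f"arguments are {len(args)} characters, beyond what the dialog shows")
    return reasons


def scan(data: bytes) -> dict:
    """Parse one shortcut and attach the padding findings for its arguments."""
    fields = parse_lnk(data)
    return {
        "target": fields["relative_path"],
        "arguments": fields["arguments"],
        "findings": suspicious_arguments(fields["arguments"]),
    }


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal .lnk carrying only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack(
        "<I16sIIQQQIIIHHII",
        LNK_HEADER_SIZE, LNK_CLSID, flags,
        0x20,        # FILE_ATTRIBUTE_ARCHIVE
        0, 0, 0,     # creation/access/write FILETIMEs
        0, 0,        # FileSize, IconIndex
        1,           # ShowCommand = SW_SHOWNORMAL
        0, 0, 0, 0,  # HotKey, Reserved1, Reserved2, Reserved3
    )

    def s(text):  # CountCharacters + UTF-16LE characters
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + s(relative_path) + s(arguments)


# Constructed samples (hypothetical file names): a benign shortcut and one whose real
# command line sits behind 300 spaces, mirroring the hiding technique described above.
BENIGN = build_lnk(".\\viewer.exe", "/open report.pdf")
PADDED = build_lnk(".\\viewer.exe", " " * 300 + '-w hidden -c "Start-Process .\\update.exe"')

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("padded", PADDED)):
        print(label, scan(blob)["findings"])
```

Run it against a directory of extracted `.lnk` files by reading each one into `scan()`; anything with findings deserves a look at the full arguments string and at what the relative path actually resolves to, since a harmless-looking target binary is exactly what a sideloading chain wants you to see.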
Phishing campaign targets European organisations with Sorillus RAT
Orange Cyberdefense researchers detailed an ongoing campaign targeting European organisations with the Sorillus remote access trojan (RAT). The campaign was first identified in March 2025 targeting customers in Belgium but has since been linked to a larger campaign targeting organisations in Spain, Portugal, France, and the Netherlands. Initial access comes from invoice-themed phishing emails containing a OneDrive link that displays a PDF; clicking the PDF redirects the victim to a malicious web server exposed through ngrok. The server checks the victim’s browser and language settings to decide whether to serve the next stage. If the checks pass, a JAR file is downloaded that attempts to establish persistence and leads to the installation of Sorillus RAT. Brazilian threat actors are likely behind the campaign.
Ransomware
Ransomware Gangs Collapse as Qilin Seizes Control – Cybereason Blog – Jun 17 2025
BERT Ransomware Upgrades to Attacks Linux Machines Using Weaponized ELF Files – Siembiot – Jun 17 2025
Anubis: A Closer Look at an Emerging Ransomware with Built-in Wiper – Trend Micro Research, News, Perspectives – Jun 13 2025
The Spectre of SpectraRansomware – K7 Computing Lab Blog – Jun 12 2025
Fog Ransomware: Unusual Toolset Used in Recent Attack – Symantec Enterprise Blogs – Jun 12 2025
Financial Services
SuperCard Malware Hijacks Android Devices to Steal Payment Card Data and Relay it to Attackers – GBHackers On Security – Jun 18 2025
Suspected Israeli hackers claim to destroy data at Iran’s Bank Sepah – Reuters – Jun 17 2025
Scattered Spider has moved from retail to insurance – The Register – Jun 16 2025
Malicious Loan App Removed from iOS and Google Play App Store Posed Severe Risks to Users – Check Point Blog – Jun 16 2025
Inside FluxPanel: How Phishing Enables Real-Time Ecommerce Checkout Hijacks – Abnormal Security – Jun 12 2025
Geopolitics
APTiran Allegedly Hits Israeli Critical Infrastructure with Ransomware – Daily Dark Web – Jun 16 2025
Cyber Escalation in Southeast Asia: AnonSecKh Targets Thailand – Radware Threat Reports – Jun 16 2025
CyberVolk Declares Cyberwar Against Europe, Japan and the U.S. Under Operation BlackEye – TechNadu – Jun 14 2025
Heightened Cyberthreat Amidst Israel-Iran Conflict – Radware Threat Reports – Jun 13 2025
Sweden under cyberattack: Prime minister sounds the alarm – EurActiv.com – Jun 11 2025
High Priority Vulnerabilities
Name | Software | CVSS Base Score | CVSS Temporal Score | Related
---|---|---|---|---
CVE-2023-0386 | Kernel | 7.8 | 5.1 | Linux kernel flaw actively exploited for root privilege escalation
CVE-2023-33538 | TL-WR740N | 8.8 | 8.8 | TP-Link router and Apple iOS flaws actively exploited
CVE-2023-28771 | ATP | 9.8 | 9.8 | High-severity Zyxel remote code execution flaw under active exploitation
CVE-2025-3248 | langflow | 9.8 | 7.0 | Critical Langflow flaw exploited to deliver Flodrix botnet
CVE-2025-4123 | Grafana | 7.6 | 3.5 | Over 46,000 Grafana instances exposed to recently patched account takeover flaw