UNC6040 vishing campaign targets Salesforce instances for credential theft
Google researchers detailed the threat actor UNC6040, a financially motivated threat cluster that specialises in vishing campaigns designed to compromise organisations’ Salesforce instances. UNC6040 impersonates IT support personnel to trick employees into installing a malicious version of Salesforce’s Data Loader and into disclosing sensitive credentials, which are then used for lateral movement and to steal data from other cloud platforms such as Okta and Microsoft. In some instances, extortion activity was not observed until several months after the initial intrusion, suggesting that UNC6040 is working with another threat actor that monetises the stolen data. Other intrusions involved tactics, techniques, and procedures that overlap with those of ‘The Com’ hacker collective. UNC6040 has also claimed affiliation with the ShinyHunters hacker group, likely to increase pressure on its victims.
UNC5792 spear phishing attack targets Armenian civil society via Signal messenger
In early March 2025, CyberHUB researchers discovered a UNC5792 spear phishing campaign targeting individuals and organisations in Armenia’s civil society and public sector. The campaign used the ‘Armine Poghosyan’ persona to send Signal messages purporting to come from Armenia’s High-Tech Industry Ministry. The messages invite users to join a supposed ‘information platform’ on global and Armenian political events by clicking on a malicious link.
The URLs within the Signal messages were short-lived to hinder analysis. If a targeted victim informed the attacker that the link had expired, the attacker would immediately send a new, functioning URL.
Phishing campaigns abuse Glitch platform to target Navy Federal Credit Union members
From January 2025 to April 2025, Netskope researchers observed a 3.32x increase in traffic to phishing pages created on the Glitch platform. The campaigns have affected more than 830 organisations and over 3,000 users, primarily targeting Navy Federal Credit Union members and seeking sensitive information. Attackers abused Glitch’s features to host their phishing pages for free across multiple projects. Half of the campaigns abuse Telegram to exfiltrate victims’ data and capture one-time passwords (OTP). Some campaigns employ a custom-built CAPTCHA test, which redirects the victim to the phishing site. In other cases, the phishing pages mimic payment gateways to harvest credit card numbers and phone numbers before prompting the victim for an OTP.
Updated version of Crocodilus expands targeting
Threat Fabric researchers observed multiple new campaigns involving the Crocodilus Android banking trojan, with its target list now expanding beyond Spain and Turkey to also include additional European countries, Argentina, Brazil, the United States, Indonesia, and India. The malware is being spread via malvertising campaigns on social media, including through apps supposedly offering bonus points. The malware has been updated with improved obfuscation techniques used to hinder analysis and detection, including code packing for both the dropper and payload, additional XOR encryption of the payload, and convoluted code. Crocodilus can now also modify the contact list on an infected device, increasing the attacker’s control.
Global spear phishing campaign leverages NetBird to target financial executives
On May 15th, 2025, Trellix researchers discovered a spear phishing operation targeting CFOs and finance executives at banks, energy companies, insurers, and investment firms across Europe, Africa, Canada, the Middle East, and South Asia. The attackers aimed to deploy the remote access tool NetBird to establish persistence and further penetrate the victims’ networks. The attack begins with a phishing email impersonating a Rothschild & Co recruiter, which contains a supposed PDF attachment that is actually a phishing link redirecting to a Firebase app-hosted URL. Victims are then prompted to solve a custom CAPTCHA that, once solved, downloads a ZIP file that unpacks to a VBS script. Running the script executes a second VBS, which silently installs two Microsoft Installer packages, one containing NetBird and the other containing OpenSSH. The script then creates a hidden local account, sets its password to never expire, and ensures NetBird restarts on every boot via scheduled tasks.
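A host-side hunt for the persistence artefacts described above, written here as an added example (it is not Trellix’s tooling or part of the original report). It assumes that the account is hidden via the Winlogon SpecialAccounts\UserList registry key and that the NetBird task and package names contain the string “netbird”; both are assumptions, not details from the report. Run it in an elevated PowerShell session.

```powershell
# Added hunt script (not from the Trellix report): flags the persistence indicators
# described above. Assumptions not stated in the report: "hidden" means the account
# is suppressed from the logon screen via SpecialAccounts\UserList, and the NetBird
# task/package names contain "netbird".
$findings = @()

# 1. Enabled local accounts whose password never expires (PasswordExpires is $null).
Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordExpires } | ForEach-Object {
    $findings += [pscustomobject]@{ Indicator = 'LocalUserPasswordNeverExpires'; Detail = $_.Name }
}

# 2. Accounts hidden from the logon screen (assumed mechanism; a value of 0 hides the account).
$userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (Test-Path $userList) {
    $props = Get-ItemProperty -Path $userList
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notlike 'PS*' -and $p.Value -eq 0) {
            $findings += [pscustomobject]@{ Indicator = 'AccountHiddenFromLogon'; Detail = $p.Name }
        }
    }
}

# 3. Scheduled tasks whose action references NetBird (the boot-time restart described above).
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if (("$($a.Execute) $($a.Arguments)") -match 'netbird') {
            $findings += [pscustomobject]@{ Indicator = 'ScheduledTaskRunsNetBird'; Detail = "$($task.TaskPath)$($task.TaskName)" }
        }
    }
}

# 4. NetBird or OpenSSH present as installed packages (MSI uninstall registry entries).
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'NetBird|OpenSSH' } | ForEach-Object {
        $findings += [pscustomobject]@{ Indicator = 'SuspectMsiPackage'; Detail = $_.DisplayName }
    }

# An empty table means none of the four indicators was found on this host.
$findings | Format-Table -AutoSize
```

A single hit (for example OpenSSH on a server where it is expected) is not conclusive on its own; the combination of a non-expiring hidden account plus a NetBird task is the pattern worth escalating.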
Ransomware
New Honeywell 2025 Cyber Threat Report reveals ransomware surges 46 percent with OT systems as key targets – Industrial Cyber – Jun 04 2025
Updated Guidance on Play Ransomware – CISA Current Activity – Jun 04 2025
SafePay Ransomware Emerges as Most Prolific Threat Actor of May 2025 – TechNadu – Jun 04 2025
From Ransomware to AdLoad: The Cyber Threats Targeting Today’s IT Supply Chains – ITSupplyChain.com – Jun 04 2025
Germany doxxes Conti ransomware and TrickBot ring leader – Bleeping Computer – May 30 2025
Dark Web Profile: NightSpire Ransomware – SOCRadar – May 30 2025
Cybercriminals camouflaging threats as AI tool installers – Talos Intelligence Blog – May 29 2025
Financial Services
DCRat Targets Latin American Users to Steal Banking Credentials – HEAL Security – Jun 04 2025
Cyber Criminals Defraud Hedera Hashgraph Network Non-Custodial Wallet Users Through Nonfungible Token Airdrops Disguised as Free Rewards – Internet Crime Complaint Center – Jun 03 2025
Cyber Bureau warns of phishing scams targeting bank and digital wallet users – Kathmandu Post – Jun 02 2025
Capital One Customers Targeted By Credential Harvesting Phishing Campaign – KnowBe4 Blog – May 29 2025
Monkey-Patched PyPI Packages Use Transitive Dependencies to Steal Solana Private Keys – Socket – May 29 2025
Geopolitics
China accuses Taiwan of running five feeble APT gangs, with US help – The Register – Security – Jun 05 2025
Global Conflicts in the Digital Age – How Geopolitics Influence Cyber Operations – Threat Reports – Silobreaker – Jun 04 2025
Hidden Bear: The GRU hackers of Russia’s most notorious kill squad – NCSC-FI Daily News – Jun 02 2025
Meta Disrupts Influence Ops Targeting Romania, Azerbaijan, and Taiwan with Fake Personas – The Hacker News – May 30 2025
85 Iranian cyberattacks linked to killing plots foiled in 2025, Israel says – IranIntl.com – May 29 2025
High Priority Vulnerabilities
Name | Software | Base Score | Temp Score | Related
---|---|---|---|---
CVE-2025-5419 | Chrome | 8.8 | 6.0 | New Chrome Zero-Day Actively Exploited; Google Issues Emergency Out-of-Band Patch
CVE-2021-32030 | GT-AC2900 | 9.8 | 7.0 | CISA warns of actively exploited flaws in ASUS routers, ScreenConnect, and Craft CMS
CVE-2020-14144 | Gitea | 7.2 | 6.0 | JINX-0132 targets DevOps servers to deploy XMRig in cryptojacking campaign
CVE-2025-3755 | MELSEC iQ-F FX5S-80MR | 9.1 | 9.1 | Critical flaw in Mitsubishi Electric MELSEC iQ-F Series could enable denial-of-service attacks
CVE-2025-5277 | aws-mcp-server | 9.6 | 8.4 | Critical OS command injection flaw discovered in aws-mcp-server MCP server