Skip to main content
Skip to footer
Houken intrusion set exploited Ivanti zero-day flaws to access networks of French entities
In September 2024, the French Cybersecurity Agency (ANSSI) observed a new intrusion set, dubbed Houken, exploiting Ivanti Cloud Service Appliance vulnerabilities as zero-days to gain initial access to French entities’ networks. Among the flaws are CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380, which were also exploited for remote arbitrary code execution. While the primary motivation appears to be access brokering, evidence of direct data theft and the installation of Monero cryptominers was also observed. Upon gaining access, the threat actors aimed to obtain credentials through the execution of Base64–encoded Python script. They also aimed to establish persistence by deploying or creating PHP webshells, modifying existing PHP scripts to add webshell capabilities, and occasionally installing a kernel module that acts as a rootkit. The attackers also performed reconnaissance activities, moved laterally, and attempted to self-patch web resources. ANSSI suspects that the Houken intrusion set it operated by the same threat actor previously described by Mandiant as UNC5174.
Microsoft 365 Direct Send feature abused to send phishing emails as internal users
Varonis researchers discovered a phishing campaign abusing Microsoft 365’s Direct Send feature to spoof internal users, without authentication. The campaign has been ongoing since May 2025, with over 70 organisations targeted with phishing emails to date, the majority of which are based in the United States. Observed phishing emails were made to resemble voicemail notifications containing a PDF attachment with a QR code that redirects users to a Microsoft 365 credential harvesting page. The attackers use PowerShell to send spoofed emails via the smart host to make the emails appear to come from a legitimate internal address. The technique is possible because no login or credentials are required, the smart host accepts emails from any external source, the only requirement is that the recipient is internal to the tenant, and the ‘from’ address can be spoofed to any internal user. As the emails are routed through Microsoft’s infrastructure, they will also bypass traditional email security controls.
Threat actors abuse legitimate Java utilities and oil-themed lures to distribute Snake Keylogger
Labs52 researchers discovered a new spear phishing campaign distributing the Russian origin infostealer, Snake Keylogger, under the guise of offering oil products. The phishing emails impersonate the Kazakhstan oil company LLP KSK PETROLEUM LTD OIL AND GAS and contain a zipped attachment that uses the legitimate ‘jsadebugd’ Java utility for debugging processes and DLL sideloading to load Snake Keylogger into a legitimate binary. Upon execution, the malware sends the IP of the computer along with the country of origin using legitimate websites, and exfiltrates passwords from multiple applications and browsers through SMTP protocol. The campaign is believed to either be targeting the oil industry or exploiting fears surrounding a possible increase in oil prices due to the possible closure of the Strait of Hormuz.
Phishing campaign impersonates global retail brands to steal online payment details
Silent Push researchers detailed an ongoing e-commerce phishing campaign impersonating major retail brands in an attempt to steal payment data from English and Spanish-speaking online shoppers. The campaign was first discovered by security researcher Ignacio Gómez Villaseñor during Mexico’s Hot Sale 2025 event but has since expanded to target a more global audience, with Apple, Harbor Freight Tools, and Michael Kors among the targeted brands. The threat actor also abuses online payment services, such as Mastercard, PayPal, and Visa, to process victims’ payments, with some of the phishing sites also including Google Pay purchase widgets. Some of the phishing pages appear convincing, featuring scraped product listings and fake checkout pages, while others include misspelled brand names and products that are not sold by the legitimate brands.
Phishing scheme impersonates US DOGE to steal personal information
CyberScoop and Proofpoint researchers observed a new phishing scheme impersonating the US Department of Government of Efficiency (DOGE). The campaign aims to steal personal information and exploit individuals who believe they will receive direct compensation from the department’s supposed efforts to cut down on waste, fraud, and abuse. Almost 1,800 email addresses and over 350 organisations affiliated with colleges and universities, transit entities, as well as government and other organisations, received the message. The email claimed to be from a DOGE agent belonging to the non-existent ‘Division of Government & Economic Development’, assigned the recipient a specific ID, and offered them the option to message a DOGE agent. The email contained a link that redirected to a WhatsApp chat with an individual who claimed to be a DOGE official authorised to issue tax refunds. The scammer then sent a PDF to fill out for the refund, likely to harvest personal information. IP addresses from the scheme appeared to be coming from southern Nigeria.
Ransomware
Hunters International ransomware shuts down, releases free decryptorsBleeping Computer – Jul 03 2025Cl0p cybercrime gang’s data exfiltration tool found vulnerable to RCE attacksTheRegister.com – Jul 02 2025DEVMAN Ransomware: Analysis of New DragonForce VariantThreat Intelligence on Medium – Jul 01 2025Emerging Threat Actor: NightSpire RansomwareHalcyon.ai – Jul 01 2025Switzerland says government data stolen in ransomware attackBleeping Computer – Jun 30 2025Russian hackers get 7 and 5 years in prison for large-scale cyber attacks with ransomware, over 60 million euros in bitcoins seizedDataBreaches.net – Jun 30 2025Hide Your RDP: Password Spray Leads to RansomHub DeploymentThe DFIR Report – Blog – Jun 30 2025
Financial Services
Brazil’s C&M Software hit by cyberattack, central bank saysReuters – Jul 02 2025Crypto investment fraud ring dismantled in Spain after defrauding 5 000 victims worldwideEuropol – Jun 30 2025WEEVILPROXY: An evasive and sophisticated malware campaign silently targeting crypto users across the globeWithSecure Labs – Jun 27 2025Tracing Blind Eagle to Proton66SpiderLabs Blog – Jun 27 2025CapCut Con: Apple Phishing & Card-Stealing Refund RuseCofense – Jun 26 2025
Geopolitics
Jasper Sleet: North Korean remote IT workers’ evolving tactics to infiltrate organizationsMicrosoft – Security Blog – Jun 30 2025CISA and Partners Urge Critical Infrastructure to Stay Vigilant in the Current Geopolitical EnvironmentCISA Current Activity – Jun 30 2025GIFTEDCROOK Malware Evolves: From Browser Stealer to Intelligence-Gathering ToolThe Hacker News – Jun 28 2025Chinese Hackers Deploy Pubload Malware Using Tibetan Community Lures and Weaponized FilenamesGBHackers On Security – Jun 26 2025Operation Overload: More Platforms, New Techniques, Powered by AIThreat Reports – CheckFirst – Jun 26 2025
High Priority Vulnerabilities
| Name | Software | Base Score |
Temp Score |
|
|---|---|---|---|---|
| CVE-2025-6554 | Chrome | 8.1 | 6.0 | |
| Related: Google fixes fourth actively exploited Chrome zero-day of 2025 | ||||
| CVE-2025-32463 | sudo | 9.3 | 7.5 | |
| Related: Critical and high-severity privilege escalation flaws discovered in Sudo | ||||
| CVE-2025-5777 | NetScaler Gateway | 9.8 | 9.4 | |
| Related: Active exploitation of Citrix Bleed 2 identified | ||||
| CVE-2024-54085 | MegaRAC-SPx | 9.8 | 9.4 | |
| Related: Flaw in AMI MegaRAC that enables full control over server fleets actively exploited | ||||
| CVE-2025-48927 | Service | 5.3 | 5.3 | |
| Related: U.S. CISA adds TeleMessage TM SGNL flaws to its Known Exploited Vulnerabilities catalog | ||||