Cyware Monthly Threat Intelligence, June 2025


Monthly Threat Briefing July 1, 2025

The Good

In a significant boost to global cybersecurity resilience, the U.K. and Canada, backed by G7 leaders, launched the Common Good Cyber Fund to support nonprofits securing civil society groups and high-risk individuals against cyber threats, with grants managed by the Internet Society. In parallel, Microsoft introduced a free European Security Program to help EU governments counter state-sponsored threats using AI-powered threat intelligence and partnerships with Europol and others.

  • A Common Good Cyber Fund was launched to support non-profits delivering critical cybersecurity services for public benefit. The fund is backed by the U.K. and Canada, with G7 leaders endorsing similar initiatives to aid civil society groups combating transnational repression. It will focus on securing core digital infrastructure and providing cybersecurity assistance to high-risk individuals and groups. Managed by the Internet Society, the fund will have an expert advisory board to guide its grant programs, with further details to be announced. The initiative addresses threats to civil society such as cyber surveillance and targeting, especially of journalists and human rights organizations.
  • Law enforcement from six countries dismantled Archetyp Market, a darknet drug marketplace operating since May 2020, with over 612,000 users and €250 million ($288 million) in Monero transactions. The operation, "Deep Sentinel," led to the arrest of a German admin in Spain, a moderator, and six top vendors in Germany and Sweden. Authorities seized 47 smartphones, 45 computers, narcotics, and €7.8 million ($9 million) in assets.
  • The UK government launched a Cyber Growth Action Plan to bolster cybersecurity and economic growth following recent high-profile cyberattacks on retailers like M&S, costing £300m ($404m). Led by experts from Bristol and Imperial College, the plan will review cyber goods, services, and emerging tech like AI. It includes £16m ($21.5m) for CyberASAP (£10m/$13.5m) and Cyber Runway (£6m/$8m) to support startups, aiming for 25 new spin-outs and £30m ($40.4m) in investment by 2030. The UK’s cybersecurity sector, generating £13.2bn ($17.8bn) in 2024, will feed into the National Cyber Strategy.
  • The U.S. Department of Justice, with the FBI, Secret Service, Tether, and TRM Labs, seized over $225 million in cryptocurrency, the largest U.S. Secret Service crypto seizure, linked to investment scams and money laundering. Blockchain analysis traced funds from over 400 victims through a complex network of addresses. Tether froze and reissued the funds for forfeiture. The scam involved 144 OKX accounts, with one victim, a bank CEO, losing $47.1 million. Funds were laundered through 93 deposit addresses, 35 intermediary wallets, and seven final USDT wallet groups, incurring up to $125,000 in gas fees to obscure traceability.
  • INTERPOL took down over 20,000 malicious IP addresses linked to 69 malware variants during Operation Secure, conducted between January and April 2025. The operation involved 26 countries and led to the takedown of 79% of identified suspicious IPs, the seizure of 41 servers and over 100 GB of data, and the arrest of 32 suspects. Vietnamese authorities arrested 18 individuals, while Sri Lanka and Nauru saw 12 and 2 arrests respectively. Confiscated items included devices, SIM cards, and $11,500 in cash. Hong Kong authorities identified 117 command-and-control servers used for phishing, fraud, and social media scams, hosted across 89 internet service providers.
  • NIST has released new guidance for implementing Zero Trust Architecture (ZTA), moving beyond the conceptual framework it published in 2020 (SP 800-207). The publication aims to help organizations address implementation challenges as ZTA adoption increases under regulatory pressure. The guidance includes 19 example implementations developed with 24 industry partners, covering models such as enhanced identity governance, software-defined perimeter, and microsegmentation. It emphasizes that ZTA solutions must be tailored to each organization's environment and clarifies that the mention of commercial technologies does not imply endorsement by NIST.
  • U.S. legislators introduced a bipartisan Healthcare Cybersecurity Bill to enhance the federal government’s role in preventing and addressing data breaches in the healthcare sector. The bill mandates collaboration between CISA and HHS to improve cybersecurity in the healthcare and public health sectors. Key provisions include real-time cyber threat intelligence sharing, cybersecurity training for healthcare providers, creation of a risk management plan, and identification of high-risk assets in the sector. The bill emphasizes proactive measures such as infrastructure building, patient privacy protection, and national security defense.
  • The DOJ seized approximately 145 darknet and clear web domains linked to the BidenCash marketplace, which began operations in March 2022. Initially a low-profile credit card shop, BidenCash gained popularity by releasing free promotional dumps. With over 117,000 users, it trafficked over 15 million payment cards and generated $17 million in revenue, distributing 3.3 million stolen cards for free to attract customers. The stolen data included full card details and personal information. Authorities redirected the seized domains to law enforcement servers to prevent future criminal activity.
  • Microsoft launched a free European Security Program aimed at enhancing cybersecurity for EU governments, particularly against threats from state-sponsored actors in Russia, China, Iran, and North Korea. The program utilizes AI to provide real-time threat intelligence, early warnings, and guidance on vulnerabilities. Microsoft plans to strengthen partnerships with Europol, the CyberPeace Institute, and ISPs to improve threat detection and disrupt cybercrime. 
  • The DOJ, in collaboration with Dutch and Finnish authorities, seized four domains (AvCheck[.]net, Cryptor[.]biz, Cryptor[.]live, and Crypt[.]guru) providing crypting services to cybercriminals. These services help malware evade antivirus detection, enabling unauthorized access to systems. This operation, part of Operation Endgame, aims to dismantle cybercrime networks and follows recent disruptions of other malware like Lumma Stealer. 

The Bad

A wave of sophisticated cyber threats emerged this month, including a stealthy campaign targeting WordPress sites to deliver a Windows RAT via obfuscated PHP scripts and a ZIP-based payload. Another phishing campaign used fake installers for WPS Office and Sogou to drop the Sainbox RAT and a stealthy rootkit, linked to the Silver Fox group. Meanwhile, nearly 400 IPs launched coordinated brute-force attempts against Apache Tomcat Manager interfaces, reconnaissance of the kind that typically precedes exploitation of flaws such as the actively exploited CVE-2025-24813.

  • A stealthy malware campaign has been discovered targeting WordPress websites to deliver a Windows-based RAT through a PHP backdoor. The infection chain involves obfuscated PHP scripts, evasion keyed on the visitor's IP address, and a malicious ZIP archive containing the trojan executable. The malware was found embedded in compromised WordPress environments, using legitimate-looking PHP files to deliver the payload. The chain uses header.php and man.php scripts, a batch file (update.bat), and a ZIP archive (psps.zip) containing client32.exe. The trojan establishes a covert connection to a C2 server at 5[.]252[.]178[.]123 on port 443.
  • Netskope identified a phishing campaign using fake installers for software like WPS Office and Sogou to deliver malware targeting Chinese speakers. The malware includes Sainbox RAT, a Gh0stRAT variant, and the open-source Hidden rootkit, which together give attackers control and stealth. The infection process involves MSI files that execute the legitimate software alongside malicious DLLs and shellcode payloads. The rootkit protects malware processes, conceals files, and evades security tools, granting attackers extensive control over compromised systems. Attribution to the Silver Fox group is based on consistent tactics and tools, though adversary attribution remains complex.
  • The Citrix Bleed 2 vulnerability (CVE-2025-5777) in NetScaler ADC and Gateway is reportedly being exploited in targeted attacks. The critical flaw lets unauthenticated attackers read out-of-bounds memory, potentially exposing sensitive data such as session tokens and credentials; a replayed session token grants access without a password or MFA prompt. Observations include hijacked Citrix sessions in which attackers authenticated without user interaction and then conducted Active Directory reconnaissance. A separate NetScaler vulnerability, CVE-2025-6543, is confirmed to be exploited for denial-of-service attacks.
  • Cybercriminals are exploiting the popularity of CapCut by launching phishing campaigns that mimic CapCut invoices to steal Apple ID credentials and credit card information. Victims are redirected to a fake Apple ID login page, where credentials are exfiltrated to a C2 server. The phishing attack includes a second stage where victims are asked for credit card details under the guise of a refund, with the data being exfiltrated in plaintext. A fake authentication code prompt is used to delay suspicion and extend the attack window.
  • The OneClik APT campaign targets the energy, oil, and gas sectors through phishing attacks utilizing Microsoft ClickOnce. This campaign deploys a .NET-based loader named OneClikNet, which installs a Golang backdoor called RunnerBeacon. The malware leverages cloud infrastructure, specifically AWS services, to evade detection by blending malicious activity with legitimate traffic. Key techniques include AppDomainManager hijacking, multi-layer encryption, and anti-debugging measures. The campaign has evolved through three variants—v1a, BPI-MDM, and v1d—each exhibiting increasing sophistication in evasion tactics and C2 obfuscation.
  • IBM X-Force researchers identified targeted cyberattacks by China-aligned group Hive0154 deploying Pubload malware via phishing lures aimed at the Tibetan community. Campaigns coincided with culturally significant events like the Dalai Lama’s 90th birthday and the World Parliamentarians’ Convention on Tibet (WPCT). Hive0154 utilized spear phishing emails with Google Drive links containing weaponized ZIP/RAR archives, exploiting DLL sideloading to activate the Claimloader DLL and Pubload payload. Pubload malware features advanced techniques, including TripleDES decryption, reverse shell access, and dynamic API imports, showcasing Hive0154's technical sophistication.
  • North Korean threat actors linked to the Contagious Interview campaign have published 35 malicious npm packages, six of which remain active. These packages have been downloaded over 4,000 times. The attack uses a malware loader called HexEval, which decodes and executes second-stage malware (BeaverTail) and third-stage backdoors (InvisibleFerret). This layered approach evades static analysis and manual reviews. Attackers employ typosquatting techniques, mimicking popular npm package names like react-plaid-sdk and vite-plugin-tools to deceive developers. HexEval Loader obfuscates C2 endpoints with hexadecimal encoding and uses conditional logic to selectively deliver malicious payloads. Some malicious packages, such as jsonsecs, include keyloggers for deeper surveillance across Windows, macOS, and Linux systems.
  • APT36, also known as Transparent Tribe, has launched a sophisticated phishing campaign targeting Indian defense personnel. The campaign involves emails containing malicious PDF attachments disguised as official government documents. When opened, these PDFs prompt users to click a deceptive button that leads to a fraudulent URL, triggering the download of a malicious executable. The malware, written in C/C++, employs advanced techniques to evade detection, including anti-debugging and anti-VM measures, while conducting keylogging and browser data theft. This operation aims for long-term access to sensitive defense networks, with the attack infrastructure linked to a domain registered in Brazil.
  • Attackers exploited Discord’s invite system by hijacking expired or deleted invite links, redirecting users to malicious servers. The attack used a fake verification bot and phishing sites to trick users into running harmful commands, downloading malware like AsyncRAT and Skuld Stealer. The malware spread through multi-stage infection chains using trusted services like GitHub and Pastebin to evade detection. Over 1,300 downloads were tracked globally, targeting cryptocurrency users and stealing credentials and wallet data. A parallel campaign targeted gamers, embedding malware in a Trojanized cheat tool for The Sims 4.
  • CISA issued an advisory on ransomware actors exploiting unpatched vulnerabilities in SimpleHelp RMM software, specifically versions 5.5.7 and earlier, which are affected by CVE-2024-57727, a path traversal vulnerability. Since January, these flaws have been leveraged to compromise customers of a utility billing software provider. The vulnerability was used in double-extortion attacks attributed to the Play ransomware gang and DragonForce, in which sensitive data was stolen and files encrypted. CISA added CVE-2024-57727 to its KEV Catalog in February. Organizations running SimpleHelp, including instances embedded in third-party products such as the billing software, are urged to check for unpatched versions and take appropriate action to secure their networks against disruption and data theft.
  • GreyNoise detected a significant coordinated attack on Apache Tomcat Manager interfaces involving nearly 400 unique IP addresses. The activity comprised brute-force attempts, with 250 IPs engaged in password guessing and 298 attempting unauthorized logins, far above the normal baseline. Most of the IPs were classified as malicious, primarily originating from DigitalOcean's infrastructure and spanning multiple countries, including the U.S., the U.K., and Germany. The campaign is reconnaissance rather than exploitation of a specific flaw, but such activity often precedes targeted exploitation, particularly with the critical Apache Tomcat remote code execution vulnerability CVE-2025-24813 under active exploitation since March 2025.
  • Cybersecurity researchers discovered a widespread campaign involving malicious code planted in over 130 open-source GitHub repositories, targeting cybercriminals and gamers. The operation focused on backdoored repositories disguised as game cheats, hacking tools, and other utilities, with malware hidden in obfuscated code. Four types of backdoors were identified: PreBuild, Python, screensaver (.scr), and JavaScript. The campaign employs automated workflows via YAML files to simulate repository maintenance. The threat actor uses Telegram bots for notifications and paste sites for intermediate infection stages.
  • ViperSoftX malware is actively targeting cryptocurrency users, distributing PowerShell scripts that execute malicious commands, steal cryptocurrency wallets, and deploy additional payloads such as Quasar RAT, PureCrypter, and PureHVNC. The malware spreads through cracked software, key generators, and torrent sites, affecting victims worldwide, including in South Korea. ViperSoftX maintains persistence through scheduled tasks that run obfuscated PowerShell scripts and commands stored in the registry.
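The Tomcat Manager activity described above is visible in the container's own access log before any exploitation happens, so it is a cheap thing to alert on. The script below is an added example, not code from GreyNoise or from the original briefing: it parses lines in Tomcat's default AccessLogValve pattern (`%h %l %u %t "%r" %s %b`), collects 401/403 responses on `/manager` and `/host-manager` paths, and flags both a single source exceeding a failure threshold inside a sliding window and the distributed shape of the reported campaign (many sources, few attempts each). The log lines, addresses and thresholds are constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Tomcat AccessLogValve default pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
MANAGER_PREFIXES = ("/manager", "/host-manager")

# Constructed sample log (not real traffic): one noisy source, three low-rate sources,
# one legitimate admin login and one unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2025:12:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [10/Jun/2025:12:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [10/Jun/2025:12:00:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [10/Jun/2025:12:00:05 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [10/Jun/2025:12:00:07 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [10/Jun/2025:12:00:09 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.21 - - [10/Jun/2025:12:00:10 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.22 - - [10/Jun/2025:12:00:11 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.23 - - [10/Jun/2025:12:00:12 +0000] "GET /manager/text/list HTTP/1.1" 403 1234
10.0.0.5 - admin [10/Jun/2025:12:01:00 +0000] "GET /manager/html HTTP/1.1" 200 19876
10.0.0.9 - - [10/Jun/2025:12:01:30 +0000] "GET /app/index.html HTTP/1.1" 404 512
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def manager_auth_failures(lines):
    """Map source IP -> sorted timestamps of 401/403 responses on Manager paths."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith(MANAGER_PREFIXES) and rec["status"] in (401, 403):
            failures[rec["ip"]].append(rec["ts"])
    for stamps in failures.values():
        stamps.sort()
    return failures


def detect_bruteforce(lines, per_ip_threshold=5, window_seconds=300, distributed_threshold=3):
    """Flag single-source brute force (>= per_ip_threshold failures inside a sliding
    window) and the distributed pattern (many distinct sources with Manager failures)."""
    failures = manager_auth_failures(lines)
    single_source = []
    for ip, stamps in failures.items():
        left = 0
        for right in range(len(stamps)):
            # shrink the window from the left until it spans <= window_seconds
            while (stamps[right] - stamps[left]).total_seconds() > window_seconds:
                left += 1
            if right - left + 1 >= per_ip_threshold:
                single_source.append(ip)
                break
    return {
        "single_source": sorted(single_source),
        "source_count": len(failures),
        "distributed": len(failures) >= distributed_threshold,
        "failures_per_ip": {ip: len(s) for ip, s in failures.items()},
    }


if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG.splitlines()))
```

The distributed check here counts distinct failing sources over the whole input; in production it should be windowed the same way as the per-IP check, and the thresholds tuned against your own baseline of Manager logins. A 200 on `/manager/html` from an address that was previously failing is the event worth paging on.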

New Threats

New threats this month include a malicious Python package, "psslib", typosquatting the legitimate "passlib" library to trigger forced shutdowns on Windows systems, posing risks to developer environments. Unit 42 uncovered cyberattacks on African financial institutions (cluster CL-CRI-1014), where threat actors use open-source tools like PoshC2 and Classroom Spy for access, persistence, and surveillance, later selling access on the dark web. Meanwhile, a critical zero-click AI vulnerability, EchoLeak (CVE-2025-32711), was found in Microsoft 365 Copilot, enabling silent data exfiltration via prompt injection—highlighting growing risks tied to LLM misuse in enterprise settings.

  • Socket discovered a malicious Python package named "psslib" that typosquats the legitimate "passlib" library. Published by the threat actor umaraq, the package forces a Windows system to shut down immediately when an incorrect password is supplied, exploiting developer trust in security libraries. The malicious code uses the `os` module to run the shutdown command, causing data loss and disruption. The command fails harmlessly on Linux and macOS, indicating an attack aimed at Windows development environments.
  • Unit 42 researchers have reported a series of cyberattacks targeting financial institutions in Africa, identified as cluster CL-CRI-1014. Attackers leverage open-source tools such as PoshC2, Chisel, and Classroom Spy to gain initial access to networks, which they then sell on the dark web. These threat actors disguise their tools as legitimate applications to evade detection and employ techniques like remote services and PsExec for lateral movement. The attackers use PowerShell scripts to deploy Classroom Spy, allowing them to monitor and control compromised systems. Additionally, they utilize methods like creating services and scheduled tasks to maintain persistence within the targeted environments.
  • Zscaler ThreatLabz researchers have identified a malware campaign using Black Hat SEO to manipulate search engine rankings for AI-related keywords, leading users to malicious websites designed to distribute malware like Vidar Stealer, Lumma Stealer, and Legion Loader. These sites exploit the popularity of AI tools, employing JavaScript to collect browser data and redirect victims through multiple layers to evade detection. The malware is often packaged in large installer files or password-protected ZIP archives to bypass security systems. Techniques such as browser fingerprinting and XOR encryption are utilized to obfuscate malicious activities, with the campaign linked to numerous deceptive domains and significant traffic since early 2025.
  • A new malware campaign tracked as EvilConwi is actively abusing ConnectWise’s ScreenConnect software to distribute signed malware. This follows earlier exploitation of CVE-2024-1708 and CVE-2024-1709 in February 2024. Threat actors leverage poor signing practices and Authenticode stuffing to embed malicious configurations into legitimate ConnectWise installers. Since March 2025, there has been a surge in infections involving maliciously signed ConnectWise samples. Victims often report symptoms such as fake Windows update screens and erratic mouse movement. Infection vectors typically begin with phishing emails linking to Canva pages or Facebook ads, which lead to the download of trojanized ConnectWise installers.
  • The Confucius APT group has introduced a new modular backdoor named Anondoor, aimed at enhancing its cyber-espionage capabilities. This sophisticated framework allows for the delivery of customized payloads while effectively evading traditional sandbox detection methods. Anondoor operates through a malicious .lnk file that downloads multiple payloads, including a C# DLL for the backdoor and a legitimate executable for execution. It collects detailed system information, such as OS version and IP addresses, and communicates with its C2 server using dynamic parameters to retrieve additional instructions.
  • CyberEye is a .NET-based RAT with modular features like keyloggers, file grabbers, and clipboard hijackers, leveraging Telegram for C2 operations. The malware disables Windows Defender using PowerShell and registry manipulations to evade detection. CyberEye's builder GUI allows attackers to customize payloads with minimal technical expertise. Anti-analysis mechanisms detect sandbox, virtual machine, or debugging environments, terminating the malware to avoid detection. Credential theft modules target browsers, extracting passwords, cookies, and credit card information using decryption techniques. Specific modules like TelegramGrabber, DiscordGrabber, and SteamGrabber steal session data from popular platforms.
  • Apple disclosed a zero-click vulnerability in its Messages app (CVE-2025-43200) that was exploited to target journalists with Paragon's Graphite spyware. This flaw, which allowed attackers to access sensitive data without user interaction, was patched on February 10. Notably, the spyware was used in sophisticated attacks against Italian journalist Ciro Pellegrino and another unnamed European journalist. Apple informed the victims of the targeted attacks, which were linked to state-sponsored entities. The spyware could be deployed via iMessages from a single Apple account, raising concerns about the misuse of such surveillance tools.
  • The TokenBreak attack exploits vulnerabilities in text classification models by manipulating tokenization strategies. Specifically, it targets models using BPE (Byte Pair Encoding) and WordPiece tokenizers, which are prone to false negatives, allowing malicious input to bypass detection. In contrast, models employing Unigram tokenization remain unaffected. The attack works by subtly altering input text, preserving its meaning while evading protective models. Testing showed that models like BERT and RoBERTa are susceptible, while DeBERTa-v2 and v3 are not. This divergence between detection models and target LLMs highlights a significant security concern in content moderation systems, as manipulated prompts can lead to successful prompt injections.
  • Proofpoint researchers uncovered an active account takeover campaign, UNK_SneakyStrike, leveraging the TeamFiltration pentesting tool to target Microsoft Entra ID accounts. The campaign exploited Microsoft Teams API, AWS servers, and applications like OneDrive and Outlook for user enumeration, password spraying, and data exfiltration. TeamFiltration, initially developed for legitimate penetration testing, has been weaponized for malicious activities, including persistent access via OneDrive and user account compromise. The UNK_SneakyStrike campaign has targeted over 80,000 accounts across 100 organizations since December 2024, using burst attacks and focusing on specific user subsets. The campaign’s primary source geographies include the U.S., Ireland, and Great Britain, with malicious activity linked to AWS-hosted IP addresses.
  • A critical zero-click AI vulnerability named EchoLeak was discovered in Microsoft 365 Copilot, allowing attackers to exfiltrate sensitive data without user interaction. The flaw was reported to Microsoft in January and assigned the CVE-2025-32711 identifier. Microsoft fixed the issue server-side in May, stating there was no evidence of real-world exploitation. The attack involves a malicious email containing a hidden prompt injection that bypasses security measures, tricking the LLM into extracting internal data when the user interacts with Copilot. This vulnerability highlights a new class of risks associated with large language models, known as 'LLM Scope Violation,' which can lead to silent data exfiltration in enterprise environments.
  • A new variant of the Chaos RAT, an open-source remote access trojan written in Golang and inspired by frameworks like Cobalt Strike and Sliver, is actively targeting both Windows and Linux systems. The malware provides a cross-platform administrative panel for payload generation, session management, and control of compromised machines. Chaos RAT is primarily distributed via phishing emails containing malicious links or attachments. Upon execution, it drops a script that modifies the "/etc/crontab" file to establish persistence by periodically fetching the malware. Early campaigns used Chaos RAT mainly for reconnaissance and information gathering, while deploying cryptocurrency miners like XMRig separately.
  • Cisco Talos identified PathWiper, a destructive wiper malware targeting Ukrainian critical infrastructure, attributed to a Russia-linked APT group. The attackers used a legitimate administrative framework to deploy malicious VBScript and execute the PathWiper executable. PathWiper overwrites storage media and file system artifacts, including MBR and NTFS attributes, with randomized data. The malware demonstrates similarities to HermeticWiper but utilizes more advanced drive enumeration and corruption techniques.
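The UNK_SneakyStrike activity above has a distinctive shape in Entra ID sign-in logs: one source address, many distinct users, one or two attempts each, inside a short burst. The Python below is an added example, not Proofpoint's or Microsoft's code; it runs that heuristic over a constructed list of sign-in records (the field names `ts`, `upn`, `ip`, `result` and `app` are an assumed, simplified schema, not the Entra export format) and reports any account that succeeded inside a spray window, which is the account to reset and hunt on first.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(ts, upn, ip, result):
    # Simplified, assumed sign-in record; real Entra exports carry many more fields.
    return {"ts": ts, "upn": upn, "ip": ip, "result": result, "app": "Microsoft Teams"}


# Constructed sample sign-ins (not real log data).
SAMPLE_SIGNINS = [
    # spray: six different users, one attempt each, from one address inside 70 seconds
    _ev("2025-06-10T02:00:01Z", "a.adams@example.com", "203.0.113.50", "failure"),
    _ev("2025-06-10T02:00:14Z", "b.baker@example.com", "203.0.113.50", "failure"),
    _ev("2025-06-10T02:00:27Z", "c.chen@example.com", "203.0.113.50", "failure"),
    _ev("2025-06-10T02:00:41Z", "d.diaz@example.com", "203.0.113.50", "failure"),
    _ev("2025-06-10T02:00:55Z", "e.evans@example.com", "203.0.113.50", "failure"),
    _ev("2025-06-10T02:01:09Z", "f.flores@example.com", "203.0.113.50", "success"),
    # one employee mistyping their own password, then signing in: not a spray
    _ev("2025-06-10T08:30:00Z", "g.gupta@example.com", "10.0.0.8", "failure"),
    _ev("2025-06-10T08:30:20Z", "g.gupta@example.com", "10.0.0.8", "failure"),
    _ev("2025-06-10T08:30:45Z", "g.gupta@example.com", "10.0.0.8", "success"),
    # one account hammered from one source: brute force, but not a spray
    _ev("2025-06-10T09:00:00Z", "h.hall@example.com", "198.51.100.9", "failure"),
    _ev("2025-06-10T09:00:05Z", "h.hall@example.com", "198.51.100.9", "failure"),
    _ev("2025-06-10T09:00:10Z", "h.hall@example.com", "198.51.100.9", "failure"),
    _ev("2025-06-10T09:00:15Z", "h.hall@example.com", "198.51.100.9", "failure"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Per source IP, slide a time window over its sign-ins and flag it when the window
    holds >= min_users distinct accounts with <= max_per_user attempts each (the
    'few attempts across many users' shape of a password spray). Any success inside
    such a window is reported as a probable compromise."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        left, best = 0, None
        for right in range(len(evs)):
            while parse_ts(evs[right]["ts"]) - parse_ts(evs[left]["ts"]) > window:
                left += 1
            win = evs[left:right + 1]
            per_user = defaultdict(int)
            for e in win:
                per_user[e["upn"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                best = {
                    "users_targeted": len(per_user),
                    "attempts": len(win),
                    "successes": sorted({e["upn"] for e in win if e["result"] == "success"}),
                }
        if best:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, f in detect_spray(SAMPLE_SIGNINS).items():
        print(ip, f)
```

Because the reported campaign rotated through AWS-hosted addresses, group by ASN or /24 as well as by exact IP before applying the window, otherwise a spray spread across many hosts stays under `min_users` per source. The per-user cap is what separates a spray from the single-account brute force in the third sample group.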

Related Threat Briefings

Mar 4, 2025

Cyware Monthly Threat Intelligence, February 2025

Google ramped up its defenses against the quantum threat. The company rolled out quantum-resistant digital signatures in Cloud KMS, following NIST’s post-quantum cryptography standards. Cyber defenders sharpened their tools this month, and EARLYCROW is the latest weapon against stealthy APT operations. This method detects C2 activity over HTTP(S) using a novel traffic analysis format called PAIRFLOW. PyPI adopted a "dead but not gone" approach to abandoned software with Project Archival, a new system that flags inactive projects while keeping them accessible. Developers will see warnings about outdated dependencies, helping them make smarter security choices and avoid relying on unmaintained code. China’s Salt Typhoon made itself right at home in global telecom networks. The group was caught using JumbledPath, a custom-built spying tool, to infiltrate ISPs in the U.S., Italy, South Africa, and Thailand. Russia’s Sandworm hackers are using pirated software as bait. Their latest attack on Ukrainian Windows users disguises malware inside trojanized KMS activators and fake Windows updates. CISA flagged major security holes in Microsoft Outlook and Sophos XG Firewall. One flaw allows remote code execution in Outlook, while another exposes firewall users to serious risks. A new payment card skimming campaign turned Stripe’s old API into a weapon. Hackers inserted malicious scripts into checkout pages, validating stolen card details through Stripe before exfiltration. A new malware named Ratatouille is stirring up trouble by bypassing UAC and using I2P for anonymous communications. Spreading through phishing emails and fake CAPTCHA pages, it tricks victims into running an embedded PowerShell script. A new version of ValleyRAT was also spotted, using stealthy techniques to infiltrate systems. Researchers found the malware being spread through fake Chrome downloads.

Feb 10, 2025

Cyware Monthly Threat Intelligence, January 2025

The U.K. took a proactive stance on cyber resilience with its Cyber Local initiative, injecting £1.9 million into 30 projects across England and Northern Ireland. The effort focuses on closing the cyber skills gap, fortifying small businesses, and supporting underrepresented groups. India tightened its grip on data privacy with new draft rules designed to give citizens more control over their personal information. The proposed regulations mandate clearer data processing disclosures, stricter security protocols, and swift breach reporting. Hackers turned to SparkRAT, an open-source Golang RAT, to target macOS users and government entities. Initially released in 2022, its modular design and cross-platform capability have made it a cybercriminal favorite. More than 10,000 WordPress sites were hijacked in a large-scale malware campaign delivering AMOS to macOS users and SocGholish to Windows users. Attackers exploited outdated plugins to inject fake browser update prompts. Lumma Stealer made its way through GitHub in a new malware campaign that abuses the platform’s release infrastructure. Attackers deployed malware like SectopRAT and Vidar, using secure-looking download links to exfiltrate data while evading detection. Cybercriminals deployed the Coyote banking trojan against financial firms in Brazil, using malicious Windows LNK files to execute PowerShell scripts. This malware established secure connections with C2 servers, enabling keylogging and data theft. A two-year-long phishing campaign targeted Microsoft’s advertising platform users through malicious Google Search ads. A Mirai-based botnet exploited zero-day vulnerabilities in industrial routers and smart home devices. With 15,000 active nodes daily, it launched high-intensity DDoS attacks surpassing 100 Gbps, posing a growing threat across multiple countries.

Jan 3, 2025

Cyware Monthly Threat Intelligence, December 2024

The cloud revolution isn’t just about convenience anymore; it’s now the frontline of defense. With CISA's new directive mandating cloud environment fortification, federal agencies face a race against time to safeguard Microsoft 365 and other services. Meanwhile, proposed updates to the HIPAA security rules push healthcare organizations toward stronger PHI protection with advanced technical controls and detailed incident planning. On the global front, Operation PowerOFF turned the tables on DDoS attackers, dismantling 27 illegal platforms and curbing festive-season chaos. The cyber battlefield sees no intermission as new threats take center stage. A phishing campaign, dubbed Aggressive Inventory Zombies (AIZ), exploited brand trust by mimicking retail giants and crypto platforms. Meanwhile, the resurrected BADBOX botnet has compromised 192,000 Android devices globally, sneaking into supply chains to wreak havoc with ad fraud and account abuse. Adding to the turbulence, Poison Ivy (APT-C-01) resurged, targeting critical sectors with advanced phishing techniques and deploying Sliver RAT to breach systems and steal sensitive data. This month, new threats targeted IoT, banking, and app ecosystems, with threat actors unleashing diverse attacks. Iranian hackers deployed IOCONTROL malware to compromise IoT and OT systems, targeting critical infrastructure like gas stations. Meanwhile, the DroidBot banking malware infiltrates cryptocurrency and banking apps across Europe, leveraging MaaS operations for tailored attacks. Adding to the chaos, SpyLoan malware apps, with over eight million installs, exploited users in South America, Southeast Asia, and Africa, highlighting the escalating risks within app marketplaces.

Dec 4, 2024

Cyware Monthly Threat Intelligence, November 2024

The TSA reshaped the cybersecurity landscape for pipeline and railroad operators with proposed rules mandating incident reporting and risk management plans. Estimated to cost $2.1 billion over the next decade, the rules aimed to address growing cyber threats while balancing flexibility with resilience. Meta dismantled a sprawling web of over two million accounts tied to pig butchering scams in Southeast Asia and the UAE. Africa’s cybercrime ecosystem faced a decisive blow with Operation Serengeti, as over 1,000 suspects were arrested, and 134,000 malicious networks taken offline. TAG-110, a Russia-aligned threat group, launched a cyber-espionage campaign targeting governments and organizations in Asia and Europe. Using malware like HATVIBE and CHERRYSPY, it aimed to monitor geopolitical developments and assert influence. A botnet powered by Ngioweb malware converted 35,000 IoT devices into residential proxies. These compromised devices, found largely in the U.S., were sold on platforms like NSOCKS for malicious purposes. Water Barghest compromised over 20,000 IoT devices by exploiting known vulnerabilities. The group used Shodan to identify targets and deployed Ngioweb malware to connect them to its monetized network. LIMINAL PANDA, a Chinese cyberespionage group, has been targeting telecoms in South Asia and Africa since 2020. Using tools like SIGTRANslator and PingPong, the group exploits telecom protocols to steal critical data while staying undetected. NodeStealer has resurfaced, targeting Facebook Ads Manager accounts to steal credit card details and browser credentials. It uses Windows Restart Manager and Python scripts to execute its attacks, with stolen data sent via Telegram. BabbleLoader, a stealthy malware loader, delivers WhiteSnake and Meduza stealers. Disguised as accounting software, it targets English and Russian speakers, evading antivirus systems with advanced techniques.