This week’s cybersecurity recap highlights sophisticated state-sponsored espionage campaigns by North Korea and Iran, targeting financial, technological, and critical infrastructure sectors globally. Additionally, emerging malware, supply chain attacks, and phishing campaigns continue to evolve, including AI-related threats using prompt injection techniques. #APT38 #IranianCyberThreats #ContagiousInterview #CVE-2025-5777 #RapperBot
State-Sponsored Cyber Espionage & Geopolitical Threats
- North Korean APT38 targets macOS: Lazarus Group’s subgroup APT38 uses Cosmic Rust malware to infiltrate financial sectors globally; its known C2 servers give defenders a starting point for threat hunting. APT38 Infrastructure Hunt Uncovers macOS Malware
- Iranian cyber threat escalation: Iranian APTs and hacktivists increase destructive and espionage operations using spear phishing, vulnerability exploits, and AI-enhanced tactics amid geopolitical tensions. Threat Brief: Escalation of Cyber Risk Related to Iran
- Educated Manticore targets Israeli tech academics: Iranian APT uses advanced phishing kits mimicking Google pages to harvest credentials and 2FA from Israeli targets. Iranian Educated Manticore Targets Leading Tech Academics
- CyberAv3ngers blends attacks and propaganda: Iranian-aligned group conducts cyberattacks alongside psychological campaigns targeting Iran-Israel conflict zones. CyberAv3ngers: Infrastructure Hacks & Propaganda
- Sysdig warns of Iranian state-sponsored attacks: APT35, APT33, and Pioneer Kitten pose increasing threats to cloud and Linux environments post U.S. strikes. Sysdig Threat Bulletin: Iranian Cyber Threats
- Russia-sponsored UNC6293 phishes critics of Russia: Targeted ASP phishing campaigns impersonate the U.S. State Dept to gain persistent mailbox access, mitigated by Google’s advanced protections. ASP_Phishing_Targets_Critics_of_Russia
- North Korean npm supply chain attacks: Contagious Interview campaign drops 35 malicious npm packages via LinkedIn social engineering for persistent keylogging and infostealing. North Korean Contagious Interview Campaign
- TAG-140’s updated DRAT remote access Trojan: DRAT V2, a Delphi-based RAT with enhanced execution and obfuscation, targets Indian government espionage efforts. DRAT V2: Updated DRAT Emerges in TAG-140’s Arsenal
Phishing Campaigns & Credential Theft
- Microsoft Entra ID OAuth phishing: Actor UTA0352 abuses the OAuth workflow to compromise Microsoft 365; the token abuse and device registration methods involved are analyzed for detection. Microsoft Entra ID OAuth Phishing and Detections
- CapCut phishing targets Apple users: Fake invoice emails steal Apple IDs and credit card data via two-stage phishing and refund scams. CapCut Con: Apple Phishing & Card-Stealing Refund Ruse
- SPID-themed phishing campaign in Italy: Attackers impersonate AgID requesting login credentials and identity document videos via a malicious site. New Phishing Campaign Themed SPID
- HoldingHands RAT targets Taiwan: Malware distributed through phishing emails posing as official government messages, with complex loaders alongside other malware. Threat Group Targets Companies in Taiwan
- XWorm and Katz Stealer via email storage abuse: Multi-stage malspam uses steganography and PowerShell obfuscation to deliver payloads through an Italian email provider. XWorm and Katz Stealer Distributed via Email Storage Space
Malware Developments & Advanced Persistent Threats
- GIFTEDCROOK malware evolves: UAC-0226 upgrades infostealer to exfiltrate sensitive Ukrainian military data via Telegram, using spear-phishing with themed PDFs. GIFTEDCROOK’s Strategic Pivot
- DeepSeek campaign delivers Sainbox RAT & rootkit: Fake Chinese software installers deploy stealthy malware attributed to Silver Fox group using MSI payloads. DeepSeek Deception: Sainbox RAT & Hidden Rootkit Delivery
- SparkKitty spyware targets mobile crypto wallets: iOS and Android malware exfiltrates images to compromise wallet seed phrases using advanced encryption and OCR. SparkKitty, SparkCat’s little brother
- Havoc RAT variant targets Middle East critical infrastructure: Modular RAT with in-memory execution disguised as conhost.exe enables remote control over Windows hosts. Dissecting a Malicious Havoc Sample
- Blind Eagle (APT-C-36) persists despite patches: Colombian sector attacks use WebDAV, Dynamic DNS, and Remcos RAT despite CVE-2024-43451 mitigations. Patch and Persist: Darktrace’s Detection of Blind Eagle
- PowerShell loaders deliver Cobalt Strike: Script-based shellcode loaders with API hashing and DLL injection connect to global C2 infrastructure, primarily in China and Russia. PowerShell Loaders Deploy Cobalt Strike
- ConnectWise abused for signed malware: Threat actors use Authenticode stuffing to evade AV by masking remote access malware with legitimate ConnectWise signatures. ConnectUnwise: Abusing ConnectWise as Builder
- RapperBot IoT botnet adds extortion: Botnet targets weak IoT devices, employing encrypted C2 with DNS-TXT record resolution, now demanding protection fees. RapperBot IoT Botnet Adds Extortion
Exploitation & Supply Chain Attacks
- CitrixBleed 2 vulnerabilities exploited: CVE-2025-5777 and CVE-2025-6543 actively exploited in Citrix NetScaler appliances, with urgent patching recommended to prevent session hijacking and DoS. CVE-2025-5777 & CVE-2025-6543: CitrixBleed 2 FAQ
- Pickai backdoor targets AI supply chain: Lightweight backdoor infecting ComfyUI framework steals AI data, uses process spoofing and rotating C2 domains affecting Rubick.ai and users. Pickai AI Backdoor Supply Chain Attack
- Malicious Python package typosquats passlib: Psslib forces Windows shutdown on wrong password, targeting developers reliant on legitimate passlib, highlighting supply chain risks. Malicious Python Package Typosquats Passlib
Web Exploits, SEO Abuse & Spam
- South Korean servers exploited using web shells: File upload flaws leveraged to deploy WogRAT, SuperShell, and MeshAgent malware on Windows/Linux with advanced persistence and lateral movement. Attacks Targeting South Korean Web Servers
- Black Hat SEO used to spread AI-themed malware: Zscaler uncovered campaigns poisoning search results to distribute Vidar, Lumma, and Legion loaders via complex redirections and fingerprinting. Black Hat SEO Poisoning for AI Malware Distribution
- Hidden spam pages on WordPress sites: Attackers brute force admin access to insert spam for blackhat SEO, using malicious plugins to persist and evade detection. The Case of Hidden Spam Pages
Criminal Infrastructure & Tools Abuse
- African financial sector targeted with open-source tools: CL-CRI-1014 group uses PoshC2, Chisel, Classroom Spy, and evasion tactics to compromise institutions and offer access on dark web markets. Cybercriminals Abuse Open-Source Tools in Africa
- Top June 2025 cyberattacks leverage public platforms: GitHub abuse, obfuscated scripts and multi-stage malware like Braodo Stealer and Remcos highlight evolving attack vectors and detection tools. Top 3 Cyber Attacks in June 2025
Emerging Techniques & AI-related Threats
- Malware prototype uses prompt injection: Skynet strain attempts AI prompt injection to evade detection and manipulate reverse engineering tools, signaling future AI-targeted evasion methods. In the Wild: Malware Prototype with Embedded Prompt Injection