Stealth Falcon deploys Horus Agent against government and defense entities for espionage
In March 2025, Check Point researchers discovered a campaign orchestrated by the Stealth Falcon advanced persistent threat group targeting government and defence entities in Turkey, Qatar, Egypt, and Yemen. The attack leveraged a URL file that exploited a zero-day vulnerability, tracked as CVE-2025-33053, to execute malware from an actor-controlled WebDAV server. Stealth Falcon deploys custom implants based on the Mythic framework, which are either derived from existing Mythic agents or are the group's own Horus Agent. Initial infection was likely via spear phishing emails carrying the URL file in an archived attachment disguised as a PDF. The URL file launches a legitimate Internet Explorer diagnostics utility while silently causing that utility to load code from the attacker-controlled WebDAV server, so that the trusted utility ends up executing a malicious program. The executable is a multi-stage loader, dubbed Horus Loader, that opens a decoy PDF and deploys Horus Agent. CVE-2025-33053 was patched as part of Microsoft’s June 2025 Patch Tuesday.
Operation Enigma targets Brazilian users with malicious Chrome extensions
Since early 2025, Positive Technologies researchers have observed a phishing campaign, dubbed Operation Enigma, leveraging malicious browser extensions to target Brazilian users. The emails are disguised as invoices and prompt recipients to download a file via a link or open a malicious attachment within an archive. Several file formats are used, including a BAT file that downloads and executes a malicious PowerShell script, an Inno Setup installer that runs a PowerShell script, or an MSI file that installs malicious Google Chrome, Microsoft Edge, or Brave browser extensions. The malicious extensions also collect basic system information that is sent to the C2 server. The extensions contain several JS files and a manifest file, with URL patterns that suggest the extensions belong to Banco do Brasil. Other variations of the attack deploy remote access tools such as Mesh Agent and PDQ Connect Agent instead of the malicious extension.
Operation DRAGONCLONE targets Chinese telecommunications industry with VELETRIX and VShell
Since March 2025, Seqrite researchers have observed an ongoing campaign, dubbed Operation DRAGONCLONE, targeting the Chinese telecommunications company China Mobile Tietong with the VELETRIX loader and VShell malware. The malware is delivered via a multi-stage infection chain that begins with a malicious ZIP file containing various files, with DLL sideloading used against Wondershare Repairit software. Once installed, VELETRIX plays a beep noise to evade automated sandbox analysis and utilises the NtDelayExecution technique to delay execution and avoid detection. VELETRIX then uses DLL sideloading, IPFuscation, and code injection via a callback mechanism to install VShell in memory and establish C2 communication with the operator. The researchers observed infrastructure overlaps with the China-linked threat actors UNC5174 and Earth Lamia.
UNK_SneakyStrike ATO campaign leverages TeamFiltration to target Microsoft Entra ID accounts
Proofpoint researchers discovered an active account takeover (ATO) campaign, tracked as UNK_SneakyStrike, using the TeamFiltration pentesting framework to target Microsoft Entra ID user accounts. Since December 2024, the campaign has targeted more than 80,000 accounts across roughly 100 cloud tenants, resulting in multiple cases of successful account takeover. The attackers leverage the Microsoft Teams API and Amazon Web Services servers located in various geographical regions to launch user-enumeration and password spraying attempts, with the United States, Ireland, and the UK being the main sources of malicious activity. TeamFiltration was created in January 2021 and helps automate several tactics, techniques, and procedures. The tool provides multiple features, including account enumeration, password spraying, data exfiltration, and backdooring via OneDrive.
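As an added defender-side example (not from the Proofpoint report or the TeamFiltration project), the following Python flags the two behaviours described above, user enumeration and password spraying, in Entra ID sign-in events: a source IP that fails against many distinct accounts with only a few attempts each inside a time window, and a source IP that generates many "user not found" responses. The log shape is a simplified, constructed approximation of the Entra sign-in export; the thresholds are illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Entra ID sign-in error codes: AADSTS50126 invalid username or password,
# AADSTS50034 user account not found in the tenant (useful for spotting enumeration)
INVALID_PASSWORD, USER_NOT_FOUND = 50126, 50034

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect_spray(events, window_minutes=60, min_users=20, max_per_user=3):
    """Flag source IPs that fail against many distinct accounts with only a few
    tries each inside a sliding window. Returns {ip: (distinct_users, failures)}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["status"]["errorCode"] == INVALID_PASSWORD:
            by_ip[e["ipAddress"]].append((_ts(e["createdDateTime"]), e["userPrincipalName"]))
    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while (rows[end][0] - rows[start][0]).total_seconds() > window_minutes * 60:
                start += 1
            per_user = defaultdict(int)
            for _, upn in rows[start:end + 1]:
                per_user[upn] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if ip not in findings or len(per_user) > findings[ip][0]:
                    findings[ip] = (len(per_user), end - start + 1)
    return findings

def detect_enumeration(events, min_unknown=20):
    """Flag source IPs producing many 'user not found' responses (username probing)."""
    counts = defaultdict(int)
    for e in events:
        if e["status"]["errorCode"] == USER_NOT_FOUND:
            counts[e["ipAddress"]] += 1
    return {ip: n for ip, n in counts.items() if n >= min_unknown}

# Constructed sample events in a simplified Entra sign-in log shape (not real data)
def _ev(minute, upn, ip, code):
    return {"createdDateTime": f"2025-06-09T10:{minute:02d}:00Z", "userPrincipalName": upn,
            "ipAddress": ip, "status": {"errorCode": code}}

SAMPLE = (
    [_ev(i, f"user{i:02d}@tenant.example", "203.0.113.10", INVALID_PASSWORD) for i in range(30)]  # spray
    + [_ev(i, f"ghost{i:02d}@tenant.example", "203.0.113.10", USER_NOT_FOUND) for i in range(25)]  # probing
    + [_ev(i, "alice@tenant.example", "198.51.100.7", INVALID_PASSWORD) for i in range(5)]  # one user, not spray
)
```

A single user failing repeatedly from one address (the alice events) is not reported, which keeps the rule focused on the low-and-slow, many-accounts pattern rather than ordinary mistyped passwords.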
GhostVendors scam campaign leverages Facebook Marketplace ads to impersonate major brands
Silent Push researchers discovered a fake marketplace scam campaign, dubbed GhostVendors, that has exploited more than 4,000 fraudulent domains to impersonate major brands and defraud consumers. The campaign abuses Facebook Marketplace ads and Meta’s Ad Library policy to promote scam offers, which are run temporarily before being taken down. The scam also uses domain generation algorithms to quickly create and abandon the scam sites. One observed Facebook Marketplace ad, using the name ‘Millaeke’, impersonated Milwaukee Tools and offered fake tool products. The page was observed running multiple ads, though after five days, all of the ads were removed from the Meta Ad Library. The researchers identified multiple other examples of Facebook Marketplace ads, operating under the names ‘Rabx-B’, ‘Tools Clearence’, and ‘Holiday Celebration Sale’, from the same threat actor and promoting domains that matched previous content fingerprinting.
Ransomware
BlackSuit Continues Social Engineering Attacks in Wake of Black Basta’s Internal Conflict – Rapid7 – Jun 10 2025
DarkGaboon Targets Russian Companies with Advanced Tactics, Deploys LockBit Ransomware – TechNadu – Jun 09 2025
Mapping Hidden Alliances in Russian-Affiliated Ransomware – CTI Grapevine – Jun 06 2025
Critical Fortinet flaws now exploited in Qilin ransomware attacks – Bleeping Computer – Jun 06 2025
Qilin Ransomware Allegedly Targets 11 International Organizations – Daily Dark Web – Jun 06 2025
KELA Report – Unveiling Black Basta’s Use of PhaaS Platforms – Threat Reports – KELA – Jun 04 2025
Financial Services
Five Men Plead Guilty for Their Roles in Global Digital Asset Investment Scam Conspiracy Resulting in Theft of More than $36.9 Million from Victims – JusticeGov – Press Release – Jun 09 2025
Over 20 Malicious Crypto Wallet Apps Found on Google Play, CRIL Warns – The Cyber Express – Jun 09 2025
From Nuisance to Strategic Threat: DDoS Attacks Against the Financial Sector – Threat Reports – FS-ISAC – Jun 09 2025
Everest Ransomware Group Allegedly Publishes Full Data Leak of Jordan Kuwait Bank – Daily Dark Web – Jun 05 2025
Phishing e-mail that hides malicious link from Outlook users (Wed, Jun 4th) – DShield – Jun 04 2025
Geopolitics
Sleep with one eye open: how Librarian Ghouls steal data by night – Kaspersky Lab – Jun 09 2025
Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets – SentinelLabs – Jun 09 2025
Android Spyware Alert! Fake government app targeting Android users in India! – K7 Security Labs – Jun 05 2025
Newly identified wiper malware “PathWiper” targets critical infrastructure in Ukraine – Cisco Talos Blog – Jun 05 2025
BladedFeline: Whispering in the dark – WeLiveSecurity – Jun 05 2025
High Priority Vulnerabilities
Name | Software | Base Score | Temp Score | Related
---|---|---|---|---
CVE-2025-33053 | Windows | 8.8 | 8.4 | Microsoft patches actively exploited zero-day flaw
CVE-2025-24016 | Wazuh | 9.9 | 6.0 | Two Botnets, One Flaw: Mirai Spreads Through Wazuh Vulnerability
CVE-2024-3721 | DVR-4216 | 6.3 | 5.7 | Analysis of the latest Mirai wave exploiting TBK DVR devices with CVE-2024-3721
CVE-2024-42009 | RoundCube | 9.3 | 3.4 | UNC1151 exploiting Roundcube to steal user credentials in a spearphishing campaign
CVE-2017-0199 | Office | 7.8 | 6.0 | Phishing campaign exploits Microsoft Office flaw and Excel files to deliver FormBook