
Behind every security alert is a bigger story. Sometimes it’s a system being tested. Sometimes it’s trust being lost in quiet ways—through delays, odd behavior, or subtle gaps in control.
This week, we’re looking beyond the surface to spot what really matters. Whether it’s poor design, hidden access, or silent misuse, knowing where to look can make all the difference.
If you’re responsible for protecting systems, data, or people—these updates aren’t optional. They’re essential. These stories reveal how attackers think—and where we’re still leaving doors open.
⚡ Threat of the Week
Google Releases Patches for Actively Exploited Chrome 0-Day — Google has released Google Chrome versions 137.0.7151.68/.69 for Windows and macOS, and version 137.0.7151.68 for Linux to address a high-severity out-of-bounds read and write vulnerability in the V8 JavaScript and WebAssembly engine that it said has been exploited in the wild. Google credited Clement Lecigne and Benoît Sevens of Google Threat Analysis Group (TAG) with discovering and reporting the flaw on May 27, 2025. “Out-of-bounds read and write in V8 in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page,” according to a description of the flaw. It’s currently not known how the flaw is being exploited in the wild, although it’s likely to be highly targeted in nature.
🔔 Top News
PathWiper Used in Attack on Ukraine — An unnamed critical infrastructure entity within Ukraine was targeted by a previously unseen data wiper malware named PathWiper, which shares similarities with another wiper codenamed HermeticWiper that was used by the Russia-linked Sandworm hacking group at the outset of the Russo-Ukrainian war in early 2022. “The attack was instrumented via a legitimate endpoint administration framework, indicating that the attackers likely had access to the administrative console, which was then used to issue malicious commands and deploy PathWiper across connected endpoints,” Cisco Talos said.
BladedFeline Targets Iraq with Whisper and Spearal Malware — An Iran-aligned hacking group dubbed BladedFeline has been attributed to a new set of cyber attacks targeting Kurdish and Iraqi government officials in early 2024. BladedFeline, believed to be active since at least September 2017, is suspected to be a sub-cluster within OilRig, a well-known state-sponsored threat actor that’s assessed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS) and that has been operational for over a decade. The attacks leverage an as-yet-undetermined initial access vector to deliver backdoors like Whisper (aka Veaty), Spearal, and Optimizer.
Vishing Group UNC6040 Targets Salesforce with Fake Data Loader App — A previously undocumented threat actor known as UNC6040 has leveraged voice phishing techniques reminiscent of Scattered Spider to breach targets of interest by posing as IT support personnel and tricking employees into installing a modified version of Salesforce’s Data Loader app in order to obtain unauthorized access to their Salesforce data and exfiltrate it. The attacks are said to overlap with a loose-knit cybercrime collective known as The Com, of which the Scattered Spider threat actor is a part. Salesforce said the observed incidents primarily relied on manipulating end users, and that they did not involve the exploitation of any security vulnerability in its systems.
Chrome to Distrust Certs Issued by Chunghwa Telecom and Netlock — Google’s Chrome security team has announced plans to distrust digital certificates issued by Chunghwa Telecom and Netlock citing “patterns of concerning behavior observed over the past year.” The changes are expected to be introduced in Chrome 139, which is scheduled for public release in early August 2025. “Over the past several months and years, we have observed a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports,” Google said. “When these factors are considered in the aggregate and considered against the inherent risk each publicly-trusted CA poses to the internet, continued public trust is no longer justified.” It’s worth noting that Apple has already moved to distrust root CA certificate “NetLock Arany (Class Gold) Főtanúsítvány” effective November 15, 2024.
Android Trojan Crocodilus Broadens Focus Beyond Spain and Turkey — A nascent Android banking trojan called Crocodilus is stealthily spreading onto Android devices around the world via fake banking apps, phony browser updates, and malicious ads promising fake rewards. While early campaigns mainly targeted Android users in Turkey, the malware has surfaced on devices in Poland, Spain, South America, and parts of Asia, signaling a sharp uptick in both its reach and sophistication. The malware now includes the ability to create new contacts in the victim’s address book, likely for social engineering, and to automatically harvest cryptocurrency wallet seed phrases from infected Android devices. Crocodilus is the latest reminder of malware authors continuing to adapt and trying to find new ways to get around Google’s defenses and infect Android devices, even as Google has been constantly adding a steady stream of new security features to counter the rising tide of malware faced by the ecosystem. Intel 471, in a report last week, highlighted an increase in Android malware incorporating hidden virtual network computing (HVNC), keylogging, and remote control functionalities, and a decrease in web injects. “While web injects remain at moderate levels, keyloggers that exploit Android’s accessibility services have become increasingly popular for harvesting sensitive data,” the company said. “Once this information is collected, malware operators often deploy HVNC to reconstruct the infected device’s screen on the server side, providing a real-time view of the victim’s activity.” This spike has also been complemented by a growing number of malware strains that are capable of bypassing Android 13 accessibility restrictions for sideloaded apps.
🔥 Trending CVEs
Attackers love software vulnerabilities – they’re easy doors into your systems. Every week brings fresh flaws, and waiting too long to patch can turn a minor oversight into a major breach. Below are this week’s critical vulnerabilities you need to know about. Take a look, update your software promptly, and keep attackers locked out.
This week’s list includes — CVE-2025-20286 (Cisco Identity Services Engine), CVE-2025-49113 (Roundcube), CVE-2025-5419 (Google Chrome), CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 (Qualcomm), CVE-2025-37093 (HPE StoreOnce), CVE-2025-48866 (ModSecurity WAF), CVE-2025-25022 (IBM QRadar Suite), CVE-2025-22243 (VMware NSX Manager), CVE-2025-24364, CVE-2025-24365 (Vaultwarden), and CVE-2024-53298 (Dell PowerScale OneFS).
📰 Around the Cyber World
SentinelOne Blames Outage on Software Flaw — American cybersecurity company SentinelOne revealed that a massive outage that took place on May 29, 2025, and lasted about seven hours was triggered by a software flaw that caused network routes and DNS resolver rules to be deleted. The outage affected multiple customer-facing services in what the company described as a global service disruption. “During this period, customer endpoints remained protected, but security teams were unable to access the management console and related services, which significantly impacted their ability to manage their security operations and access important data,” it said. The root cause of the issue, it added, was a “software flaw in an infrastructure control system that removed critical network routes, causing widespread loss of network connectivity within the SentinelOne platform.”
Nigeria Jails 9 Chinese Nationals for Being Part of a Cybercrime Syndicate — The Federal High Court of Nigeria convicted nine Chinese nationals and sentenced them each to a year in prison for their roles in a cybercrime syndicate that allegedly involved training and recruiting young Nigerians to commit online fraud such as romance baiting scams. The individuals were arrested in December 2024 as part of an operation codenamed Eagle Flush, which resulted in the arrest of 599 Nigerians and 193 other foreign nationals, many of them Chinese, on suspicion of being involved in a range of online crimes and frauds. In February 2025, several Chinese and Filipino nationals were arraigned on charges of cyber-terrorism, possession of documents containing false pretense, and identity theft. They are said to be among the 792 cryptocurrency investment and romance fraud suspects arrested in December 2024. China’s ambassador to Nigeria, Yu Dunhai, has proposed sending a working group to Nigeria to work with the country’s law enforcement agencies to dismantle Chinese cybercrime rings engaging in telecom frauds. “I can assure you […] that we have zero tolerance for this kind of crime. The Chinese government has always been committed to countering cybercrime and telecom frauds,” said Dunhai.
Bogus Airdrops Target Hashgraph Network Users — The U.S. Federal Bureau of Investigation (FBI) warned that scammers are targeting Hedera Hashgraph network users through the NFT airdrop feature embedded in non-custodial wallets to steal cryptocurrency using free rewards as lures. “The Hedera Hashgraph is the distributed ledger used by Hedera. The airdrop feature was originally created by the Hedera Hashgraph network for marketing purposes; however, cybercriminals can exploit this tactic to collect victim data to steal cryptocurrency,” the FBI said. The agency further noted that cyber criminals may advertise the malicious phishing URLs for fraudulent NFT airdrop rewards tokens on social media or through a third-party website. Alternatively, the threat actors may also send an email with a booby-trapped link that, when clicked, requests the victim to enter their credentials to collect the free tokens. However, this action allows them to gain unauthorized access to the wallets and drain the funds.
Threat Actors Use Fake Caching Plugin to Steal WordPress Admin Credentials — Bad actors have been found leveraging a bogus WordPress caching plugin named wp-runtime-cache to harvest admin credentials and exfiltrate them to an external server (“woocommerce-check[.]com”) that masquerades as WooCommerce, an open-source e-commerce plugin for WordPress. While it’s currently not clear how the attackers managed to compromise the site, typical methods involve exploitation of known security flaws in plugins and themes, or stolen admin credentials (which is unlikely to be the case in this attack, given that the credentials are only exfiltrated to the attackers after infection). “As demonstrated here, once an attacker has gained access to a site it can be quite easy to hide their malicious activities,” Sucuri said. “This attack highlights the importance of auditing your site’s plugins and users, and maintaining updated admin passwords.”
Chinese Hackers Breached U.S. Telecom Company in Summer 2023 — Chinese hackers broke into the systems of an unnamed U.S. telecommunications company in the summer of 2023 and stayed there for seven months before the breach was discovered, Bloomberg reported. The intrusion has been attributed to Salt Typhoon, which attracted attention late last year for its targeting of U.S. telecom firms. The incident indicates that Chinese attackers penetrated the U.S. communications system earlier than publicly known. China, however, denied the allegations, urging relevant parties to “stop spreading all kinds of disinformation about the so-called Chinese hacking threats.”
German Data Protection Watchdog Fines Vodafone — Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI) imposed two fines totaling €45 million ($51.4 million) on Vodafone for privacy and security violations. “Due to malicious employees in partner agencies who broker contracts to customers on behalf of Vodafone, there had been fraud cases due to fictitious contracts or contract changes at the expense of customers, among other things,” BfDI said. Of the €45 million penalty, €30 million was imposed for security issues in the authentication process associated with MeinVodafone (“My Vodafone”) and its Vodafone Hotline. “The identified authentication vulnerabilities enabled, among other things, unauthorized third parties to access eSIM profiles,” authorities said. Vodafone has updated its systems to mitigate such risks in the future, the BfDI added.
NSO Group Appeals $168 Million Damages to WhatsApp — Spyware vendor NSO Group has appealed a jury’s decision requiring it to pay about $168 million in damages to WhatsApp, saying the award is unlawful. The order was announced last month, more than five years after a lawsuit was filed over NSO Group’s alleged role in facilitating government spying on 1,400 mobile devices belonging to journalists, human rights activists, and political dissidents. According to NSO Group, WhatsApp should not be awarded more than $1.77 million. “The most plausible explanation for the oddly specific amount of the punitive damages award is that the jury chose that amount in an attempt to bankrupt NSO,” the Israeli company’s filing said. “The jury’s award comes close to wiping out all of NSO’s current ‘assets.’”
Mozilla Debuts New System to Flag Cryptocurrency Drainer Add-ons — Mozilla said it’s developed an “early detection system” to detect and block scam crypto wallet extensions before they gain popularity among users and are used to steal users’ assets by tricking them into entering their credentials. “The first layer of defense involves automated indicators that determine a risk profile for wallet extensions submitted to AMO [addons.mozilla.org],” Mozilla said. “If a wallet extension reaches a certain risk threshold, human reviewers are alerted to take a deeper look. If found to be malicious, the scam extensions are blocked immediately.”
iPhone Zero-Click Campaign Targets Users in Europe and the U.S. — Mobile research company iVerify revealed that it found evidence of anomalous activity on iPhones belonging to individuals affiliated with political campaigns, media organizations, A.I. companies, and governments operating in the European Union and the United States. It said it detected “exceedingly rare crashes” that are traditionally associated with sophisticated zero-click attacks via iMessage using a previously undocumented vulnerability in the “imagent” process to carry out post-exploitation actions. The vulnerability has been codenamed NICKNAME. The issue, observed in iOS versions up to 18.1.1, was patched in version 18.3.1 released in January 2025. “The bug involves a race condition in how iOS processes ‘Nickname Updates,’ the feature that allows users to share personalized contact information with their iMessage contact,” iVerify said. It’s said that the shortcoming was exploited in targeted attacks as recently as March 2025, prompting Apple to send a threat notification to at least one device belonging to a senior government official in the E.U. on which the crash was observed. In total, six devices are believed to have been targeted by the unknown threat actor, two of which exhibited “clear signs of successful exploitation.” What makes the activity notable is that all the identified victims were previously targeted by the China-linked Salt Typhoon hacking group. In a statement shared with Axios, Apple acknowledged the fix, but disputed that it was ever used in a malicious context. It described it as a “conventional software bug that we identified and fixed in iOS 18.3” and said that “iVerify has not responded with meaningful technical evidence supporting their claims, and we are not currently aware of any credible indication that the bug points to an exploitation attempt or active attack.”
South Korea Targeted by ViperSoftX to Steal Crypto — Threat hunters have disclosed a new malware campaign that employs cracked software or key generators for legitimate software as lures to distribute a known stealer malware called ViperSoftX, alongside other malware families such as Quasar RAT, PureCrypter, PureHVNC, and a cryptocurrency clipper. “The ViperSoftX threat actor installs various PowerShell scripts in infected systems and uses them to download additional payloads,” AhnLab said. “This allows them to receive commands from the threat actor and perform various malicious behaviors.”

U.S. State Department Offers $10M for Info About RedLine Developers — The U.S. State Department has announced rewards of up to $10 million for information on individuals affiliated with the RedLine information stealer, which suffered a law enforcement crackdown in October 2024. This could include foreign government-linked associates of Maxim Alexandrovich Rudometov, or their malicious cyber activities, or foreign government-linked use of the stealer. Rudometov was charged by the U.S. Justice Department last year for his alleged role as the developer and for marketing the malware-as-a-service (MaaS) on underground forums such as Russian Market, which has emerged as one of the most popular platforms for buying and selling credentials stolen by information stealer malware. Also known by the aliases, “dendimirror,” “alinchok,” “ghackihg,” “makc1901,” “navi_ghacking,” and “bloodzz.fenix,” Rudometov is believed to have fled from the Luhansk region of Ukraine where he was born to Krasnodar, Russia, following the Russian invasion of Ukraine in February 2022. The development comes weeks after the disruption of another notorious information stealer named Lumma last month by law enforcement and private-sector companies. According to ReliaQuest, Lumma accounted for nearly 92% of Russian Market credential log alerts in Q4 2024, putting it way ahead of its peers RedLine, StealC, Raccoon, Vidar, RisePro, and a new stealer referred to as Acreed. “In Q1 2025, Acreed surpassed every established infostealer in terms of Russian Market alert attribution, ranking second only to giant Lumma,” the company said. “Since the law enforcement takedown of Lumma in mid-May 2025, Acreed is perfectly positioned to rapidly gain traction as cybercriminals seek alternatives.”
Apple Allegedly Gave Governments Data on 1000s of Push Notifications — Apple provided governments around the world with data related to thousands of push notifications sent to its devices, according to a report published by 404 Media. The data for the first time puts a concrete figure on how many requests governments around the world are making for push notification data from Apple (and Google). The practice first came to light in late 2023 when Senator Ron Wyden sent a letter to the U.S. Department of Justice, demanding more transparency into the practice. “The data these two companies receive includes metadata, detailing which app received a notification and when, as well as the phone and associated Apple or Google account to which that notification was intended to be delivered,” the letter read. “In certain instances, they might also receive unencrypted content, which could range from backend directives for the app to the actual text displayed to a user in an app notification.”
China Accuses Taiwan of Running 5 APT Groups with U.S. Help — China’s National Computer Virus Emergency Response Center (CVERC) has accused Taiwan’s Democratic Progressive Party (DPP) of sponsoring five advanced persistent threat (APT) groups to conduct cyber espionage attacks against government and public service entities, research institutions, universities, defense technology and industry entities, and foreign affairs agencies located in mainland China. “Their primary goal is to steal and sell sensitive intelligence, including important diplomatic policies, defense technology, cutting-edge scientific achievements, and economic data, to anti-China forces abroad,” CVERC claimed in a report titled Operation Futile. “They even attempt to disrupt social order and create chaos.” The groups, overseen by Taiwan’s Information, Communications and Electronic Force Command (ICEFOM), include APT-C-01 (aka Poison Vine or GreenSpot), APT-C-62 (aka Viola Tricolor), APT-C-64 (aka Anonymous 64), APT-C-65 (aka Neon Pothos), and APT-C-67 (aka Ursa). It also claimed that APT-C-67’s campaigns are geared towards collecting geographic intelligence, while stating APT-C-01 has “close ties” with the U.S. Cyber Command and that it focuses on “hunt forward” operations. The report coincided with China issuing warrants for 20 Taiwanese people that it said carried out hacking missions in the Chinese mainland on behalf of the island’s ruling party.
Colombian Cyber Criminals Linked to Vehicle Insurance Scams — Cybercriminals from Colombia have been attributed to a scam that involves creating a network of over 100 fake websites to deceive users seeking damage-precautionary and mandatory vehicle insurance. The intent is to lend the sites a veneer of legitimacy, exploit users’ trust, and convince them to make payments to “activate” their insurance. The scheme employs ads on Facebook, urging users to engage with the threat actors on WhatsApp. “The scammers redirect them to a fake website posing as a legitimate car insurance provider,” Group-IB said. “The site nudges users to enter their vehicle registration number, initiating a process that feels remarkably authentic. The scam’s effectiveness lies in validating the vehicle’s insurance status. The site denies the purchase if the insurance is still active, reinforcing its credibility as a legitimate service. However, if the insurance has expired, the site displays accurate vehicle details, making it almost impossible for users to suspect foul play.” It’s believed that the threat actors extract the vehicle status from public databases and government sites.
German Authorities Dox Leader of TrickBot — Germany’s Federal Criminal Police Office (aka Bundeskriminalamt or BKA) has outed Russian national Vitaly Nikolaevich Kovalev as the founder and leader of the TrickBot (aka Wizard Spider) cybercrime gang. Kovalev was recently added to the E.U. Most Wanted list in connection with a law enforcement operation that led to the takedown of about 300 servers worldwide and neutralization of 650 domains last month. The development comes as a mysterious leaker calling themselves GangExposed revealed the key figures behind the Conti and TrickBot ransomware crews, including Conti’s lead negotiator Arkady Valentinovich Bondarenko. In a statement to The Register, the leaker said the actions are part of their “fight against an organized society of criminals known worldwide.”
🎥 Cybersecurity Webinars
Hackers Are Hiding in Trusted Sites — Learn to Spot LOTS Attacks: Hackers aren’t breaking in—they’re blending in. In this live webinar, Zscaler’s top threat hunters will show how attackers are hiding inside trusted sites and tools to stay invisible. You’ll hear real stories from the front lines, learn what threats are trending right now, and get clear, practical tips to spot and stop stealth attacks before they spread. If you care about catching what your security tools are missing, don’t miss this.
Every AI Agent Has a Secret Identity — Learn How to Find It Before Attackers Do: AI agents are reshaping how businesses operate—but behind every agent is a hidden identity risk. From service accounts to API keys, these Non-Human Identities (NHIs) have deep access yet often go unmanaged and unmonitored. In this webinar, you’ll uncover how attackers are targeting these invisible identities and learn practical steps to secure them before they become your biggest blind spot.
🔧 Cybersecurity Tools
InterceptSuite: A tool that intercepts and inspects encrypted traffic from any app—not just web browsers. Built for deep visibility into TLS traffic across protocols, it gives security pros the power to analyze what traditional HTTP-only tools can’t see.
Malware Detection System: A multi-layered system that detects malicious websites using static analysis, dynamic behavior monitoring, and threat intelligence APIs. It flags threats like phishing, malware, obfuscated scripts, and hidden content for real-time, accurate detection.
Disclaimer: These newly released tools are for educational use only and haven’t been fully audited. Use at your own risk—review the code, test safely, and apply proper safeguards.
🔒 Tip of the Week
Block Malware Tactics Before They Start — Turn On ASR Rules → Most modern malware doesn’t rely on viruses—it abuses trusted tools like Word, Excel, and PowerShell to silently run in the background. Microsoft Defender’s built-in Attack Surface Reduction (ASR) rules stop these attacks by blocking dangerous actions like macros launching scripts or unknown apps accessing sensitive system parts.
Here’s how you can enable ASR protection in minutes:
Home & Power Users: Download ConfigureDefender — a safe, free tool that lets you enable all key ASR rules with just a few clicks. Open the app, choose the “High” or “Max” profile, and click “Apply Settings”. That’s it—your system is now protected against many common malware techniques.
Advanced Users or IT Admins: Use this PowerShell command to enable a critical ASR rule:
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
This one blocks Office apps from launching child processes—a common trick in ransomware delivery.
ASR rules don’t just block known malware—they shut down entire categories of risky behavior. They’re free, lightweight, and already built into Windows 10/11 Pro or Enterprise. Turning them on can prevent threats your antivirus may never catch.
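The same rule, worked through the way an admin would roll it out, as an added example rather than the newsletter’s own script: set it to audit mode first, review the Defender event log for what the rule would have blocked, then enforce it. It assumes an elevated PowerShell session on Windows 10/11 Pro or Enterprise with Microsoft Defender Antivirus as the active AV; the helper function names are my own.

```powershell
# Added example, not part of the original newsletter.
# Assumes an elevated PowerShell session on Windows 10/11 Pro/Enterprise with
# Microsoft Defender Antivirus active. The GUID is the rule from the tip above:
# "Block all Office applications from creating child processes".
$RuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# Numeric action codes as reported by Get-MpPreference
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }

# Look up how one ASR rule is currently configured on this machine.
function Get-AsrRuleState {
    param([string]$Id)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) {
            $code = [int]$acts[$i]
            if ($ActionNames.ContainsKey($code)) { return $ActionNames[$code] }
            return "Unknown($code)"
        }
    }
    return 'NotConfigured'
}

# Pull recent ASR events for one rule from the Defender operational log.
# Event 1121 = action blocked, 1122 = would have been blocked (audit mode).
function Get-AsrEvents {
    param([string]$Id, [int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $Id } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1121) { 'Blocked' } else { 'Audited' }
            Message = ($_.Message -split "`n")[0]
        }
    }
}

# Step 1: audit first. Nothing is blocked yet, but Defender logs every
# Office child-process launch the rule would have stopped.
"Before: rule $RuleId is $(Get-AsrRuleState $RuleId)"
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions AuditMode
"After:  rule $RuleId is $(Get-AsrRuleState $RuleId)"

# Step 2: after a few days of normal use, see what showed up. Any legitimate
# business workflow here (add-ins spawning helpers, etc.) needs handling
# before enforcement; an empty list means the rule is safe to turn on.
Get-AsrEvents -Id $RuleId -Days 7 | Format-Table -AutoSize

# Step 3: enforce once the audit log shows only unwanted activity.
$Enforce = $false   # flip to $true after reviewing step 2
if ($Enforce) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
    "Enforced: rule $RuleId is $(Get-AsrRuleState $RuleId)"
}
```

Add-MpPreference updates the action for a rule that is already listed, so the same call moves the rule from AuditMode to Enabled; Set-MpPreference would instead replace the whole rule list.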
Conclusion
This week’s takeaways are a reminder: threats rarely knock—they slip in. Every missed patch, strange behavior, or failed control is a step closer to something worse. If anything here hits close to home, don’t delay the fix. The next breach is often just a mistake left unchecked.