By security practitioners, for security practitioners

Weekly Top 10: 06.02.2025: Threat Actors Abuse Google Apps Script in Evasive Phishing Attacks; Cybercriminals Camouflaging Threats as AI Tool Installers; Mark Your Calendar: APT41 Innovative Tactics, and More.

WEEKLY TOP TEN: June 02, 2025, 16:00 GMT

  1. Threat Actors Abuse Google Apps Script in Evasive Phishing Attacks

    Researchers at Cofense have discovered a new phishing campaign that abuses Google Apps Script to host fraudulent login pages, leveraging the trusted google[.]com domain to appear legitimate and evade security tools. The attack begins with phishing emails masquerading as invoices, containing links to webpages hosted on script[.]google[.]com that present fake login screens designed to steal credentials.

    Once victims enter their information, the malicious script captures the data and redirects users to legitimate Microsoft login pages to avoid suspicion. This tactic exploits the inherent trust users place in Google’s platform, making the phishing attempts more likely to succeed and bypass email security filters that typically allow Google subdomain traffic.
  2. Police Take Down AVCheck Site Used by Cybercriminals to Scan Malware

    An international law enforcement operation has taken down AVCheck, one of the largest counter-antivirus (CAV) services used by cybercriminals to test whether their malware evades detection by commercial antivirus software before deployment. The service allowed threat actors to upload malicious files and check their detection rates across multiple security products, helping them refine their malware to remain undetectable.

    According to Dutch police, AVCheck was a critical component in the cybercriminal ecosystem, enabling attackers to optimize their payloads before launching attacks against victims. The takedown operation was coordinated by multiple agencies, including the FBI, U.S. Secret Service, and Dutch police.
  3. Cybercriminals Camouflaging Threats as AI Tool Installers

    Researchers at Cisco Talos have uncovered multiple threats masquerading as legitimate AI tool installers, including the CyberLock and Lucky_Gh0$t ransomware families, along with a newly discovered destructive malware dubbed “Numero.” The attackers create lookalike websites with domains that closely mimic legitimate AI platforms like NovaLeads and InVideo AI, distributing malicious executables through fake download portals.

    CyberLock ransomware, delivered via a fraudulent NovaLeadsAI installer, encrypts files and demands $50,000 in Monero while falsely claiming the funds support humanitarian causes, while Lucky_Gh0$t targets files under 1.2GB and is distributed through fake ChatGPT Premium installers. The Numero malware specifically targets the InVideo AI user base and renders Windows systems unusable by continuously manipulating GUI elements.
  4. Mark Your Calendar: APT41 Innovative Tactics

    Google’s Threat Intelligence Group has discovered that APT41 is using a new malware dubbed “TOUGHPROGRESS” that leverages Google Calendar for command-and-control communications, marking the latest evolution in the group’s tactics to blend malicious activity with legitimate services. The malware was deployed through a compromised government website and creates calendar events with encrypted data collected from infected hosts, while operators place encrypted commands in predetermined calendar events that the malware polls and executes.

    This technique allows APT41 to evade detection by using Google’s trusted infrastructure for C2 communications, similar to their previous abuse of Google Sheets and Google Drive in other campaigns. GTIG has been actively monitoring APT41’s use of Google Workspace applications for several years and has terminated the attacker-controlled infrastructure and projects associated with these campaigns.
  5. PumaBot: Novel Botnet Targeting IoT Surveillance

    Researchers at Darktrace have identified a new Go-based Linux botnet named “PumaBot” that targets embedded IoT devices by brute-forcing SSH credentials rather than conducting internet-wide scans, marking a shift toward more targeted botnet operations. The malware receives curated lists of IP addresses and credentials from its command-and-control server (ssh[.]ddos-cc[.]org) and performs environment fingerprinting checks, including looking for the “Pumatronix” string associated with surveillance and traffic camera systems.

    Once access is gained, PumaBot disguises itself as a legitimate Redis system file and establishes persistence through system service files while disabling logging to evade detection. The botnet demonstrates sophisticated evasion techniques and appears designed for long-term access rather than immediate exploitation, with researchers noting it may be part of a broader campaign to establish infrastructure for future attacks against IoT surveillance devices.
  6. Interlock Ransomware Gang Deploys New NodeSnake RAT on Universities

    The Interlock ransomware group has been observed deploying a previously undocumented remote access trojan named “NodeSnake” against UK universities, with Quorum Cyber researchers identifying at least two attacks in January and March 2025. The Node.js-based RAT is distributed through phishing emails containing malicious links or attachments and demonstrates typical capabilities expected from modern RATs, including persistent access, system reconnaissance, and remote command execution. NodeSnake employs multiple evasion techniques and communicates with command-and-control servers via HTTP/HTTPS while also deploying secondary payloads to maintain control and facilitate further compromise.

    The malware’s continuous development and deployment indicate Interlock’s evolution toward establishing long-term persistent access rather than solely pursuing immediate ransomware deployment, with the group previously targeting Texas Tech University, DaVita, and Kettering Health medical network.
  7. GreyNoise Discovers Stealthy Backdoor Campaign Affecting Thousands of ASUS Routers

    Security researchers at GreyNoise have found a complex backdoor campaign called “AyySSHush” that has affected more than 9,000 ASUS routers by using a mix of brute-force attacks, weaknesses in authentication, and a command injection flaw known as CVE-2023-39780. The attackers enable SSH access on a custom port (TCP/53282) and insert their public key into the router’s configuration, creating a persistent backdoor that survives firmware updates and reboots because the configuration is stored in NVRAM rather than on disk.

    The campaign shows skilled tactics typical of advanced persistent threats (APTs), such as focusing on certain router models and using real ASUS features to stay hidden while turning off logging to avoid being caught. Although ASUS has patched CVE-2023-39780, devices compromised before updating will retain the backdoor unless administrators manually review SSH configurations and remove the attacker’s key, with GreyNoise recommending a full factory reset for suspected compromises.
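The manual review GreyNoise recommends can be turned into a repeatable check. The script below is an added example, not GreyNoise's or ASUS's code: it audits a text dump of router settings for exactly the posture described above (SSH enabled, moved to TCP/53282, exposed to the WAN, with an authorized key the operator never provisioned). It assumes the dump is the key=value text an `nvram show`-style command prints and that the variables `sshd_enable`, `sshd_port`, `sshd_wan` and `sshd_authkeys` hold the SSH settings with one key per line; those names follow the Asuswrt convention as I understand it and should be checked against your firmware. The sample dump and both keys are constructed placeholders.

```python
"""Audit an Asuswrt-style NVRAM dump for the SSH persistence pattern
described in item 7.  Variable names (sshd_enable, sshd_port, sshd_wan,
sshd_authkeys) are an assumption about the firmware, not taken from the
page; adjust them for the device you are reviewing."""
import re
from dataclasses import dataclass

CAMPAIGN_PORT = 53282       # port reported in the AyySSHush campaign
DEFAULT_SSH_PORT = 22

# A new variable starts a line as name=value; an authorized-key line
# ("ssh-rsa AAAA...") has a space before any '=' and so never matches.
KEY_LINE = re.compile(r"^([A-Za-z0-9_.:-]+)=(.*)$")


@dataclass
class Finding:
    severity: str
    message: str


def parse_nvram(dump: str) -> dict[str, str]:
    """Parse key=value lines; lines that do not start a new variable are
    appended to the previous value (multi-key sshd_authkeys)."""
    conf: dict[str, str] = {}
    current = None
    for raw in dump.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            conf[current] = m.group(2)
        elif current is not None:
            conf[current] += "\n" + line
    return conf


def authorized_keys(conf: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (type, base64 blob, comment) for each key in sshd_authkeys."""
    keys = []
    for line in conf.get("sshd_authkeys", "").splitlines():
        parts = line.split(None, 2)
        if len(parts) >= 2:
            keys.append((parts[0], parts[1], parts[2] if len(parts) == 3 else ""))
    return keys


def audit(conf: dict[str, str], allowed: set[tuple[str, str]]) -> list[Finding]:
    """Flag deviations from the expected SSH posture.  `allowed` holds the
    (type, blob) pairs of keys the operator actually provisioned."""
    findings: list[Finding] = []
    if conf.get("sshd_enable", "0") == "0":
        return findings                          # SSH off: nothing to assess
    if conf.get("sshd_wan", "0") != "0":
        findings.append(Finding("medium", "SSH is reachable from the WAN (sshd_wan=1)"))
    try:
        port = int(conf.get("sshd_port", str(DEFAULT_SSH_PORT)))
    except ValueError:
        port = -1
    if port == CAMPAIGN_PORT:
        findings.append(Finding("critical", f"SSH bound to TCP/{port}, the port reported in the campaign"))
    elif port != DEFAULT_SSH_PORT:
        findings.append(Finding("medium", f"SSH on non-default port TCP/{port}"))
    for ktype, blob, comment in authorized_keys(conf):
        if (ktype, blob) not in allowed:         # allowlist, never a denylist
            findings.append(Finding("high", f"unrecognised authorized key {ktype} ...{blob[-12:]} {comment}".rstrip()))
    return findings


def audit_dump(dump: str, allowed: set[tuple[str, str]]) -> list[Finding]:
    return audit(parse_nvram(dump), allowed)


# Constructed sample: the operator's key plus an unknown second key,
# SSH moved to the campaign port and exposed on the WAN side.
OPERATOR_KEY = ("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIOPERATORKEYPLACEHOLDER0000000000000000")
ALLOWED_KEYS = {OPERATOR_KEY}
SAMPLE_DUMP = f"""\
wan_ipaddr=203.0.113.10
sshd_enable=1
sshd_port=53282
sshd_wan=1
sshd_authkeys={OPERATOR_KEY[0]} {OPERATOR_KEY[1]} admin@ops
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUNKNOWNKEYPLACEHOLDER000000000000000000= root@unknown
lan_ipaddr=192.168.50.1
"""

if __name__ == "__main__":
    for f in audit_dump(SAMPLE_DUMP, ALLOWED_KEYS):
        print(f"[{f.severity}] {f.message}")
```

The key comparison is an allowlist of keys you know you provisioned rather than a search for a known-bad key: the campaign's key material can change, your own inventory does not. A device that produces any `critical` or `high` finding is a candidate for the factory reset GreyNoise recommends rather than for spot-cleaning.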
  8. Lumma Infostealer Down but Not Out

    Despite a coordinated law enforcement operation by Europol, the FBI, and Microsoft that dismantled Lumma infostealer infrastructure on May 21, 2025, researchers at Check Point have observed signs that the malware-as-a-service operation continues to function. The takedown operation seized approximately 2,500 domains and disrupted the command-and-control infrastructure, but stolen credentials from Lumma-infected systems continue to appear for sale on underground markets, with automated Telegram bots offering hundreds of new logs for purchase.

    Lumma’s developer has publicly claimed that operations have been restored and that no arrests were made, while the group attempts to rebuild infrastructure and maintain affiliate relationships despite the disruption. Check Point notes that while the technical damage is significant, the real test will be whether the operation can overcome the reputational damage and distrust sown among affiliates, similar to challenges faced by other disrupted cybercriminal operations like LockBit.
  9. CFO Spear-Phishing Campaign Uses Netbird for Remote Access

    Researchers at Trellix have identified a highly targeted spear-phishing campaign aimed at CFOs and financial executives across banking, energy, insurance, and investment sectors, impersonating Rothschild & Co. recruiters to deliver the legitimate remote access tool NetBird as a backdoor. The attack begins with emails containing fake PDF attachments that redirect victims to Firebase-hosted pages with custom CAPTCHA challenges, ultimately leading to the download of a VBS script that silently installs NetBird and OpenSSH while creating hidden administrator accounts and enabling RDP access.

    The campaign demonstrates sophisticated social engineering by targeting high-value executives with carefully crafted recruitment offers while using legitimate signed binaries and trusted network protocols to evade detection. Trellix has observed partial infrastructure overlap with other nation-state spear-phishing campaigns, though no specific attribution has been made, and the group has targeted organizations across Europe, Africa, Canada, the Middle East, and South Asia, with potential expansion to U.S. companies anticipated.
  10. vBulletin RCE Vulnerability Affects Protected Methods

    Security researcher Egidio Romano at KarmaInSecurity has revealed a serious vulnerability that allows remote code execution before logging in, affecting vBulletin versions 5.x and 6.x that use PHP 8.1 or newer, due to incorrect use of PHP’s Reflection API in the platform’s controller logic. The vulnerability (CVE-2025-48827) comes from updates in PHP 8.1 that let ReflectionMethod::invoke() call protected methods without permission, allowing attackers to access internal API controller methods that should not be publicly available.

    By exploiting the protected replaceAdTemplate() method in the vB_Api_Ad controller, attackers can inject malicious template code that bypasses input filtering and achieves remote code execution through vBulletin’s template engine. The researcher has confirmed the exploit works on multiple vBulletin versions, including 5.1.0, 5.7.5, 6.0.1, and 6.0.3.
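The defect class behind item 10 is a dispatcher that resolves a request-supplied method name through reflection and relies on the runtime, rather than its own check, to keep non-public methods out of reach; once the runtime stops refusing them (as PHP 8.1's reflection did), every internal method becomes an API. The example below is added here and is not vBulletin's code: it is a Python analogue, where a hypothetical `AdController`, the underscore-prefixed `_replace_template` and `getattr` stand in for a vBulletin controller, a PHP protected method and ReflectionMethod::invoke(). It shows the unchecked dispatch beside a hardened one that only invokes methods explicitly marked for exposure.

```python
"""Reflection-style request dispatch: vulnerable form beside the
hardened form.  Python analogue of the PHP issue described in item 10;
the controller, its methods and the @api_method marker are hypothetical
and not taken from vBulletin."""
import inspect


def api_method(fn):
    """Mark a controller method as intentionally reachable over the API."""
    fn.api_exposed = True
    return fn


class AdController:
    """Hypothetical controller.  `_replace_template` stands in for a
    protected helper: it trusts its input because, by design, only code
    inside the class (which validates first) is supposed to call it."""

    def __init__(self):
        self.templates = {"banner": "<div>{{ad}}</div>"}

    @api_method
    def fetch(self, name: str) -> str:
        return self.templates.get(name, "")

    def _replace_template(self, name: str, body: str) -> bool:
        self.templates[name] = body          # no filtering: internal use only
        return True


def dispatch_unchecked(controller, method: str, **params):
    """Vulnerable: any attribute name from the request is resolved and
    called, so '_replace_template' is reachable exactly like 'fetch'."""
    fn = getattr(controller, method)
    return fn(**params)


def dispatch_checked(controller, method: str, **params):
    """Hardened: the dispatcher enforces visibility itself.  Only bound
    methods carrying the @api_method mark are callable; names are never
    trusted, and a denylist of prefixes would be the wrong fix."""
    fn = getattr(controller, method, None)
    if not inspect.ismethod(fn) or not getattr(fn, "api_exposed", False):
        raise PermissionError(f"{method!r} is not an exposed API method")
    return fn(**params)


def try_dispatch(dispatcher, controller, method: str, **params):
    """Run a dispatcher and report ('ok', result) or ('denied', error)."""
    try:
        return ("ok", dispatcher(controller, method, **params))
    except (PermissionError, AttributeError) as exc:
        return ("denied", type(exc).__name__)


if __name__ == "__main__":
    for dispatcher in (dispatch_unchecked, dispatch_checked):
        c = AdController()
        print(dispatcher.__name__,
              try_dispatch(dispatcher, c, "fetch", name="banner"),
              try_dispatch(dispatcher, c, "_replace_template",
                           name="banner", body="{{injected}}"),
              c.templates["banner"])
```

The hardened dispatcher is an allowlist: a method is callable because it was marked as public API, not because its name lacks an underscore. That is what survives a runtime change like PHP 8.1's, where the language's notion of visibility stopped protecting the dispatcher.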

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The top 10 stories above were selected from the 40+ original ones we determined to be most significant over the course of the week, ranked by highest risk and drawing on multiple sources where available.
