By security practitioners, for security practitioners

Weekly Top 10: 06.16.2025: Fog Ransomware: Unusual Toolset Used in Recent Attack; EchoLeak: Critical Zero-Click AI Vulnerability in Microsoft 365 Copilot; Stealth Falcon’s Exploit of Microsoft Zero-Day Vulnerability, and More.

WEEKLY TOP TEN: June 16, 2025, 16:00 GMT

  1. First Forensic Confirmation of Paragon’s iOS Mercenary Spyware Finds Journalists Targeted

    Citizen Lab has identified and confirmed the use of Paragon Graphite, a mercenary spyware tool developed by Israel-based Paragon Solutions, in targeted attacks on iPhones. This marks the first forensic evidence of Graphite being used in the wild. The spyware targeted journalists through a zero-click iMessage attack exploiting CVE-2025-43200, which Apple patched in the iOS 18.3.1 update.

    Two journalists, a European journalist and Ciro Pellegrino, were compromised in early 2025 using the same ATTACKER1 iMessage account, indicating a single Paragon customer. The infections utilized WebDAV server summerartcamp[.]net and communicated with 46.183.184[.]91, matching Citizen Lab’s Fingerprint P1. Apple notified victims on April 29, 2025, prompting the forensic investigation.
  2. Fog Ransomware: Unusual Toolset Used in Recent Attack

    In May 2025, Fog ransomware operators targeted an Asian financial institution using an uncommon toolset rarely associated with ransomware campaigns. Tools such as GC2, Adaptix, and Stowaway were employed—each more commonly linked to espionage or red-team activity than typical ransomware operations.

    The attackers maintained access for two weeks before deploying the ransomware payload. Notably, they created a new service after encryption to preserve long-term access—an atypical move for ransomware actors. The campaign used Process Watchdog to sustain the GC2 backdoor, while Syteca was deployed for keylogging. Evidence of tool removal suggests an effort to cover tracks post-operation.

    This post-encryption persistence and focus on stealth indicate possible dual objectives: traditional financial extortion and long-term espionage.
  3. EchoLeak: Critical Zero-Click AI Vulnerability in Microsoft 365 Copilot

    Aim Labs discovered EchoLeak, a zero-click vulnerability in M365 Copilot exploiting “LLM Scope Violation” to automatically exfiltrate sensitive data without user interaction. Attackers send emails that bypass XPIA classifiers, use reference-style markdown to evade link redaction, then exploit SharePoint embedding service or Teams async gateway to bypass CSP and exfiltrate data.

    The vulnerability allows access to emails, OneDrive files, SharePoint sites, and Teams chats simply by sending a malicious email. Aim Labs demonstrated “RAG spraying” techniques to maximize malicious content retrieval during user queries.
  4. Stealth Falcon’s Exploit of Microsoft Zero-Day Vulnerability

    Check Point discovered Stealth Falcon exploiting CVE-2025-33053 to target a Turkish defense company using a malicious .url file that manipulates iediagcmd.exe’s working directory so that malware is executed from the WebDAV server summerartcamp[.]net (a strange coincidence with our first story).

    The attack deploys Horus Agent, a custom Mythic C2 implant featuring RC4 encryption, anti-VM checks, and process injection capabilities. The loader uses Code Virtualizer protection, checks for 109 security products, and injects into msedge.exe. Microsoft patched the vulnerability June 10, 2025, adding 14 module hashes to the Secure Boot dbx.
  5. Coordinated Brute Force Activity Targeting Apache Tomcat Manager

    Analysts at GreyNoise observed coordinated attacks on Apache Tomcat Manager interfaces on June 5, 2025, with 250 IPs attempting brute force and 298 attempting logins—far exceeding baseline levels of 1-15 and 10-40 IPs, respectively.

    Approximately 400 unique IPs participated, primarily from DigitalOcean infrastructure, exhibiting narrow focus on Tomcat services. While not exploiting a specific vulnerability, this opportunistic activity often precedes targeted exploitation. Organizations should block malicious IPs and verify strong authentication on exposed Tomcat interfaces.
  6. New Secure Boot Flaw Lets Attackers Install Bootkit Malware

    Binarly’s Alex Matrosov discovered CVE-2025-3052, a Secure Boot bypass affecting systems trusting Microsoft’s “UEFI CA 2011” certificate, enabling bootkit installation. A legitimate BIOS utility signed with Microsoft’s certificate reads NVRAM variable IhisiParamBuffer without validation, allowing attackers with admin rights to write arbitrary data during boot.

    Binarly’s PoC zeros the gSecurity2 variable to disable Secure Boot and execute unsigned modules. Microsoft patched it on June 10, 2025, while the vulnerable module has been circulated since late 2022.
  7. Mirai Botnet Variant Targets DVR Devices with CVE-2024-3721

    Kaspersky observed a Mirai variant exploiting CVE-2024-3721 command injection in TBK DVR devices through malicious POST requests that download ARM32 binaries. The variant features RC4 encryption, anti-VM checks for VMware/QEMU processes, and directory verification.

    The infections seem to concentrate on China, India, Egypt, Ukraine, Russia, Turkey, and Brazil, with 50,000+ vulnerable devices exposed online. The bot conducts DDoS attacks and doesn’t persist after restarts; immediate patching and factory resets are recommended.
  8. Skeleton Spider’s Trusted Cloud Malware Delivery

    DomainTools identified FIN6/Skeleton Spider using AWS infrastructure to deliver more_eggs malware through fake job applicant phishing. Attackers initiate contact on LinkedIn/Indeed before sending emails with non-clickable URLs, forcing manual typing.

    Domains follow firstname-lastname patterns, are GoDaddy-registered, and are hosted on AWS with filtering for IP reputation, OS fingerprinting, and CAPTCHA verification. ZIP payloads contain .LNK files executing JavaScript to download more_eggs, demonstrating FIN6’s evolution from POS breaches to enterprise threats using trusted cloud infrastructure.
  9. Attackers Unleash TeamFiltration Account Takeover Campaign

    Security analysts at Proofpoint found that UNK_SneakyStrike has been leveraging the TeamFiltration pentesting framework to compromise 80,000+ Entra ID accounts across 100 organizations since December 2024. Attackers exploit TeamFiltration’s Teams API enumeration, password spraying from rotating AWS regions, and OAuth family refresh tokens to access Teams, OneDrive, and Outlook.

    Detection indicators include an outdated Teams user agent (Teams/1.3.00.30866), incompatible device access attempts, and targeting of preconfigured OAuth client IDs. The campaign operates in bursts from AWS infrastructure primarily in the US (42%), Ireland (11%), and the UK (8%).
  10. 20,000 Malicious IPs and Domains Taken Down in INTERPOL Infostealer Crackdown

    INTERPOL’s Operation Secure coordinated 26 countries to take down 20,000+ malicious IPs/domains linked to infostealers, achieving a 79% takedown rate and seizing 41 servers with 100GB+ data. Vietnamese police arrested 18 suspects, including a leader, with VND 300 million in cash and corporate account materials; Sri Lanka/Nauru arrested 14; Hong Kong identified 117 C2 servers across 89 ISPs.

    Authorities notified 216,000+ victims whose credentials were harvested by infostealers targeting browser data, passwords, and crypto wallets.
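The Tomcat Manager story (item 5) gives defenders a concrete baseline: 1-15 distinct IPs per day failing against the Manager interface is normal, hundreds is not. The script below is an added example written for this digest, not GreyNoise's tooling or data. It parses lines in Tomcat's default AccessLogValve pattern (`%h %l %u %t "%r" %s %b`), counts the distinct source IPs that fail to authenticate to `/manager` per day, flags days that exceed an operator-supplied baseline, and lists repeat offenders as block-list candidates. The log lines are constructed samples using RFC 5737 documentation addresses.

```python
"""Spot brute-force bursts against the Tomcat Manager interface in access logs.

Added example for the Tomcat Manager story; not GreyNoise's tooling or data.
Input is Tomcat's default AccessLogValve pattern: %h %l %u %t "%r" %s %b
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample log; addresses come from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Jun/2025:10:01:02 +0000] "GET /manager/html HTTP/1.1" 401 -
203.0.113.10 - - [05/Jun/2025:10:01:03 +0000] "GET /manager/html HTTP/1.1" 401 -
203.0.113.11 - - [05/Jun/2025:10:01:04 +0000] "GET /manager/html HTTP/1.1" 401 -
198.51.100.7 - - [05/Jun/2025:10:01:05 +0000] "GET /manager/text/list HTTP/1.1" 401 -
192.0.2.5 - admin [05/Jun/2025:10:02:00 +0000] "GET /manager/html HTTP/1.1" 200 12345
192.0.2.9 - - [05/Jun/2025:10:02:30 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.12 - - [04/Jun/2025:23:59:59 +0000] "GET /manager/html HTTP/1.1" 401 -
this line is not an access log record
"""

MANAGER_PREFIX = "/manager"          # covers /manager/html, /manager/text, /manager/status
AUTH_FAILURE_STATUSES = {401, 403}   # failed or forbidden authentication to the Manager


def parse_line(line):
    """Return a dict for a well-formed access-log line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # "05/Jun/2025:10:01:02 +0000" -> day key "05/Jun/2025"
    rec["day"] = rec["ts"].split(":", 1)[0]
    return rec


def manager_auth_failures(log_text):
    """Map day -> {ip: failed_attempts} for unauthenticated Manager requests."""
    per_day = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines instead of aborting the sweep
        if rec["path"].startswith(MANAGER_PREFIX) and rec["status"] in AUTH_FAILURE_STATUSES:
            per_day[rec["day"]][rec["ip"]] += 1
    return per_day


def spike_days(per_day, baseline_max_ips):
    """Days on which more distinct IPs failed Manager auth than the baseline allows."""
    return sorted(day for day, ips in per_day.items() if len(ips) > baseline_max_ips)


def repeat_offenders(per_day, min_attempts):
    """IPs with at least min_attempts failures on a single day: block-list candidates."""
    hits = set()
    for ips in per_day.values():
        hits.update(ip for ip, n in ips.items() if n >= min_attempts)
    return sorted(hits)


if __name__ == "__main__":
    failures = manager_auth_failures(SAMPLE_LOG)
    for day in sorted(failures):
        print(day, "distinct failing IPs:", len(failures[day]))
    # Baseline lowered to 2 so the tiny sample trips it; ~15 matches the reported normal range
    print("spike days:", spike_days(failures, baseline_max_ips=2))
    print("repeat offenders:", repeat_offenders(failures, min_attempts=2))
```

Run it against a real `localhost_access_log.*.txt` by replacing `SAMPLE_LOG` with the file contents and setting the baseline from your own history; the per-day distinct-IP count, rather than raw request volume, is what separates a distributed campaign like the one GreyNoise described from a single misconfigured client.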
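The TeamFiltration story (item 9) names two things a SOC can act on: the outdated Teams user agent `Teams/1.3.00.30866`, and a spraying pattern in which one source fails against many accounts in a burst. The script below is an added example for this digest, not Proofpoint's detection content. The events are constructed JSON lines in a simplified form of the Entra SigninLogs schema (`TimeGenerated`, `UserPrincipalName`, `IPAddress`, `UserAgent`, `AppId`, `ResultType`); the field set, the placeholder `AppId` value and the sample addresses are assumptions made for the example. It flags the stale user agent, finds IPs that fail credentials against many distinct accounts inside a short window, and then lists accounts that authenticated successfully from one of those IPs, which is the set to treat as compromised first.

```python
"""Triage Entra ID sign-in events for the TeamFiltration indicators in this digest.

Added example, not Proofpoint's detection content. Events are constructed JSON
lines in a simplified SigninLogs-like schema; field names are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

STALE_TEAMS_UA = "Teams/1.3.00.30866"   # outdated Teams client string named in the report
INVALID_CREDENTIALS = "50126"            # Entra result code: invalid username or password

# Constructed sample events; 203.0.113.50 plays the spraying source.
SAMPLE_EVENTS = """\
{"TimeGenerated":"2025-06-05T10:00:01Z","UserPrincipalName":"alice@example.com","IPAddress":"203.0.113.50","UserAgent":"Teams/1.3.00.30866","AppId":"PLACEHOLDER-APP-ID","ResultType":"50126"}
{"TimeGenerated":"2025-06-05T10:00:04Z","UserPrincipalName":"bob@example.com","IPAddress":"203.0.113.50","UserAgent":"Teams/1.3.00.30866","AppId":"PLACEHOLDER-APP-ID","ResultType":"50126"}
{"TimeGenerated":"2025-06-05T10:00:09Z","UserPrincipalName":"carol@example.com","IPAddress":"203.0.113.50","UserAgent":"Teams/1.3.00.30866","AppId":"PLACEHOLDER-APP-ID","ResultType":"50126"}
{"TimeGenerated":"2025-06-05T10:00:15Z","UserPrincipalName":"dave@example.com","IPAddress":"203.0.113.50","UserAgent":"Teams/1.3.00.30866","AppId":"PLACEHOLDER-APP-ID","ResultType":"0"}
{"TimeGenerated":"2025-06-05T10:30:00Z","UserPrincipalName":"alice@example.com","IPAddress":"198.51.100.20","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64)","AppId":"PLACEHOLDER-APP-ID","ResultType":"0"}
{"TimeGenerated":"2025-06-05T11:00:00Z","UserPrincipalName":"erin@example.com","IPAddress":"198.51.100.20","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64)","AppId":"PLACEHOLDER-APP-ID","ResultType":"50126"}
"""


def load_events(text):
    """Parse JSON lines and attach a timezone-aware datetime under the private key _time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["_time"] = datetime.fromisoformat(ev["TimeGenerated"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def stale_teams_agent_hits(events):
    """Sorted (ip, account) pairs that presented the outdated Teams user agent."""
    return sorted({(e["IPAddress"], e["UserPrincipalName"])
                   for e in events if e["UserAgent"] == STALE_TEAMS_UA})


def spray_sources(events, min_accounts=10, window_minutes=30):
    """IPs failing credentials against >= min_accounts distinct accounts within one window.

    Returns {ip: sorted list of every account that IP failed against}.
    """
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for e in events:
        if e["ResultType"] == INVALID_CREDENTIALS:
            failures[e["IPAddress"]].append((e["_time"], e["UserPrincipalName"]))
    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            # distinct accounts tried in the window that opens at attempt i
            in_window = {upn for t, upn in attempts[i:] if t - start <= window}
            if len(in_window) >= min_accounts:
                flagged[ip] = sorted({upn for _, upn in attempts})
                break
    return flagged


def successes_from_spray_sources(events, flagged):
    """Accounts that authenticated successfully from a flagged IP: treat as compromised."""
    return sorted({e["UserPrincipalName"] for e in events
                   if e["IPAddress"] in flagged and e["ResultType"] == "0"})


if __name__ == "__main__":
    evs = load_events(SAMPLE_EVENTS)
    print("stale Teams UA:", stale_teams_agent_hits(evs))
    # Thresholds lowered for the six-event sample; raise them for production volumes
    sprayers = spray_sources(evs, min_accounts=3, window_minutes=5)
    print("spray sources:", sprayers)
    print("successful logins from spray sources:", successes_from_spray_sources(evs, sprayers))
```

Because the campaign rotates through AWS regions, the per-IP grouping here will under-count a single operator; in practice key the spray heuristic on the IP's ASN or on the user agent plus `AppId` combination as well, and pair every hit with a token revocation for the accounts that `successes_from_spray_sources` returns.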

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The top 10 stories above were selected from the 40+ original ones we determined to be most significant during the course of the week, ranked by highest risk and drawing on multiple sources when available.
