WEEKLY TOP TEN: June 23, 2025, 16:00 GMT
- Cloudflare Blocked a Record 7.3 Tbps DDoS Attack
In mid-May 2025, Cloudflare successfully mitigated what it describes as the largest DDoS attack in history. It reached a peak of 7.3 Tbps, surpassing its own previous record of 6.5 Tbps.
The DDoS attack was launched at a hosting provider using Cloudflare’s Magic Transit service, delivering 37.4 TB of data in just 45 seconds, targeting tens of thousands of destination ports on a single IP, originating from over 122,000 source IPs across 5,433 networks in 161 countries; nearly half of the traffic was traced to Brazil and Vietnam.
- New Evolution of Android Malware “Godfather” Employs Virtualization Techniques
The latest evolution of the Android malware “Godfather” now deploys a built-in virtualization layer on infected devices to run legitimate banking, crypto, and e-commerce apps inside a concealed container.
When users open a target app, the malware intercepts and reroutes its launch into a “StubActivity,” enabling the user to interact with a genuine UI while Godfather secretly logs credentials, PINs, touch inputs, and backend responses in real time. It can also simulate overlays like fake lock or update screens while operators remotely trigger payments, transfers, or UI navigation.
- Threat Group Banana Squad’s New Campaign Trojanized GitHub Repositories
Cybersecurity researchers have uncovered a campaign by the threat group “Banana Squad,” which involved the creation of 67 trojanized GitHub repositories offering Python-based hacking tools and video game cheats, employing stealth tactics to sneak credential-stealing backdoors past casual reviews.
Originating from domains like 1312services[.]ru and dieserbenni[.]ru, the campaign marks a shift from earlier attacks on package registries (e.g., PyPI) to more subtle, repository-based infiltration methods, highlighting how open-source supply-chain threats are evolving.
- Prominent Journalists Infected by Paragon Commercial Spyware
Citizen Lab researchers have found that Paragon Solutions’ Graphite spyware has been used in covert “zero-click” attacks targeting at least three prominent journalists from Italy and Europe by exploiting vulnerabilities in platforms like WhatsApp and iMessage, enabling full device compromise without user interaction. The revelations sparked outrage, prompting Italy to terminate its contracts with Paragon despite official claims of legal use for counterterrorism and organized crime, while Meta and oversight bodies have criticized the incident as a dangerous precedent for mercenary spyware misuse in democratic societies.
- Critical Vulnerability Discovered in libblockdev
A critical local-privilege-escalation vulnerability was found in libblockdev (CVE‑2025‑6019), allowing any user with the default “allow_active” permission to escalate to root on most major distributions using the udisks daemon. This flaw can be combined with a related PAM setup issue on SUSE systems, allowing attackers to quickly and easily take full control of the system. The flaws were discovered by the Qualys Threat Research Unit, which has demonstrated proof-of-concept exploits for both, and admins are strongly urged to apply the patches immediately.
- Initial Access Broker of Ransomware Group Ryuk Extradited to the U.S.
A 33-year-old man, identified as an “initial access broker” for the notorious Ryuk ransomware group, was apprehended in April 2025 in Kyiv. The arrest was requested by the FBI, and he was extradited to the U.S. on June 18 to face charges related to facilitating the group’s global ransomware operations—which collectively extorted over $100 million from more than 2,400 victims across at least 70 countries.
According to Ukrainian authorities, he was responsible for scouting network vulnerabilities, then passing access to affiliates who stole data and deployed various ransomware strains before Ryuk was folded into Conti. During the arrest, authorities seized over $600,000 in cryptocurrency, nine luxury vehicles, and multiple real estate assets.
- Hacking Group BlueNoroff Used Deepfake Zoom Calls to Spread macOS Malware
North Korea’s BlueNoroff hacking group used deepfake videos of company executives in fake Zoom calls to trick cryptocurrency firm employees into installing macOS malware. The attackers contacted victims via Telegram, led them to a fake Zoom meeting, and prompted them to download a harmful AppleScript disguised as a Zoom extension, which installed malware enabling persistent access and further exploitation. This tactic reflects BlueNoroff’s evolving use of social engineering and advanced techniques targeting crypto companies.
- Record 16 Billion Credentials Leaked on Hacking Forum
Cybernews researchers have uncovered what may be the largest credential leak ever: 16 billion login records across 30 newly discovered datasets. The records were harvested from stealer malware, credential stuffing attacks, and one instance of an old breach, all compiled into a text file named “rockyou2024.txt” uploaded to a hacking forum by a user with the alias “ObamaCare.” The credentials cover a wide variety of services, everything from Google, Apple, Facebook, Telegram, and GitHub to government services.
- Anubis RaaS New Wipe Mode Feature
Anubis, a newcomer in the ransomware-as-a-service landscape, has enhanced its toolkit with a “wipe mode” feature allowing affiliates not only to encrypt and steal data but also to permanently erase victim files by overwriting their contents, leaving them unrecoverable even if a ransom is paid. This addition escalates pressure on organizations unwilling to negotiate, combining typical double-extortion tactics with irreversible data destruction to amplify the threat and urgency of attacks.
- Scania Confirms Data Breach in Insurance Claim System
Scania confirmed that a cybercriminal used stolen credentials from an external IT partner to access its insurance claims system on May 28–29, 2025, stealing thousands of insurance claim documents.
The attackers then attempted extortion by sending emails from a ProtonMail account to Scania employees demanding payment to prevent full disclosure and posting the stolen data for sale via a threat actor named “hensi.” Scania shut down the affected application, notified privacy authorities, and says the impact appears limited for now.
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ original ones we determined to be most significant during the course of the week, ranking by highest risk and using multiple sources when available: