Not every risk looks like an attack. Some problems start as small glitches, strange logs, or quiet delays that don’t seem urgent—until they are. What if your environment is already being tested, just not in ways you expected?
Some of the most dangerous moves are hidden in plain sight. It’s worth asking: what patterns are we missing, and what signals are we ignoring because they don’t match old playbooks?
This week’s reports bring those quiet signals into focus—from attacks that bypassed MFA using trusted tools, to supply chain compromises hiding behind everyday interfaces. Here’s what stood out across the cybersecurity landscape:
⚡ Threat of the Week
Cloudflare Blocks Massive 7.3 Tbps DDoS Attack — Cloudflare said it autonomously blocked the largest distributed denial-of-service (DDoS) attack ever recorded, which hit a peak of 7.3 terabits per second (Tbps). The attack, the company said, targeted an unnamed hosting provider and delivered 37.4 terabytes in 45 seconds. It originated from over 122,145 source IP addresses spanning 5,433 Autonomous Systems (AS) across 161 countries. The top sources of attack traffic included Brazil, Vietnam, Taiwan, China, Indonesia, Ukraine, Ecuador, Thailand, the United States, and Saudi Arabia.
🔔 Top News
- Patched Google Chrome Flaw Exploited by TaxOff — A threat actor known as TaxOff exploited CVE-2025-2783, a now-patched security flaw in Google Chrome, as a zero-day in mid-March 2025 to target Russian organizations with a backdoor codenamed Trinper. The attacks share overlaps with another threat activity cluster dubbed Team46, which is believed to have been active since early 2024 and has leveraged another zero-day vulnerability in Yandex Browser for Windows in the past to deliver unspecified payloads.
- North Korea Employs Deepfakes in New Fake Zoom Scam — Threat actors with ties to North Korea targeted an unnamed employee of a cryptocurrency foundation with deceptive Zoom calls featuring deepfaked company executives to trick them into downloading malware. Cybersecurity company Huntress, which responded to the incident, said it discovered eight distinct malicious binaries on the victim host that are capable of running commands, dropping additional payloads, logging keystrokes, and stealing cryptocurrency-related files.
- Russian Threat Actors Use App Passwords to Bypass MFA — Russian threat actors tracked as UNC6293 have been found to bypass multi-factor authentication (MFA) and access Gmail accounts of targeted individuals by leveraging app-specific passwords in skillfully crafted social engineering attacks that impersonate U.S. Department of State officials. The attacks, which started in at least April and continued through the beginning of June, are notable for their efforts to build trust with victims over weeks, instead of inducing a false sense of urgency and rushing them into taking unintended actions. The end goal of the attacks is to persuade the recipients to create and share app-specific passwords that would provide access to their Gmail accounts.
- Godfather Trojan Creates Sandbox on Infected Android Devices — A new version of the Godfather banking trojan has been found to create isolated virtual environments on Android devices to steal account data and transactions from legitimate banking apps. While the malware has been active since June 2021, the latest iteration takes its information-stealing capabilities to a whole new level through the deployment of a malicious app containing an embedded virtualization framework on infected devices, which is used to run copies of the targeted applications. Thus, when a user launches a banking app, they are redirected to the virtualized instance, from where sensitive data is stolen. The malware also displays a fake lock screen overlay to trick the victim into entering their PIN.
- Israel-Iran Conflict Sparks Surge in Cyber Warfare — The Israel-Iran conflict that started with Israeli attacks on Iranian nuclear and military targets on June 13 has triggered a wider cyber conflict in the region, with hacktivist groups and ideologically motivated actors targeting both nations. Notable among them, the pro-Israel threat group known as Predatory Sparrow breached Bank Sepah and Nobitex, claiming they have been used to circumvent international sanctions. Predatory Sparrow has been publicly linked to attacks targeting an Iranian steel production facility in 2022 and to outages at gas station payment systems across the country in 2021. Furthermore, Iran’s state-owned TV broadcaster was hacked to interrupt regular programming and air videos calling for street protests against the Iranian government. Nearly three dozen pro-Iranian groups are estimated to have launched coordinated attacks against Israeli infrastructure. These acts represent another escalation of the use of cyber attacks during (and as a precursor to) geopolitical conflicts, while also underscoring the growing importance of cyber-augmented warfare.
🔥 Trending CVEs
Attackers love software vulnerabilities – they’re easy doors into your systems. Every week brings fresh flaws, and waiting too long to patch can turn a minor oversight into a major breach. Below are this week’s critical vulnerabilities you need to know about. Take a look, update your software promptly, and keep attackers locked out.
This week’s list includes — CVE-2025-34509, CVE-2025-34510, CVE-2025-34511 (Sitecore XP), CVE-2025-6018, CVE-2025-6019, CVE-2025-6020 (Linux), CVE-2025-23121 (Veeam Backup & Replication), CVE-2025-3600 (Progress Telerik UI for AJAX), CVE-2025-3464 (ASUS Armoury Crate), CVE-2025-5309 (BeyondTrust Remote Support and Privileged Remote Access), CVE-2025-5349, CVE-2025-5777 (Citrix ADC and Gateway), CVE-2025-5071 (AI Engine plugin), CVE-2025-4322 (Motors theme), CVE-2025-1087 (Insomnia API Client), CVE-2025-20260 (ClamAV), CVE-2025-32896 (Apache SeaTunnel), CVE-2025-50054, and CVE-2025-1907 (Instantel Micromate).
📰 Around the Cyber World
- Prometei Botnet Resurgence in March 2025 — The botnet known as Prometei has been observed in renewed attacks in March 2025, while also incorporating new features. “The latest Prometei versions feature a backdoor that enables a variety of malicious activities. Threat actors employ a domain generation algorithm (DGA) for their command-and-control (C2) infrastructure and integrate self-updating features for stealth and evasion,” Palo Alto Networks Unit 42 said. Prometei, first spotted in July 2020, is capable of striking both Windows and Linux systems for cryptocurrency mining, credential theft, and data exfiltration. It can also deploy additional malware payloads. In recent years, it has exploited Windows systems unpatched against ProxyLogon flaws. As of March 2023, it was estimated to have compromised more than 10,000 systems since November 2022. “This modular design makes Prometei highly adaptable, as individual components can be updated or replaced without affecting the overall botnet functionality,” Unit 42 said.
- BitoPro Hack Linked to Lazarus Group — Taiwanese cryptocurrency exchange BitoPro claimed the North Korean hacking group Lazarus is behind a cyber attack that led to the theft of $11,000,000 worth of cryptocurrency on May 9, 2025. “The attack methodology bears resemblance to patterns observed in multiple past international major incidents, including illicit transfers from global bank SWIFT systems and asset theft incidents from major international cryptocurrency exchanges. These attacks are attributed to the North Korean hacking organization ‘Lazarus Group’,” the company said. BitoPro also revealed the attackers conducted a social engineering attack on a team member responsible for cloud operations to implant malware and remotely access their computer, while evading security monitoring. “They subsequently hijacked AWS Session Tokens to bypass Multi-Factor Authentication (MFA),” it added. “From the AWS environment, they delivered commands via a C2 server to discreetly transfer malicious scripts to the hot wallet host, awaiting an opportunity to launch the attack. After prolonged observation, the hackers specifically targeted the platform during its wallet system upgrade and asset transfer period, simulating normal operational behaviors to launch the attack.” On May 9, the malicious script was executed to transfer cryptocurrency from the hot wallet. BitoPro said it shut down its hot wallet system, rotated all cryptographic keys, and isolated and rebuilt affected systems after discovering unusual wallet activity. The heist is the latest to be attributed to the notorious Lazarus Group, which was implicated in the record-breaking $1.5 billion theft from Bybit.
- Microsoft Plans to Clean Up Legacy Drivers — Microsoft said it’s launching a “strategic initiative” to periodically clean up legacy drivers published on Windows Update to reduce security and compatibility risks. “The rationale behind this initiative is to ensure that we have the optimal set of drivers on Windows Update that cater to a variety of hardware devices across the Windows ecosystem, while making sure that Microsoft Windows security posture is not compromised,” the company said. “This initiative involves periodic cleanup of drivers from Windows Update, thereby resulting in some drivers not being offered to any systems in the ecosystem.”
- Mocha Manakin Uses ClickFix to Deliver Node.js Backdoor — A previously undocumented threat actor known as Mocha Manakin has been linked to a new set of attacks that leverage the well-known ClickFix (aka Paste and run or fakeCAPTCHA) as an initial access technique to drop a bespoke Node.js backdoor codenamed NodeInitRAT. “NodeInitRAT allows the adversary to establish persistence and perform reconnaissance activities, such as enumerating principal names and gathering domain details,” Red Canary said. “NodeInitRAT communicates with adversary-controlled servers over HTTP, often through Cloudflare tunnels acting as intermediary infrastructure.” The backdoor comes with capabilities to execute arbitrary commands and deploy additional payloads on compromised systems. The threat actor was first observed by the cybersecurity company in January 2025. It’s assessed that the backdoor overlaps with a Node.js executable used in Interlock ransomware attacks.
- China Targets Russia to Seek War Secrets — State-sponsored hackers from China have repeatedly broken into Russian companies and government agencies since Russia’s invasion of Ukraine in 2022, likely in search of military secrets. According to The New York Times, intrusions accelerated in May 2022, with one group known as Sanyo impersonating the email addresses of a major Russian engineering firm to gather information on nuclear submarines. In a classified document prepared by the domestic security agency, Russia is said to have claimed that “China is seeking Russian defense expertise and technology and is trying to learn from Russia’s military experience in Ukraine,” calling China an “enemy.” Another threat actor of interest is Mustang Panda, which has expanded its scope to target governmental organizations in Russia and the European Union since the outbreak of the Russo-Ukrainian war.
- CoinMarketCap Website Hacked With Fake “Verify Wallet” Pop-up — CoinMarketCap (CMC), a popular platform for cryptocurrency tracking, disclosed that its website was hacked to serve a “malicious pop-up prompting users to ‘Verify Wallet'” with the goal of draining users’ digital assets. While it’s currently not clear how the attackers carried out the attack, the company said it has since identified and removed the malicious code from its site. According to Coinspect Security, the drainer was injected via CoinMarketCap’s rotating “Doodles” feature that’s served from the domain api.coinmarketcap[.]com. “CoinMarketCap’s backend API serves manipulated JSON data that injects malicious JavaScript through the rotating ‘doodles’ feature,” the company said. “Not all users see it, since the doodle shown varies per visit. The injected wallet drainer always loads if you visit /doodles/.” Specifically, this involves loading the drainer from the “CoinmarketCLAP” doodle’s JSON file, exploiting a code injection vulnerability that abuses Lottie animation JSON files to inject arbitrary JavaScript from an external site named static.cdnkit[.]io. “On June 20, 2025, our security team identified a vulnerability related to a doodle image displayed on our homepage,” CoinMarketCap
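The doodle incident above is a reminder that animation JSON fetched from an API is untrusted input to the page. The following is an added example, not CoinMarketCap’s or Coinspect’s code, of a pre-render audit a frontend could run over Lottie JSON before handing it to the player: it flags strings that reference hosts outside a first-party allowlist, script-like strings, and any string stored under the `x` key (which lottie-web treats as an evaluable expression; that key name and the allowlisted host are assumptions made for this example, and the sample doodle is constructed).

```javascript
// Added example (not the project's code): audit Lottie animation JSON before rendering.
// Assumption: only first-party hosts should ever appear inside animation JSON.
const ALLOWED_HOSTS = new Set(["assets.first-party.example"]); // constructed allowlist
const URL_RE = /https?:\/\/[^\s"'<>]+/gi;

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// Recursively walk any JSON value and collect findings with their JSON path.
function auditLottie(node, path = "$", findings = []) {
  if (typeof node === "string") {
    if (/<script|javascript:|\beval\s*\(/i.test(node)) {
      findings.push({ path, kind: "script-like-string", value: node });
    }
    for (const m of node.match(URL_RE) || []) {
      const host = hostOf(m);
      if (host && !ALLOWED_HOSTS.has(host)) {
        findings.push({ path, kind: "external-url", value: m });
      }
    }
  } else if (Array.isArray(node)) {
    node.forEach((v, i) => auditLottie(v, `${path}[${i}]`, findings));
  } else if (node && typeof node === "object") {
    for (const [k, v] of Object.entries(node)) {
      // Assumption: "x" holds a lottie-web expression string (JavaScript), so flag it.
      if (k === "x" && typeof v === "string") {
        findings.push({ path: `${path}.${k}`, kind: "expression", value: v });
      }
      auditLottie(v, `${path}.${k}`, findings);
    }
  }
  return findings;
}

// Gate: render only animations whose audit comes back clean.
function isSafeToRender(animation) {
  return auditLottie(animation).length === 0;
}

// Constructed sample doodle: an asset path pointing off-site plus an expression string.
const SAMPLE_DOODLE = {
  v: "5.7.4", nm: "doodle",
  assets: [{ id: "image_0", u: "https://cdn.attacker.example/", p: "drainer.js", e: 0 }],
  layers: [{ ks: { p: { k: [0, 0], x: "var $bm_rt = window.location;" } } }],
};

console.log(auditLottie(SAMPLE_DOODLE)); // two findings: external-url and expression
```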