Copyright © All Rights Reserved. World of Software.

⚡ Weekly Recap: iPhone Spyware, Microsoft 0-Day, TokenBreak Hack, AI Data Leaks and More

News Room
Last updated: 2025/06/16 at 8:25 AM
News Room Published 16 June 2025

Some of the biggest security problems start quietly. No alerts. No warnings. Just small actions that seem normal but aren’t. Attackers now know how to stay hidden by blending in, and that makes it hard to tell when something’s wrong.

This week’s stories aren’t just about what was attacked—but how easily it happened. If we’re only looking for the obvious signs, what are we missing right in front of us?

Here’s a look at the tactics and mistakes that show how much can go unnoticed.

⚡ Threat of the Week

Apple Zero-Click Flaw in Messages Exploited to Deliver Paragon Spyware — Apple disclosed that a security flaw in its Messages app was actively exploited in the wild to target civil society members in sophisticated cyber attacks. The vulnerability, CVE-2025-43200, was addressed by the company in February as part of iOS 18.3.1, iPadOS 18.3.1, iPadOS 17.7.5, macOS Sequoia 15.3.1, macOS Sonoma 14.7.4, macOS Ventura 13.7.4, watchOS 11.3.1, and visionOS 2.3.1. The Citizen Lab said it uncovered forensic evidence that the flaw was weaponized to target Italian journalist Ciro Pellegrino and an unnamed prominent European journalist and infect them with Paragon’s Graphite mercenary spyware.

🔔 Top News

  • Microsoft Fixes WebDAV 0-Day Exploited in Targeted Attacks — Microsoft addressed a zero-day bug in Web Distributed Authoring and Versioning (WebDAV) that was exploited by a threat actor known as Stealth Falcon (aka FruityArmor) as part of highly targeted attacks to deliver Horus Agent, a custom implant built for the Mythic command-and-control (C2) framework. Horus Agent is believed to be an evolution of the customized Apollo implant, an open-source .NET agent for Mythic framework, that was previously put to use by Stealth Falcon between 2022 and 2023. “The new Horus Agent appears to be written from scratch,” according to Check Point. “In addition to adding custom commands, the threat actors placed additional emphasis on the agent’s and its loader’s anti-analysis protections and counter-defensive measures. This suggests that they have deep knowledge of both their victims and/or the security solutions in use.”
  • TokenBreak Attack Bypasses AI Moderation With a Single Character Change — Cybersecurity researchers disclosed an attack technique called TokenBreak that can be used to bypass a large language model’s (LLM) safety and content moderation guardrails with just a single character change. “The TokenBreak attack targets a text classification model’s tokenization strategy to induce false negatives, leaving end targets vulnerable to attacks that the implemented protection model was put in place to prevent,” HiddenLayer said.
  • Google Addresses Flaw Leaking Phone Numbers Linked to Accounts — Google has fixed a security flaw that could have made it possible to brute-force an account’s recovery phone number by taking advantage of a legacy username recovery form and combining it with an exposure path in Looker Studio that serves as an unintended oracle by leaking a user’s full name. Google has since deprecated the username recovery form.
  • Rare Werewolf and DarkGaboon Leverage Readymade Tooling to Target Russia — Two threat actors tracked as Rare Werewolf and DarkGaboon have been observed employing legitimate tools, living-off-the-land (LotL) tactics, and off-the-shelf malware to target Russian entities. While adversaries are known to adopt such tactics, the complete abstinence of bespoke malware speaks to the effectiveness of the approach in helping them evade detection triggers and endpoint detection systems. Because these techniques are also commonly used by administrators, distinguishing between malicious and benign activity becomes significantly more challenging for defenders.
  • Zero-Click AI Flaw Allows Data Exfiltration Without User Interaction — The first known zero-click artificial intelligence vulnerability in Microsoft 365 could have allowed attackers to exfiltrate sensitive internal data without any user interaction. The flaw, dubbed EchoLeak, involved what’s described as an LLM Scope Violation, referring to scenarios where a large language model (LLM) can be manipulated into leaking information beyond its intended context. In this case, an attacker can craft a malicious email containing specific markdown syntax that could slip past Microsoft’s Cross-Prompt Injection Attack (XPIA) defenses, causing the AI assistant to process the malicious payload and exfiltrate data using Microsoft’s own trusted domains, including SharePoint and Teams, which are allowlisted under Copilot’s content security policies. These domains can be used to embed external links or images that, when rendered by Copilot, automatically issue outbound requests to redirect stolen data to an attacker-controlled server. The most important aspect of this attack is that it all happens behind the scenes and users don’t even have to open the email message or click on any link. All it requires is for a victim to ask Microsoft 365 Copilot a business-related question that triggers the whole attack chain automatically. Microsoft, which is tracking the issue as CVE-2025-32711, has resolved it and emphasized it found no evidence of the vulnerability being exploited in the wild.
  • VexTrio Runs a Massive Affiliate Program to Propagate Malware, Scams — The threat actors behind the VexTrio Viper Traffic Distribution Service (TDS) have been linked to a far-reaching campaign that hijacks WordPress sites to funnel victims into malware and scam networks. The malicious operation is designed to monetize compromised infrastructure, transforming legitimate websites into unwitting participants in a massive criminal advertising ecosystem. The scale of VexTrio’s activities came to light in November 2024 when Qurium revealed that Los Pollos, a Swiss-Czech adtech company, was part of the illicit TDS scheme. A new analysis from Infoblox has found that Los Pollos is one of the many companies controlled by VexTrio, including Taco Loco and Adtrafico, each overseeing different functions within the commercial affiliate network. These companies are in charge of recruiting publishing affiliates, who compromise websites with JavaScript injects, and advertising affiliates, who are the operators behind scams, malware, and other forms of fraud, turning VexTrio into an Uber-like intermediary for a criminal model that has generated substantial profits for the enterprise. Furthermore, when Los Pollos announced the cessation of their push monetization services in November 2024, many of these malware operations simultaneously migrated to TDSs called Help TDS and Disposable TDS, which are one and the same, and enjoyed an “exclusive relationship with VexTrio” until around the same time.

🔥 Trending CVEs

Attackers love software vulnerabilities – they’re easy doors into your systems. Every week brings fresh flaws, and waiting too long to patch can turn a minor oversight into a major breach. Below are this week’s critical vulnerabilities you need to know about. Take a look, update your software promptly, and keep attackers locked out.

This week’s list includes — CVE-2025-43200 (Apple), CVE-2025-32711 (Microsoft 365 Copilot), CVE-2025-33053 (Microsoft Windows), CVE-2025-47110 (Adobe Commerce and Magento Open Source), CVE-2025-43697, CVE-2025-43698, CVE-2025-43699, CVE-2025-43700, CVE-2025-43701 (Salesforce), CVE-2025-24016 (Wazuh), CVE-2025-5484, CVE-2025-5485 (SinoTrack), CVE-2025-31022 (PayU CommercePro plugin), CVE-2025-3835 (ManageEngine Exchange Reporter Plus), CVE-2025-42989 (SAP NetWeaver), CVE-2025-5353, CVE-2025-22463, CVE-2025-22455 (Ivanti Workspace Control), CVE-2025-5958 (Google Chrome), CVE-2025-3052 (DT Research DTBios and BiosFlashShell), CVE-2025-2884 (TCG TPM2.0 reference implementation), CVE-2025-26521 (Apache CloudStack), CVE-2025-47950 (CoreDNS), CVE-2025-4230, CVE-2025-4232 (Palo Alto Networks PAN-OS), CVE-2025-4278, CVE-2025-2254, CVE-2025-5121, CVE-2025-0673 (GitLab), CVE-2025-47934 (OpenPGP.js), CVE-2025-49219, CVE-2025-49220 (Trend Micro Apex Central), CVE-2025-49212, CVE-2025-49213, CVE-2025-49216, CVE-2025-49217 (Trend Micro Endpoint Encryption PolicyServer), CVE-2025-4922 (HashiCorp Nomad), CVE-2025-36631, CVE-2025-36632, CVE-2025-36633 (Tenable Agent), CVE-2025-33108 (IBM Backup, Recovery, and Media Services), CVE-2025-6029 (KIA-branded Aftermarket Generic Smart Keyless Entry System), and a patch bypass for CVE-2024-41713 (Mitel MiCollab).

📰 Around the Cyber World

  • Kazakh and Singapore Authorities Disrupt Criminal Networks — Kazakh authorities said they dismantled a network that was using Telegram to illegally sell citizens’ personal data extracted from government databases. More than 140 suspects were arrested in connection with the scheme, including business owners and alleged administrators of Telegram channels used to peddle the stolen information, according to officials. If convicted, the suspects could face up to five years in prison and a fine. The development came as the Singapore Police Force (SPF), in partnership with authorities from Hong Kong, Macao, Malaysia, Maldives, South Korea, and Thailand, announced the arrests of 1,800 subjects between April 28 and May 28 for their involvement in various online scams. The cross-border anti-scam initiative has been codenamed Operation FRONTIER+. “The subjects, aged between 14 and 81, are believed to be involved in more than 9,200 scam cases, comprising mainly government official impersonation scams, investment scams, rental scams, internet love scams, friend impersonation scams, job scams, and e-commerce scams, where victims reportedly lost over S$289 million (approximately USD225 million),” the SPF said. “More than 32,600 bank accounts suspected to be linked to scams were detected and frozen by the participating law enforcement agencies, with more than S$26.2 million (approximately USD20 million) seized in these bank accounts.” Singapore officials said they arrested 106 people locally who were responsible for 1,300 scams that netted them about $30 million.
  • Microsoft to Block .library-ms and .search-ms File Types in Outlook — Microsoft announced it will expand the list of blocked attachments in Outlook Web and the new Outlook for Windows starting next month, to include .library-ms and .search-ms file types. Both file types have been repeatedly exploited by bad actors in phishing and malware attacks. “The newly blocked file types are rarely used, so most organizations will not be affected by the change. However, if your users are sending and receiving affected attachments, they will report that they are no longer able to open or download them in Outlook Web or the New Outlook for Windows,” Microsoft said.
  • Meta and Yandex Caught Using Tracking Code to Leak Unique Identifiers to Installed Native Apps on Android — Meta and Yandex misused Android’s localhost ports to stealthily pass tracking data from mobile browsers into native apps like Facebook, Instagram, and Yandex services. This behavior allowed them to bypass browser sandboxing and Android’s permission system, likely making it possible to attach persistent identifiers to detailed browsing histories. The tracking worked even in private browsing modes across major browsers like Chrome and Firefox. Put differently, the loophole lets the apps detect any websites that Android device users visit and integrate the tracking scripts, and gather web cookie data via the device’s loopback interface. It takes advantage of the fact that the Android operating system allows any installed app with the INTERNET permission to open a listening socket on localhost (127.0.0.1) and browsers running on the same device can also access this interface without user consent or platform mediation. This opens the door to a scenario where JavaScript embedded on web pages can communicate with native Android apps and share identifiers and browsing habits over standard Web APIs. Evidence of Meta using the technique first emerged in September 2024, but Yandex is said to have adopted the technique in February 2017. Meta Pixel is embedded on over 6 million websites, while Yandex Metrica is present on close to 3 million websites. “These native Android apps receive browsers’ metadata, cookies, and commands from the Meta Pixel and Yandex Metrica scripts embedded on thousands of websites,” a group of academics from IMDEA Networks, Radboud University, and KU Leuven said. “These JavaScripts load on users’ mobile browsers and silently connect with native apps running on the same device through localhost sockets. As native apps access programmatically device identifiers like the Android Advertising ID (AAID) or handle user identities as in the case of Meta apps, this method effectively allows these organizations to link mobile browsing sessions and web cookies to user identities, hence de-anonymizing users’ visiting sites embedding their scripts.” As of June 3, 2025, the Meta/Facebook Pixel script is no longer sending any packets or requests to localhost, and the code responsible for sending _fbp cookie has been removed. Yandex claimed the feature in question did not collect any sensitive information and was solely meant to improve personalization. However, it has discontinued its use, citing privacy concerns. Google and Mozilla have released countermeasures to plug the eavesdropping scheme.
  • Replay Attacks as a Way to Bypass Deepfake Detection — New research has found that replay attacks are an effective method to bypass deepfake detection. “By playing and re-recording deepfake audio through various speakers and microphones, we make spoofed samples appear authentic to the detection model,” a team of researchers said. The development heralds new cyber risks as voice cloning technology has become a major driver of vishing attacks, allowing attackers to use artificial intelligence (AI) tools to generate synthetic audio that impersonate executives or IT personnel in an effort to gain privileged access to corporate systems.
  • Linux Malware Families Receive Steady Code Updates — A new analysis of known Linux malware such as NoodleRAT, Winnti, SSHdInjector, Pygmy Goat, and AcidRain has found that “they had at least two significant code updates within the last year, meaning threat actors are actively updating and supporting them,” Palo Alto Networks Unit 42 said. “Additionally, each of the malware strains accounted for at least 20 unique sightings of samples in the wild over the last year. This means that threat actors are actively using them.” The activities indicate that these malware families are highly likely to be used in future attacks aimed at cloud environments.
  • Microsoft Defender Flaw Disclosed — Cybersecurity researchers have detailed a now-patched security flaw in Microsoft Defender for Identity that allows an unauthorized attacker to perform spoofing over an adjacent network by taking advantage of an improper authentication bug. The vulnerability, tracked as CVE-2025-26685 (CVSS score: 6.5), was patched by Microsoft in May 2025. NetSPI, which discovered and reported the flaw, said the issue “abused the Lateral Movement Paths (LMPs) feature and allowed an unauthenticated attacker on the local network to coerce and capture the Net-NTLM hash of the associated Directory Service Account (DSA), under specific conditions.” Once the Net-NTLM hash is captured, it can be taken offline for password cracking using tools like Hashcat or exploited in conjunction with other vulnerabilities to elevate privileges to the DSA account and obtain a foothold in the Active Directory environment.
  • Apple Updates Passwords App with New Features — Apple has previewed new features in its Passwords app with iOS 26 and macOS 26 Tahoe that allow users to view the complete version history for stored logins, including the timestamps when a particular password was saved or changed. Another useful addition is the ability to import and export passkeys between participating credential manager apps across iOS, iPadOS, macOS, and visionOS 26. “This user-initiated process, secured by local authentication like Face ID, reduces the risk of credential leaks,” Apple said. “The transfer uses a standardized data schema developed by the FIDO Alliance, ensuring compatibility between apps.” A similar feature is already in the works for Google Password Manager. Last October, the FIDO Alliance unveiled the Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) to facilitate interoperability.
  • CyberEYE RAT Exposed — Cybersecurity researchers have shed light on the inner workings of CyberEYE RAT (aka TelegramRAT), a modular, .NET-based trojan that provides surveillance and data theft capabilities. Its various modules harvest browser history and passwords, Wi-Fi passwords, gaming profiles, files matching configured extensions, FileZilla FTP credentials, and session data from applications like Telegram and Discord. “Its use of Telegram for Command and Control (C2) eliminates the need for attackers to maintain their own infrastructure, making it more evasive and accessible,” CYFIRMA said. “The malware is deployed through a builder GUI that allows attackers to customize payloads by injecting credentials, modifying metadata, and bundling features such as keyloggers, file grabbers, clipboard hijackers, and persistence mechanisms.” The malware also acts as a clipper to redirect cryptocurrency transactions and employs defense evasion techniques by disabling Windows Defender through PowerShell and registry manipulations.
  • WhatsApp Joins Apple’s Encryption Fight With U.K. — Meta-owned WhatsApp said it’s backing Apple in its legal fight against the U.K. Home Office’s demands for backdoor access to encrypted iCloud data worldwide under the Investigatory Powers Act. The move, the company told BBC, “could set a dangerous precedent” by “emboldening” other nations to put forth similar requests to break encryption. In response to the government notice, Apple pulled the Advanced Data Protection (ADP) feature for iCloud from U.K. users’ devices and took legal action to appeal to the Investigatory Powers Tribunal to overturn the secret Technical Capability Notice (TCN) issued by the Home Office. In April 2025, the tribunal ruled the details of the legal row cannot be kept secret. The existence of the TCN was first reported by The Washington Post in January. Governments across the U.S., U.K., and the European Union (E.U.) have sought to push back against end-to-end encryption, arguing it enables criminals, terrorists, and sex offenders to conceal illicit activity. Europol, in its 2025 Internet Organised Crime Threat Assessment (IOCTA) released last week, said: “While encryption protects users’ privacy, the criminal abuse of end-to-end encrypted (E2EE) apps is increasingly hampering investigations. Cybercriminals hide behind anonymity while coordinating sales of stolen data, often with no visibility for investigators.”
  • DanaBot C2 Server Suffers From DanaBleed — Last month, a coordinated law enforcement operation felled DanaBot, a Delphi malware that allowed its operators to remotely commandeer the infected machines, steal data, and deliver additional payloads like ransomware. According to Zscaler ThreatLabz, a bug introduced in its C2 server in June 2022 inadvertently caused it to “leak snippets of its process memory in responses to infected victims,” giving more visibility into the malware. The leaked information included threat actor usernames, threat actor IP addresses, backend C2 server IP addresses and domains, infection and exfiltration statistics, malware version updates, private cryptographic keys, victim IP addresses, victim credentials, and other exfiltrated victim data. The June 2022 update introduced a new C2 protocol to exchange command data and responses. “The memory leak allowed up to 1,792 bytes per C2 server response to be exposed,” Zscaler said. “The content of the leaked data was arbitrary and depended on the code being executed and the data being manipulated in the C2 server process at a given time.”
  • Lures for OpenAI Sora and DeepSeek Lead to Malware — A bogus site impersonating DeepSeek (“deepseek-platform[.]com”) is distributing installers for a malware called BrowserVenom, a Windows implant that reconfigures Chromium- and Gecko-based browsing instances to force traffic through a proxy controlled by the threat actors by adding a hard-coded proxy server address. “This enables them to sniff sensitive data and monitor the victim’s browsing activity while decrypting their traffic,” Kaspersky said. The phishing sites are promoted in the search results via Google Ads when users search for “deepseek r1.” The installer is designed to run a PowerShell command that retrieves the malware from an external server. The attacks are characterized by the use of CAPTCHA challenges to ward off bots. To date, BrowserVenom has infected “multiple” computers across Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt. The disclosure comes as phony installers for OpenAI Sora have been found to distribute a Windows information stealer dubbed SoraAI.lnk that’s hosted on GitHub. The GitHub account hosting the malware is no longer accessible.
  • Cyber Partisans Targets Belarus and Russia — A Belarusian hacktivist group called Cyber Partisans has been observed targeting industrial enterprises and government agencies in Russia and Belarus with a backdoor known as Vasilek that uses Telegram for C2 and data exfiltration. The phishing attacks are notable for the deployment of another backdoor called DNSCat2 that enables attackers to remotely manage an infected system and a wiper referred to as Pryanik. “The first thing that draws attention is that the wiper acts as a logic bomb: its functionality is activated on a certain date and time,” Kaspersky said. Other tools used as part of the attacks include Gost for proxying and tunneling network traffic, and Evlx for removing events from Windows event logs. In a statement to Recorded Future News, the collective stated that Kaspersky’s attention to its operations may have stemmed from the fact that the attacks relied on the company’s products and had failed to prevent intrusions. “Such attacks make Kaspersky’s technologies appear outdated, and perhaps this is why they are trying to justify themselves or counter us with these publications,” the group was quoted as saying.
  • 2 ViLE Members Sentenced to Prison — The U.S. Department of Justice (DoJ) announced the sentencing of two members of the ViLE hacking group – Sagar Steven Singh, 21, and Nicholas Ceraolo, 27, – nearly a year after they pleaded guilty to aggravated identity theft and computer hacking crimes. Singh and Ceraolo have been sentenced to 27 and 25 months’ imprisonment respectively for conspiracy to commit computer intrusion and aggravated identity theft. “Singh and Ceraolo unlawfully used a law enforcement officer’s stolen password to access a nonpublic, password-protected web portal (the ‘Portal’) maintained by a U.S. federal law enforcement agency for the purpose of sharing intelligence with state and local law enforcement,” the DoJ said. “The defendants used their access to the Portal to extort their victims.” The sentencing came as five men pleaded guilty for their involvement in laundering more than $36.9 million from victims of an international digital asset investment scam conspiracy (aka romance baiting) that was carried out from scam centers in Cambodia. The defendants include Joseph Wong, 33, of Alhambra, California; Yicheng Zhang, 39, of China; Jose Somarriba, 55, of Los Angeles; Shengsheng He, 39, of La Puente, California; and Jingliang Su, 44, of China and Turkey. They are said to be “part of an international criminal network that induced U.S. victims, believing they were investing in digital assets, to transfer funds to accounts controlled by co-conspirators and that laundered victim money through U.S. shell companies, international bank accounts, and digital asset wallets.” So far, eight people have pleaded guilty to participating in the criminal scheme, counting Chinese nationals Daren Li and Yicheng Zhang.
  • Kimsuky Targets Facebook, email, and Telegram Users in South Korea — The North Korean-affiliated threat actor known as Kimsuky targeted Facebook, email, and Telegram users in its southern counterpart between March and April 2025 as part of a campaign codenamed Triple Combo. “The threat actor used an account named ‘Transitional Justice Mission’ to send friend requests and direct messages to multiple individuals involved in North Korea-related activities,” Genians said. “The attacker also hijacked another Facebook account for their operation.” Subsequently, the attackers attempted to approach the targets via email by using the email address obtained through Facebook Messenger conversations. Alternately, the Kimsuky actors leveraged the victims’ phone numbers to contact them again via Telegram. Regardless of the channel used, these trust-building exercises triggered a multi-stage infection sequence to deliver a known malware called AppleSeed.

🎥 Cybersecurity Webinars

  • AI Agents Are Leaking Data — Learn How to Fix It Fast ➝ AI tools often connect to platforms like Google Drive and SharePoint—but without the right settings, they can accidentally expose sensitive data. In this webinar, experts from Sentra will show simple, real-world ways these leaks happen and how to stop them. If you’re using AI in your business, don’t miss this fast, clear guide to securing it before something goes wrong.
  • They’re Faking Your Brand—Stop AI Impersonation Before It Spreads ➝ AI-driven attackers are mimicking brands, execs, and employees in real-time. Join this session to see how Doppel detects and blocks impersonation across email, social media, and deepfakes—before damage is done. Fast, adaptive protection for your reputation.

🔧 Cybersecurity Tools

  • CRADLE ➝ It is an open-source web platform built for cyber threat intelligence (CTI) analysts. It simplifies threat investigation workflows by enabling teams to collaborate in real-time, map relationships between threat actors and indicators, and generate detailed intelligence reports. Designed with modular architecture, CRADLE is easy to extend and runs locally using Docker for quick setup and testing.
  • Newtowner ➝ It is a security testing tool that helps identify weaknesses in network trust boundaries by simulating traffic from different global cloud providers and CI/CD environments. It allows you to detect misconfigurations—such as overly permissive access from specific data centers—by comparing HTTP responses from multiple sources like GitHub Actions, AWS, and EC2. This is especially useful in modern cloud setups where implicit trust between internal services can lead to serious security gaps.

Disclaimer: These newly released tools are for educational use only and haven’t been fully audited. Use at your own risk—review the code, test safely, and apply proper safeguards.

🔒 Tip of the Week

4 Hidden Ways You’re Tracked (and How to Fight Back) ➝ Most people know about cookies and ads, but companies now use sneaky technical tricks to track you—even if you’re using a VPN, private mode, or a hardened browser. One method gaining attention is localhost tracking: apps like Facebook and Instagram silently run a web server inside your phone. When you visit a website with hidden code, it can ping this server to see if the app is installed—leaking your activity back to the app, without your permission.

Another trick is port probing. Some websites scan your device to check if developer tools or apps are running on certain ports (like 3000 or 9222). This reveals what software you use or whether you’re running a specific company’s tool—leaking clues about your job, device, or activity. Sites may even detect browser extensions this way.

On mobile, some websites silently test if apps like Twitter, PayPal, or your banking app are installed by triggering invisible deep links. If the app opens or responds, they learn what apps you use. That’s often used for profiling or targeted phishing. Also, browser cache abuse (using things like ETags or service workers) can fingerprint your browser—even across private tabs—keeping you identifiable even when you think you’re clean.

How to protect yourself:

  • Uninstall apps you rarely use, especially ones from big platforms.
  • Use browsers like Firefox with uBlock Origin and enable “Block outsider intrusion into LAN.”
  • On mobile, use hardened browsers like Bromite or Firefox Focus, and block background data for apps using tools like NetGuard.
  • Clear browser storage often, and use temporary containers or incognito containers to isolate sessions.

These aren’t tinfoil hat ideas—they’re real-world methods used by major tech firms and trackers today. Staying private means going beyond ad blockers and learning how the web really works behind the scenes.
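
The localhost channel in the Meta/Yandex item and the port probing in this tip both leave an auditable trace: a public web page issuing requests to loopback or private addresses. As an added example (not from the original article or any vendor), this Node.js script scans a HAR-style capture for that pattern; the sample data, the assumption that each HAR page `title` holds the page URL, and the three-port probing threshold are illustrative.

```javascript
// Constructed HAR 1.2-style capture (not real traffic). Assumption: each
// page's "title" holds the URL of the page that issued the requests.
const SAMPLE_HAR = { log: {
  pages: [
    { id: 'p1', title: 'https://news.example/article' },
    { id: 'p2', title: 'https://shop.example/' },
    { id: 'p3', title: 'http://localhost:3000/dev' }, // developer's own local page
  ],
  entries: [
    { pageref: 'p1', request: { url: 'https://cdn.example/app.js' } },
    { pageref: 'p1', request: { url: 'http://127.0.0.1:40000/sync?c=abc' } },
    { pageref: 'p1', request: { url: 'ws://localhost:40000/' } },
    { pageref: 'p2', request: { url: 'http://127.0.0.1:3000/' } },
    { pageref: 'p2', request: { url: 'http://127.0.0.1:9222/json' } },
    { pageref: 'p2', request: { url: 'http://[::1]:8080/' } },
    { pageref: 'p2', request: { url: 'http://2130706433:5000/' } },         // decimal 127.0.0.1
    { pageref: 'p2', request: { url: 'http://[::ffff:127.0.0.1]:5432/' } }, // IPv4-mapped IPv6
    { pageref: 'p2', request: { url: 'http://192.168.1.1/' } },
    { pageref: 'p3', request: { url: 'http://localhost:3000/api' } },
  ],
} };

// Classify a hostname as produced by the WHATWG URL parser, which already
// normalises decimal/hex IPv4 spellings and compresses IPv6.
function classifyHost(hostname) {
  const h = hostname.replace(/^\[|\]$/g, '').toLowerCase();
  if (h === 'localhost' || h.endsWith('.localhost') || h === '::1') return 'loopback';
  let octets = null;
  const dotted = h.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
  const mapped = h.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (dotted) octets = dotted.slice(1).map(Number);
  if (mapped) {
    const hi = parseInt(mapped[1], 16), lo = parseInt(mapped[2], 16);
    octets = [hi >> 8, hi & 255, lo >> 8, lo & 255];
  }
  if (!octets) return null;
  const [a, b] = octets;
  // 0.0.0.0 is treated as loopback: Linux-based systems route it to the local host.
  if (a === 127 || octets.every((n) => n === 0)) return 'loopback';
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168) || (a === 169 && b === 254)) return 'private';
  return null;
}

const DEFAULT_PORT = { 'http:': '80', 'ws:': '80', 'https:': '443', 'wss:': '443' };
const PROBE_THRESHOLD = 3; // assumption: 3+ distinct loopback ports looks like probing

// Report every public page origin that contacted loopback or private hosts.
function findLocalProbes(har) {
  const pageUrl = new Map(har.log.pages.map((p) => [p.id, p.title]));
  const byOrigin = new Map();
  for (const entry of har.log.entries) {
    let page, target;
    try {
      page = new URL(pageUrl.get(entry.pageref));
      target = new URL(entry.request.url);
    } catch {
      continue; // malformed URL or unknown pageref: nothing to attribute
    }
    const kind = classifyHost(target.hostname);
    // Skip public targets, and skip pages that are themselves local
    // (a developer testing their own app is not cross-boundary access).
    if (!kind || classifyHost(page.hostname)) continue;
    const rec = byOrigin.get(page.origin) ??
      { origin: page.origin, ports: new Set(), hosts: new Set() };
    byOrigin.set(page.origin, rec);
    if (kind === 'loopback') {
      rec.ports.add(Number(target.port || DEFAULT_PORT[target.protocol]));
    } else {
      rec.hosts.add(target.hostname);
    }
  }
  return [...byOrigin.values()].map((r) => ({
    origin: r.origin,
    loopbackPorts: [...r.ports].sort((x, y) => x - y),
    privateHosts: [...r.hosts].sort(),
    verdict: r.ports.size >= PROBE_THRESHOLD ? 'port-probing'
      : r.ports.size > 0 ? 'local-channel' : 'lan-access',
  }));
}

console.log(JSON.stringify(findLocalProbes(SAMPLE_HAR), null, 2));
```

A page that keeps returning to one loopback port is reported as `local-channel` (the app-to-browser bridge pattern), while one that touches several ports is reported as `port-probing`.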

Conclusion

What goes undetected often isn’t invisible—it’s just misclassified, minimized, or misunderstood. Human error isn’t always a technical failure. Sometimes it’s a story we tell ourselves about what shouldn’t happen.

Review your recent alerts. Which ones were ignored because they didn’t “feel right” for the threat profile? The cost of dismissal is rising—especially when adversaries bank on it.
