⚡ Weekly Recap: Chrome 0-Day, Ivanti Exploits, MacOS Stealers, Crypto Heists and More

News Room · Published 7 July 2025 · Last updated 2025/07/07 at 8:31 AM

Jul 07, 2025Ravie LakshmananCybersecurity / Hacking

Everything feels secure—until one small thing slips through. Even strong systems can break if a simple check is missed or a trusted tool is misused. Most threats don’t start with alarms—they sneak in through the little things we overlook. A tiny bug, a reused password, a quiet connection—that’s all it takes.

Staying safe isn’t just about reacting fast. It’s about catching these early signs before they blow up into real problems. That’s why this week’s updates matter. From stealthy tactics to unexpected entry points, the stories ahead reveal how quickly risk can spread—and what smart teams are doing to stay ahead. Dive in.

⚡ Threat of the Week

U.S. Disrupts N. Korea IT Worker Scheme — Prosecutors said they uncovered North Korean IT staff working at over 100 U.S. companies under fictitious or stolen identities, not only drawing salaries but also stealing secret data and, in one incident targeting an unnamed blockchain company in Atlanta, plundering more than $900,000 in virtual currency. The actions are the latest steps to stop the scheme, which has seen North Korea earn millions through thousands of people who use fake identities to get hired as IT workers at companies based in the West and other parts of the world. Authorities conducted 21 searches across 14 states last month, adding to searches that were conducted at eight locations in October 2024 spanning three states. In at least one case, North Korean IT workers gained access to “sensitive employer data and source code, including International Traffic in Arms Regulations (ITAR) data,” after they were hired by a California-based defense contractor that develops artificial intelligence-powered equipment and technologies, the Justice Department said. In all, the coordinated action led to the arrest of one individual and the seizure of 21 web domains, 29 financial accounts used to launder tens of thousands of dollars, and nearly 200 laptops and remote access devices, including KVMs. The U.S. State Department is offering rewards of up to $5 million for information leading to the “disruption of financial mechanisms of persons engaged in certain activities that support North Korea.” The actions reveal that the North Koreans didn’t merely falsify IDs to insinuate themselves into Western tech firms, but also allegedly stole the identities of “more than 80 U.S. persons” to impersonate them in jobs at more than 100 U.S. companies and funnel money to the Kim regime.

🔔 Top News

  • Chinese Threat Actor Targets French Orgs Using Ivanti Flaws — A China-linked intrusion set known as Houken targeted a number of entities spanning governmental, telecommunications, media, finance, and transport sectors in France in early September 2024 using three vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices as zero-days. The attacks have been observed paving the way for PHP web shells, deploying a kernel rootkit, and even attempting to patch the vulnerabilities, likely to prevent exploitation by other unrelated actors. It’s suspected that Houken is an initial access broker that obtains a foothold into target networks, and passes on that access to other threat actors for follow-on post-exploitation activities.
  • New Chrome 0-Day Exploited in the Wild — Google released security updates to address a type confusion flaw in its Chrome web browser that it said has been exploited in the wild. The exact nature of the attacks is presently not known, although it’s believed to have been deployed as part of highly-targeted attacks due to the fact that it was discovered by Google’s Threat Analysis Group (TAG), which specializes in detecting government-backed attacks. It has been patched in versions 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for macOS, and 138.0.7204.96 for Linux.
  • U.S. Sanctions Russian Bulletproof Hosting Provider Aeza — The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned Russia-based bulletproof hosting (BPH) service provider Aeza Group for providing the infrastructure that enabled threat actors to deliver stealer malware and ransomware like BianLian, RedLine, Meduza, and Lumma, as well as host illicit drugs marketplace on the dark web. In addition, three of the company’s subsidiaries and four main individuals linked to it have been sanctioned. This includes Aeza Group’s CEO Arsenii Aleksandrovich Penzev, general director Yurii Meruzhanovich Bozoyan, technical director Vladimir Vyacheslavovich Gast, and Igor Anatolyevich Knyazev.
  • NightEagle Targets Chinese AI and Military Sectors — A previously undocumented threat actor known as NightEagle has been observed leveraging a zero-day exploit chain in Microsoft Exchange to deliver the Go-based Chisel utility and steal mailbox data from compromised accounts. The threat actor, believed to be active since 2023, has targeted high-tech, semiconductor, quantum technology, artificial intelligence, and military verticals in China, QiAnXin’s RedDrip Team said. The disclosure comes close on the heels of another spear-phishing campaign dubbed DRAGONCLONE that has singled out Chinese telecom companies to propagate VELETRIX and VShell. The phishing emails, per Seqrite Labs, contain a malicious ZIP archive that includes legitimate binaries and malicious DLL files, which are then executed via DLL side-loading to launch the VELETRIX loader. The malware is designed to load shellcode for VShell, an adversary simulation framework, directly in memory. The use of VShell is notable because it has been widely adopted by various Chinese hacking groups to target organizations in the West. Seqrite Labs said the activity shares behavioral similarities with Earth Lamia and UNC5174, indicating that the campaign is likely the work of a China-nexus group.
  • North Korea Targets Crypto Businesses with Nim Malware — North Korean threat actors tracked as BlueNoroff are deploying novel techniques to infect crypto businesses with macOS malware designed to steal credentials from web browsers, iCloud Keychain data, and Telegram application information. The attacks impersonate a victim’s trusted contact to invite them over Telegram and lure employees at Web3 and crypto-related organizations into installing Nim-compiled macOS malware via fake Zoom software updates under the pretext of setting up a meeting. The bogus updates are designed to run AppleScript payloads, which are then used to deliver two Mach-O binaries in order to set off two independent execution chains. One leads to the execution of scripts to harvest data, while the other, compiled from Nim source code, is used to set up persistence on the host. Together, the two components facilitate data exfiltration and persistence.

This week’s list includes — CVE-2025-32462, CVE-2025-32463 (Sudo), CVE-2025-20309 (Cisco Unified CM and Unified CM SME), CVE-2025-49596 (Anthropic MCP Inspector), CVE-2025-6554 (Google Chrome), CVE-2025-5622, CVE-2025-5623, CVE-2025-5624, CVE-2025-5630 (D-Link DIR-816 routers), CVE-2025-49151, CVE-2025-49152, CVE-2025-49153 (Microsens NMP Web+), CVE-2025-6463 (Forminator plugin), CVE-2025-36630 (Tenable Nessus), CVE-2025-52891 (ModSecurity Web Application Firewall), CVE-2025-48927, CVE-2025-48928 (TeleMessage TM SGNL), CVE-2024-58248 (nopCommerce), CVE-2025-32897 (Apache Seata), CVE-2025-47812 (Wing FTP), CVE-2025-4404 (FreeIPA), CVE-2025-5959, CVE-2025-6554, CVE-2025-6191, and CVE-2025-6192 (Grafana), CVE-2025-34067 (Hikvision Integrated Security Management Platform), CVE-2025-1735, CVE-2025-6491 (PHP), CVE-2025-53367 (DjVuLibre), and CVE-2025-49826 (Next.js).

📰 Around the Cyber World

  • Apple and Google App Stores Offer China-linked VPN Apps — Both Apple’s and Google’s online stores offer free virtual private network (VPN) apps that have undisclosed ties to Chinese companies, likely posing a privacy risk. Thirteen VPN apps on Apple’s App Store and 11 apps on Google’s Play Store (seven common to both) have ties to Chinese companies, the Tech Transparency Project said. “VPNs are of particular concern because anyone using a VPN has the entirety of their online activity routed through that application,” Katie Paul, the TTP’s director, told NBC News. “When it comes to Chinese-owned VPNs, that means this data can be turned over to the Chinese government based on China’s state laws.”
  • Scattered Spider Uses Teleport for Persistence — The notorious cybercrime group known as Scattered Spider has leveraged a novel persistence mechanism that involves the use of Teleport, an infrastructure access platform not previously associated with the threat actor. The findings demonstrate how bad actors are weaponizing legitimate administrative tools to maintain persistent access to compromised networks. “After obtaining admin-level cloud access, the attacker installed a Teleport agent on compromised Amazon EC2 servers to establish a persistent remote command-and-control (C2) channel,” Rapid7 said. “Teleport is a legitimate open-source tool for managing remote infrastructure, but here it was co-opted for malicious purposes. This effectively gave the attacker persistent remote shell access to those cloud servers even if their initial user credentials or VPN access were revoked. The use of Teleport indicates Scattered Spider’s adaptability in using new tools for persistence and command-and-control. By using standard administrative software, they reduce the chance of detection by security tools that might flag custom malware.”
  • Linux Servers Targeted by Crypto Miners — Improperly secured Linux servers, especially weak SSH credentials, are being targeted by threat actors to drop cryptocurrency miners and rope them into DDoS botnets. The attacks also lead to the deployment of proxy tools like TinyProxy or Sing-box, as well as allow a threat actor to establish persistence on the hosts. “Attackers can use the infected system as a proxy to conceal themselves in another attack case or sell access rights to the proxy node for criminal profit,” AhnLab said. Another set of attacks has singled out MySQL servers to deliver Gh0st RAT variants, and other payloads like AsyncRAT, Ddostf DDoS botnet, XWorm, HpLoader, and even the legitimate remote control tool Zoho ManageEngine. XWorm has emerged as one of the most versatile and widely distributed remote access trojans in the current threat landscape, exhibiting remarkable adaptability in its delivery mechanisms and establishing itself as a formidable tool in cybercriminals’ toolbox. Recent attacks mounted by a China-linked threat actor have employed trojanized MSI installers posing as WhatsApp to deliver the trojan in attacks targeting users in East and Southeast Asia. “The attack chain involves encrypted shellcode embedded in image files, PowerShell scripts for persistence via scheduled tasks and shellcode loaders,” Broadcom said. “The final payload is a modified XWorm RAT enhanced with functions to detect Telegram installations and report infected systems via Telegram-based mechanisms.”
  • Iran IRGC’s Intelligence Group 13 Detailed — The DomainTools Investigations (DTI) team has shed light on a shadowy entity called Intelligence Group 13, a covert cyber strike unit that functions under Iran’s Islamic Revolutionary Guard Corps (IRGC) to facilitate cyber espionage, industrial sabotage, and psychological warfare. Embedded within the Shahid Kaveh Cyber Group, Intelligence Group 13 powers Cyber Av3ngers, a pro-Iranian group that has been attributed to attacks targeting water authorities and SCADA systems in Israel and the U.S. “Whether through direct disruption, pre-positioned malware activation, or narrative defacement and psychological intimidation, the group’s capabilities make it a prime tool for hybrid response, combining deniable technical aggression with symbolic messaging designed to project defiance and psychological impact,” DTI said.
  • Open VSX Used to Distribute Malicious VS Code Extensions — Almost 200,000 developers have downloaded two malicious VSCode extensions from the Open VSX Registry. The extensions, both named Solidity Language, scan for existing ConnectWise ScreenConnect remote desktop software, and if present, download and install a malicious version from an attacker-controlled server. The extensions have since been removed from the marketplace. The findings once again illustrate that openness doesn’t necessarily equate to safety. “The very openness that makes Open VSX appealing also introduces risks that the more curated VS Code Marketplace helps mitigate,” Secure Annex’s John Tuckner said.
  • New Campaign Distributes Masslogger Malware — Encoded Visual Basic Script (VBE) files likely distributed via phishing emails are being used to deliver a sophisticated variant of Masslogger, a stealer malware that can harvest login details from the Chrome browser, log keystrokes, capture clipboard content, and upload files to a remote server. “Initially, the variant appeared to be a typical script-based threat, but upon deeper analysis, it turned out to be a multi-stage fileless malware that heavily relies on Windows Registry to store and execute its malicious payload,” Seqrite Labs said.
  • Western Companies Fail to Take Action on Funnull — Back in May 2025, the U.S. Treasury Department sanctioned Philippines-based Funnull for providing infrastructure to conduct romance baiting scams and for carrying out a supply chain attack on the widely-used Polyfill[.]io JavaScript library. However, a new analysis from Silent Push and cybersecurity journalist Brian Krebs found that many U.S. tech companies still host accounts associated with Funnull’s administrator Liu “Steve” Lizhi, including X, GitHub, LinkedIn, Facebook, Google Groups, Medium, PayPal, WordPress, Hugging Face, Gravatar, Vercel, and Flickr, among others. The Facebook, GitHub, LinkedIn, and PayPal profiles have been suspended or taken down.
  • Russia Jails Man to 16 Years Over Pro-Ukrainian Cyber Attacks — Russia has sentenced a man to 16 years in a high-security prison for launching distributed denial-of-service (DDoS) attacks against critical infrastructure in the country. Andrei Smirnov was arrested in 2023 in the Siberian city of Belovo and charged with treason. Russian officials said Smirnov joined Ukraine’s “cyber troops” and launched the attacks at the behest of Ukrainian intelligence services.
  • FileFix Gets an Upgrade — Security researcher mrd0x has detailed a variant of FileFix, itself a spin on the popular ClickFix social engineering tactic, that enables the execution of malicious scripts while bypassing the Mark-of-the-Web (MotW) protections in Windows by taking advantage of how web browsers handle saved HTML web pages. “When an HTML page is saved using Ctrl + S or Right-click > ‘Save as’ and either ‘Webpage, Single File’ or ‘Webpage, Complete’ types were selected, then the file downloaded does not have MotW,” the researcher said. “Furthermore, this behaviour only applies if the webpage being saved has a MIME type of text/html or application/xhtml+xml.” The new attack essentially seeks to trick users into saving an HTML page (using Ctrl + S) and renaming it to an HTML Application (HTA) file, causing it to auto-execute the commands embedded in its JavaScript when launched. In a possible attack scenario, an adversary could design a bogus web page that prompts users to save backup multi-factor authentication (MFA) codes by pressing Ctrl + S and naming the file “MfaBackupCodes2025.hta.” The victim is then instructed to open the HTA file to ensure that the codes are stored properly. “The easiest way to prevent this technique from working is to remove mshta.exe from being able to run HTA files,” the researcher pointed out. “This is a good solution unless someone is able to utilize this technique with other file types.”
  • Keymous+, a Front for EliteStress? — A hacktivist group known as Keymous+ has emerged as a key player in the cyber landscape, claiming responsibility for over 700 Distributed Denial of Service (DDoS) attacks in 2025 alone. The group, according to Radware, claims it’s made up of “North African hackers,” and their victim list spans government websites, telecom providers in France and India, financial platforms in Morocco and the U.A.E., educational institutions in Denmark, and manufacturing infrastructure in Israel. This seemingly random selection of targets, devoid of a clear ideological agenda or enemies, sets it apart from traditional hacktivist groups. What’s more, the activity appears to be a marketing persona for a DDoS-for-hire service known as EliteStress. The discovery shows Keymous+ likely straddling the boundary between hacktivism and commercial aspirations. It also highlights a new breed of threat actors whose motives are opaque and increasingly driven by profit, offering tools of disruption at the click of a button. The development comes as Intel 471 said it identified two new pro-Kremlin hacktivist groups named TwoNet and the IT Army of Russia. Both are mainly involved in DDoS attacks and surfaced earlier this year, but the latter has also been found recruiting insiders in Ukrainian critical infrastructure organizations.
  • Abuse of .es TLD Surges 19x — Malicious campaigns launched from .es domains have witnessed a 19x increase from Q4 2024 to Q1 2025, making it the third most common TLD, behind .com and .ru. “This increase applies to both first-stage URLs (links embedded in emails or attachments) and second-stage URLs (sites visited after the embedded URLs),” Cofense said. “These second-stage URLs typically host credential phishing pages or exfiltrate information. It is these second-stage URLs that have seen the greatest increase in .es TLD abuse.” As of May, 1,373 sub-domains hosted malicious web pages on 447 .es base domains. An interesting finding is that 99 percent of them were hosted on Cloudflare, and most of the phishing pages used a Cloudflare Turnstile CAPTCHA. “While Cloudflare has recently made deploying a web page quick and easy via command line with pages hosted on [.]pages[.]dev, it is unclear whether their recent move to making domains hosted by them easy to deploy has attracted threat actors to their hosting services across different platforms or if there are other reasons, such as how strict or lenient Cloudflare is with abuse complaints,” the company said.
  • Rise of Malicious LNK Files — The weaponization of Windows shortcut (LNK) files for malware distribution has increased by 50%, according to telemetry data gathered by Palo Alto Networks Unit 42, with malicious samples rising from 21,098 in 2023 to 68,392 in 2024. “The flexibility of LNK files makes them a powerful tool for attackers, as they can both execute malicious content and masquerade as legitimate files to deceive victims into unintentionally launching malware,” Unit 42 researchers said.
  [Figure: Percentages of system targets for malicious file execution]
  • FBI Investigates Ransomware Negotiator for Extortion Kickbacks — The U.S. Federal Bureau of Investigation (FBI) is probing a former employee of security firm DigitalMint for allegedly taking a cut from ransomware payments. According to Bloomberg, the employee is said to have assisted the company’s customers in negotiating ransoms during ransomware attacks. But unknown to them, the employee had secret deals with ransomware gangs to take a slice of the ransom the companies ended up paying. DigitalMint said it fired the employee as soon as it heard of the investigation and started notifying its customers.
  • Cloudflare Open-Sources Orange Meets — Cloudflare has implemented end-to-end encryption (E2EE) to its video calling app Orange Meets and open-sourced the solution for transparency. The web infrastructure company said the solution is powered by Selective Forwarding Units (SFUs) and uses Messaging Layer Security (MLS) to establish end-to-end encryption for group communication. “To do so, we built a WASM (compiled from Rust) service worker that sets up an MLS group and does stream encryption and decryption, and designed a new joining protocol for groups, called the designated committer algorithm, and formally modeled it in TLA+,” Cloudflare said.
  • Russia to Build Database of Known Scammers — The Russian government has announced plans to build a database of known telephone scammers that will include voice samples, phone numbers, and caller IDs. Once the service launches on April 1, 2026, mobile operators in the country are expected to show scam warnings on phone screens for calls coming from known scam numbers. The voice recordings will be shared with law enforcement for possible investigations.
  • C4 Bomb to Bypass App-Bound Encryption in Google Chrome — Last year, Google introduced a new security measure called app-bound encryption to prevent information-stealing malware from grabbing cookies on Windows systems. While stealers have since found ways to defeat this guardrail, CyberArk has detailed another method dubbed C4 (short for Chrome Cookie Cipher Cracker) Attack, which makes it possible to decrypt the cookies as a low-privileged user. “Furthermore, this technique also allowed us to abuse Google’s new security feature to attack Windows machines and access data that should typically only be available to the privileged SYSTEM user,” security researcher Ari Novick said. The technique essentially employs a padding oracle attack to brute-force the encryption and bypass the SYSTEM-DPAPI, recovering the cookie key. Following responsible disclosure in December 2024, Google has put in place a “partial solution” to remediate the padding oracle attack. But it’s disabled by default.
  • Exploit Attempts Target Apache Tomcat and Camel Flaws — Malicious actors are probing for servers running vulnerable versions of Apache Tomcat and Camel that are unpatched against CVE-2025-24813, CVE-2025-27636, and CVE-2025-29891 to achieve remote code execution. Palo Alto Networks said it blocked 125,856 probes/scans/exploit attempts originating from more than 70 countries related to these vulnerabilities in March 2025.
  • Let’s Encrypt Begins Issuing Certificates for IP Addresses — This month, Let’s Encrypt began issuing certificates for IP addresses. These certificates are short-lived and valid for only six days – a trend pointing to declining certificate lifespans. Potential scenarios where one might need an IP address certificate include serving a default page for hosting providers, accessing a website without a domain name, securing DNS over HTTPS (DoH) services, protecting network-attached storage servers, and safeguarding ephemeral connections within cloud hosting infrastructure.
  • Google Open-Sources Privacy Tech for Age Verification — As online services increasingly introduce age verification barriers, Google has open-sourced its Zero-Knowledge Proof (ZKP) libraries to help people verify their age without giving up sensitive information. “In layperson’s terms, ZKP makes it possible for people to prove that something about them is true without exchanging any other data,” Google said. “So, for example, a person visiting a website can verifiably prove he or she is over 18, without sharing anything else at all.” The ZKP library, called Longfellow ZK, is currently being vetted by independent academic and industry experts. The results of the reviews are expected to be available by August 1, 2025.
  • Apple Adds ML-KEM to iOS and macOS 26 — Speaking of cryptographic solutions, Apple is adding post-quantum cryptography support to its operating systems. The upcoming versions of iOS, iPadOS, macOS, and visionOS will support the FIPS 203 (aka ML-KEM) cryptography algorithm by means of a hybrid, quantum-secure key exchange. “The ClientHello message from iOS 26, iPadOS 26, macOS Tahoe 26 and visionOS 26 devices will include X25519MLKEM768 in the supported_groups extension, along with a corresponding key share in the key_share extension,” Apple said. “Servers can select X25519MLKEM768 if they support it, or use another group advertised in the ClientHello message.”
  • Spain Arrests 2 for Leaking Personal Data of Government Officials — Spanish police arrested a 19-year-old computer science student and an accomplice for allegedly leaking the personal data of senior government officials and journalists. The main suspect, identified as Yoel OQ, was detained at his parents’ home on the island of Gran Canaria. His alleged accomplice, Cristian Ezequiel SM, was also arrested, according to local media citing law enforcement sources. The duo has been described as a “serious threat to national security.”
  • AT&T Launches Wireless Account Lock to Prevent SIM Swapping Attacks — U.S. mobile carrier AT&T has launched a new feature to lock accounts and prevent SIM swapping attacks. Wireless Account Lock can be enabled exclusively via AT&T’s myAT&T app. Once enabled, it blocks any changes to a customer’s billing details or wireless number transfers until it’s disabled again. Similar features already exist on other carriers like T-Mobile, Verizon, and Google Fi. “The lock forces an extra step before important account changes can be made. It prevents anyone from buying a device on the account, for example, or conducting a SIM swap – moving a phone number to a SIM in a different device,” AT&T said.
  • Pakistani Freelancers Behind Websites That Deploy Stealers — A group of Pakistani freelance web developers is behind a network of more than 300 websites advertising cracked software that infects users with information-stealing malware, per Intrinsec. It’s believed that these websites have been built for a third party and that the group incorporates search engine optimization techniques and Google Ads to maximize visibility and victim engagement. “Additionally, little can be done to prosecute Pakistani individuals behind these malicious activities as there is no extradition treaty between the US and Pakistan,” the company said. “Servers and domains can be seized but it is only a temporary measure until new ones are rebuilt.” The development coincides with the emergence of new stealer variants like Amatera Stealer (ACR Stealer) and Odyssey Stealer (Poseidon Stealer), becoming the latest entrants in a crowded field of infostealer malware.
  • Spain Detains 21 Suspects in Connection with Investment Scam — Spanish authorities have detained 21 suspects on charges of running an investment scam ring. The group operated call centers in Barcelona and used social media ads to promote fake investment platforms and trick hundreds of victims across the country into investing their funds in them, netting the gang over €10 million ($11.8 million). In late June 2025, U.S. authorities extradited a Ghanaian national, Joseph Kwadwo Badu Boateng, to face charges related to a romance and inheritance scheme targeting the elderly from 2013 through March 2023. Last week, a 41-year-old Nigerian man named Ehis Lawrence Akhimie pleaded guilty on similar charges in a separate case. “Akhimie admitted to defrauding over $6 million from more than 400 victims, many of whom were elderly or otherwise vulnerable,” the U.S. Justice Department said.
  • Chinese Student Sentenced to Prison in U.K. for Smishing Campaign — Ruichen Xiong, a student from China, has been sentenced in a London court for operating an SMS Blaster to conduct a mass smishing campaign against victims with an aim to harvest their personal details between March 22 and 27, 2025. “The equipment was programmed to send out SMS messages to victims within a nearby radius of the blaster, designed to look like trustworthy messages from genuine organisations, such as government bodies, where the victim was encouraged to click a link,” British trade association UK Finance said. “The link would subsequently take them to a malicious site that was designed to harvest their personal details.”
  • Microsoft Takes Steps Against Email Bombing and File System Redirection Attacks — Microsoft revealed that it’s rolling out an email bombing protection feature by default in Exchange Online Protection and Microsoft Defender for Office 365 plans to counter the risks posed by attacks that seek to flood target inboxes with thousands of messages by subscribing their email addresses to a large number of legitimate newsletter and subscription services. “By intelligently tracking message volumes across different sources and time intervals, this new detection leverages historical patterns of the sender and signals related to spam content. It prevents mail bombs from being dropped into the user’s inbox and the messages are rather sent to the Junk folder (of Outlook),” Microsoft said. Separately, the tech giant has also detailed a new mitigation called RedirectionGuard that it has put in place in Windows 11 to mitigate file system redirection attacks.
  • Hunters International Shuts Down — In an unusual turn of events, the Hunters International ransomware operation has shut down and promised to release free decryption keys for all past victims. The group announced the shutdown in a message posted on its dark web leak site on July 3, 2025. “After careful consideration and in light of recent developments, we have decided to close the Hunters International project,” the gang wrote on its darknet extortion site. It did not elaborate on what these “recent developments” were. The operation launched in November 2023 and was a rebrand of the Hive ransomware, which had its infrastructure seized earlier that year. The demise of Hunters International is not surprising, given that a report from Group-IB earlier this year found that the group had already rebranded again and launched an extortion-only operation known as World Leaks. Despite these claims, French security firm Lexfo said it identified World Leaks victims that had ransomware deployed on their network before being extorted. According to DataBreaches.net, World Leaks is operated by individuals previously associated with Hunters International. World Leaks has also claimed that they are no longer in touch with Hunters International. However, Group-IB said the shutdown is “designed to control the narrative and delay attribution.”

🎥 Cybersecurity Webinars

  • The Future of Logins: AI, Trust, and Privacy Collide – Users are rejecting creepy AI and demanding frictionless logins—and the stakes have never been higher. This webinar reveals exclusive findings from the Auth0 2025 Trends Report, exposing how identity threats are evolving and how leading teams are designing trust-first login flows that users love. If you’re still relying on outdated UX patterns or ignoring privacy shifts, you’re already falling behind.
  • Your Pip Install Might Be Malware—Here’s How to Fix It – Pip install isn’t just risky—it’s dangerous. Repojacking, fake packages, and infected containers are quietly poisoning thousands of apps. This isn’t a theory—it’s happening right now. Join top security experts to uncover how the Python ecosystem is being attacked, what tools like Sigstore and SLSA actually do, and the real steps you need to secure your builds before it’s too late.

🔧 Cybersecurity Tools

  • Cloudflare’s Orange Meets – A fully end-to-end encrypted video calling app that runs entirely on the client side—no changes needed to the server or SFU. Built with WebRTC, Rust, and Messaging Layer Security (MLS), it supports secure group calls with real-time key rotation and formally verified joining logic. It’s open source, scalable, and ready to use or customize.
  • Octelium – A free, open source, self-hosted platform for secure, zero trust access to internal and cloud resources. It replaces VPNs, tunnels, and gateways with identity-based, secret-less access and fine-grained, policy-driven control. Built on Kubernetes, it supports both client and browser-based access, and works for apps, APIs, SSH, databases, and more—without exposing your infrastructure.

Disclaimer: These newly released tools are for educational use only and haven’t been fully audited. Use at your own risk—review the code, test safely, and apply proper safeguards.

🔒 Tip of the Week

Shrink Your Attack Surface with Smart Defaults – Many cyberattacks begin by leveraging legitimate Windows features that are rarely needed by most users or environments. Office macros, Windows Script Host, legacy protocols like LLMNR and NetBIOS over TCP/IP, and background COM script interfaces are common culprits. But even more obscure surfaces—such as ActiveX controls, Component Object Model elevation paths, or exposed DCOM/RPC endpoints—can be entry points for lateral movement and privilege escalation.

Beyond basic hardening, consider advanced techniques like disabling Win32 optional features via “DISM /Online /Disable-Feature,” disabling legacy input/output subsystems (like 16-bit support via NtVDM), or auditing unexpected network listeners using “netstat -abno” and “Sysinternals TCPView.” Apply Software Restriction Policies (SRP) or AppLocker to block execution from temp directories, USB drives, and user profile folders. Harden PowerShell with Constrained Language Mode and enable AMSI logging to catch script obfuscation attempts.

For users who want safe defaults without diving into the registry or GPO, Hardentools offers a well-balanced baseline. It disables commonly exploited scripting engines, Office macro execution, and certain Windows Explorer behaviors with a single click. But to go further, pair it with community scripts like “Attack Surface Analyzer” (by Microsoft) or tools like O&O ShutUp10++ to disable telemetry and reduce exposure to cloud-connected attack vectors.

The more obscure the vector, the less likely defenders are monitoring it—but that’s exactly why attackers love it. Effective attack surface reduction is not just about minimizing visible services; it’s about knowing what’s silently enabled and ensuring it’s needed. This week, go beyond basic macro blocking—review what’s running under the hood and shut down the silent risks.
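To make the "review what’s running under the hood" step concrete, here is an added read-only audit script (written for this recap, not from any of the tools or vendors mentioned above). It reports the state of the surfaces the tip lists: Windows Script Host, LLMNR, NetBIOS over TCP/IP, risky optional features, listening TCP ports with their owning process, PowerShell language mode and script block logging, and whether any AppLocker rules are in effect. The registry paths and feature names are the documented Windows ones; the labels, the list of "risky" features and the expected states are this script’s own choices. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the article): read-only attack-surface audit for a Windows host.
# It reports, but does not change, the settings the tip discusses. Run elevated.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Area, [string]$Item, [string]$State, [string]$Note) {
    $findings.Add([pscustomobject]@{ Area = $Area; Item = $Item; State = $State; Note = $Note })
}

# 1. Windows Script Host: Enabled = 0 under this key disables wscript/cscript for all users.
$wsh = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' `
                        -Name Enabled -ErrorAction SilentlyContinue
$wshState = if ($null -ne $wsh -and $wsh.Enabled -eq 0) { 'disabled' } else { 'ENABLED (default)' }
Add-Finding 'Scripting' 'Windows Script Host' $wshState 'Set Enabled=0 via GPO/registry if unused'

# 2. LLMNR: EnableMulticast = 0 under the DNSClient policy key turns multicast name resolution off.
$llmnr = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
                          -Name EnableMulticast -ErrorAction SilentlyContinue
$llmnrState = if ($null -ne $llmnr -and $llmnr.EnableMulticast -eq 0) { 'disabled' } else { 'ENABLED (default)' }
Add-Finding 'Network' 'LLMNR' $llmnrState 'Policy: Turn off multicast name resolution'

# 3. NetBIOS over TCP/IP per adapter: TcpipNetbiosOptions 2 = disabled, 1 = enabled, 0 = via DHCP.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    $s = switch ($_.TcpipNetbiosOptions) { 2 { 'disabled' } 1 { 'ENABLED' } default { 'DHCP-controlled' } }
    Add-Finding 'Network' "NetBIOS on $($_.Description)" $s 'Set to Disabled unless legacy SMB/WINS is needed'
}

# 4. Optional features that widen the surface (DISM feature names; this list is our own choice).
#    NTVDM (16-bit support) only exists as a feature on 32-bit editions, so it is simply absent elsewhere.
$riskyFeatures = 'SMB1Protocol', 'MicrosoftWindowsPowerShellV2Root', 'TelnetClient', 'NTVDM'
foreach ($f in Get-WindowsOptionalFeature -Online | Where-Object { $riskyFeatures -contains $_.FeatureName }) {
    Add-Finding 'Features' $f.FeatureName $f.State 'Disable with DISM /Online /Disable-Feature /FeatureName:<name>'
}

# 5. TCP ports listening on all interfaces, with the owning process (the netstat -abno view).
Get-NetTCPConnection -State Listen | Where-Object { $_.LocalAddress -in '0.0.0.0', '::' } |
    Sort-Object LocalPort -Unique | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        Add-Finding 'Listeners' "TCP $($_.LocalPort)" 'listening' `
            ("owner: {0} (PID {1})" -f $proc.ProcessName, $_.OwningProcess)
    }

# 6. PowerShell hardening: language mode of this session and the script block logging policy.
Add-Finding 'PowerShell' 'LanguageMode' $ExecutionContext.SessionState.LanguageMode `
    'Expect ConstrainedLanguage for standard users'
$sbl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
                        -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
$sblState = if ($null -ne $sbl -and $sbl.EnableScriptBlockLogging -eq 1) { 'enabled' } else { 'NOT ENABLED' }
Add-Finding 'PowerShell' 'ScriptBlockLogging' $sblState 'Logs de-obfuscated script blocks to event ID 4104'

# 7. AppLocker: is any effective rule set applied to this machine?
$al = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
$alState = if ($al -and $al.RuleCollections.Count -gt 0) { 'rules present' } else { 'NO RULES' }
Add-Finding 'Execution' 'AppLocker' $alState 'Block execution from temp, USB and profile folders'

# Print the report; anything in upper case is a surface left at its permissive default.
$findings | Sort-Object Area, Item | Format-Table -AutoSize
```

The script only reads state, so it is safe to run on a production host before deciding what to turn off; re-run it after applying the DISM, GPO or AppLocker changes the tip describes to confirm each item actually moved to its hardened state.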

Conclusion

It’s one thing to defend against outside attackers—it’s another when the risk is already inside. This week’s revelations about stolen identities, fake hires, and silent access show how trust can be turned into a weapon.

The takeaway is clear: identity isn’t just a login—it’s a security boundary. And when that fails, everything behind it is at risk.
