Cybersecurity Brief – 2025-07-02
Major Incidents or Breaches
- Qantas disclosed a cyberattack involving unauthorised access to a third-party platform containing customer data.
- Kelly Benefits reported a 2024 data breach impacting 550,000 customers’ personal information.
- Esse Health notified over 263,000 patients of a breach in April that compromised personal and health information.
- Johnson Controls began notifying individuals affected by a 2023 ransomware attack that impacted global operations.
- The International Criminal Court is investigating a new “sophisticated” cyberattack on its systems.
Newly Discovered Vulnerabilities
- Google patched a Chrome zero-day vulnerability (CVE-2025-6554) that is being actively exploited in the wild, the fourth such Chrome zero-day addressed in 2025.
- Researchers identified a critical vulnerability in Anthropic’s Model Context Protocol (MCP) Inspector project, exposing developer machines to remote exploits.
- A new flaw in IDEs such as Visual Studio Code, Visual Studio, IntelliJ IDEA, and Cursor allows malicious extensions to bypass verified status, undermining extension security controls.
- A new FileFix attack has been observed that executes malicious JScript while bypassing Windows Mark of the Web (MoTW) protections by exploiting browser handling of saved HTML webpages.
Notable Threat Actor Activity
- Unknown threat actors are weaponizing Vercel’s v0 generative AI tool to rapidly create fake login pages for phishing at scale.
- Tactical overlaps have been observed between TA829 (linked to RomCom RAT) and the UNK_GreenSec cluster, including shared infrastructure and the use of a loader dubbed TransferLoader.
- The Silver Fox group is suspected of targeting Taiwanese entities using sideloading techniques to deliver Gh0stRAT variants, leveraging lures related to DeepSeek’s LLM.
- North Korean IT workers have infiltrated technology, manufacturing, and transportation sectors globally to steal funds and data, with the U.S. DoJ arresting a facilitator, seizing 29 domains, and disrupting 21 “laptop farms” across 16 states.
- The U.S. Treasury sanctioned Russian hosting provider Aeza Group and four operators for providing bulletproof hosting to ransomware and infostealer operators.
Trends, Tools, or Tactics of Interest
- Attackers are exploiting AI and generative tools (e.g., Vercel’s v0) to automate and scale phishing campaigns.
- Threat actors are increasingly targeting browsers through zero-day vulnerabilities and malicious extensions, highlighting browser security as an enterprise risk.
- FileFix attacks demonstrate continued evolution in bypassing Windows security features, specifically MoTW.
- Sideloading remains a prevalent technique for malware delivery, as seen in Silver Fox’s campaign.
- Concerns have been raised that large language models (LLMs) could be manipulated to surface phishing content, in the same way search results were abused through SEO poisoning.
- Cyber insurers have shifted assessment practices in response to the uptick in ransomware incidents, focusing on previously overlooked security weaknesses.
Regulatory or Policy Developments
- The U.S. Department of Justice and Treasury have taken coordinated action against North Korean cyber-enabled financial operations and Russian cybercrime infrastructure.
- The U.S. Senate has removed a ban on state-level AI regulations from a tax bill, allowing states to enact their own AI legislation in the absence of a federal framework.
- AT&T launched a “Wireless Lock” feature to help protect customers from SIM swapping attacks by restricting changes to account information and phone number porting.