Major Incidents or Breaches

  • Ingram Micro, a major IT distributor, experienced a ransomware attack causing widespread outages and disruption to customer ordering and services. The company is working to restore systems; details on data theft remain undisclosed.
  • Qantas confirmed it is being extorted by threat actors following a cyberattack that potentially exposed the data of 6 million customers.
  • Hackers stole nearly $140 million from six Brazilian banks by using credentials purchased from a C&M employee for $920.
  • The International Criminal Court (ICC) disclosed a sophisticated cyberattack in its latest threat intelligence report.
  • The PC version of Call of Duty: WWII was taken offline after reports of gamers being hacked.
  • Several Russian industrial enterprises were targeted in a phishing campaign delivering the newly discovered Batavia spyware, which exfiltrates sensitive data from corporate devices.

Newly Discovered Vulnerabilities

  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added four critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation.
  • Researchers released proof-of-concept exploits for CVE-2025-5777 (“CitrixBleed2”), a critical and easily exploitable Citrix NetScaler vulnerability; the exploit code is now publicly available.
  • Grafana patched multiple Chromium bugs, including CVE-2025-6554, a zero-day vulnerability exploited in the wild that could allow remote code execution and memory corruption.

Notable Threat Actor Activity

  • A Chinese national allegedly linked to the Silk Typhoon (APT41) group was arrested in Milan for cyberespionage activities targeting American organizations.
  • North Korean threat actors were observed targeting cryptocurrency and Web3 platforms on Telegram using malicious Zoom meeting requests to deliver the NimDoor macOS malware.
  • TAG-140 targeted Indian government entities using “ClickFix-style” lures, leading to BroaderAspect .NET loader execution.
  • Iranian hackers breached a U.S. water facility, gaining control over a pressure station serving 7,000 people.
  • Batavia spyware campaigns used contract-themed phishing emails to compromise Russian industrial organizations.
  • Over 8,500 SMB users were targeted in an SEO poisoning campaign delivering the Oyster malware loader disguised as AI tools.
  • Hackers exploited a leaked copy of the Shellter Elite red team tool to deploy infostealers in live attacks.

Trends, Tools, or Tactics of Interest

  • The Atomic macOS infostealer (AMOS) has added a backdoor for persistent access to compromised systems.
  • The new “Bert” ransomware strain targets both Linux and Windows systems, featuring aggressive multithreading and cross-platform capabilities.
  • A Chrome browser extension with over 100,000 downloads was found to contain sophisticated spyware, hijacking sessions and redirecting users to malicious sites.
  • Modern malware increasingly incorporates anti-debugging and anti-analysis features to evade detection.
  • Hunters International, a Ransomware-as-a-Service (RaaS) group and successor to Hive, announced its shutdown and transition to “World Leaks,” focusing on data theft and extortion. Free decryptors were offered to previous victims.
  • PayPal has implemented an AI-powered scam alert system that may intercept suspicious transactions to combat increasingly sophisticated fraud attempts.
  • Let’s Encrypt began issuing free certificates for IP addresses, which, while enhancing security, also presents new opportunities for cybercriminal abuse.

Regulatory or Policy Developments Affecting the Security Industry

  • CISA’s addition of four new actively exploited vulnerabilities to its KEV catalog may prompt accelerated patching and mitigation efforts across affected organizations.
  • Let’s Encrypt’s rollout of certificates for IP addresses introduces new considerations for certificate management and threat actor abuse.