Major Incidents or Breaches

  • Ribbon Communications, a major telecom services provider with clients including the US government and global telecom firms, disclosed a breach of its IT network by nation-state actors, with access dating back to December 2023.
  • Conduent, a business process outsourcing (BPO) giant, confirmed a 2024 data breach impacting over 10.5 million individuals. Stolen data includes names, addresses, dates of birth, Social Security numbers, and health and insurance information. A ransomware gang has claimed responsibility.
  • The Canadian Centre for Cyber Security reported that hackers tampered with industrial control systems (ICS) at a water facility and an oil and gas firm, warning of increasing hacktivist activity targeting internet-exposed ICS environments.

Newly Discovered Vulnerabilities

  • CISA added a high-severity zero-day vulnerability affecting Broadcom VMware Tools and VMware Aria Operations to its Known Exploited Vulnerabilities Catalog. The flaw is being actively exploited by China-linked threat actors, and federal agencies have been ordered to patch immediately.
  • A critical authentication bypass vulnerability (CVE-2025-54603) was patched in Claroty products, which exposed operational technology (OT) environments and critical infrastructure to potential disruption and data theft.
  • A severe exploit targeting the Chromium Blink rendering engine was disclosed, allowing attackers to crash Chromium-based browsers instantly via a malicious URL.
  • Researchers highlighted a DNS poisoning flaw, supply-chain attack vectors, and new malware strains in the npm ecosystem, including over 130 packages delivering infostealers and the PhantomRaven malware, which steals GitHub tokens from developers.
  • A Living-off-the-Land (LotL) attack technique was detailed, leveraging Windows’ native AI stack to hide malware in trusted AI data files.

Notable Threat Actor Activity

  • Russian ransomware gangs are increasingly adopting the open-source AdaptixC2 command-and-control framework for advanced attacks.
  • China-linked hackers are actively exploiting VMware vulnerabilities in live attacks.
  • LinkedIn is being abused for targeted phishing campaigns against finance executives, using fake executive board invitations to steal Microsoft credentials.
  • Multiple malicious npm packages, including those delivering PhantomRaven malware, have been downloaded over 100,000 times, targeting developer credentials and tokens.

Trends, Tools, or Tactics of Interest

  • There is a surge in NFC relay malware in Eastern Europe, with over 760 Android apps identified as capable of stealing payment card data via NFC relay attacks.
  • Attackers are increasingly leveraging supply-chain attacks, with the npm registry a recurring target for infostealer distribution.
  • AI and machine learning defenses are scaling up: Google reports its built-in Android AI blocks over 10 billion scam messages and calls monthly.
  • Security researchers note a rise in attackers focusing on fewer, high-impact targets and exploiting defender blind spots.
  • Living-off-the-Land (LotL) tactics are evolving, with attackers embedding malware in trusted system components like Windows AI stacks to evade detection.
  • Social engineering tactics are being refined, with threat actors exploiting “Contact Us” forms and public data to craft more effective phishing and business email compromise (BEC) attacks.

Regulatory or Policy Developments

  • CISA and NSA, with global partners, released new security guidance for hardening Microsoft Exchange servers to address persistent exploitation risks.
  • CISA mandated immediate patching of the VMware Tools vulnerability for federal agencies due to active exploitation.
  • Guidance and warnings from Canadian authorities emphasize the need for increased ICS/OT security amid rising hacktivist threats.