San Mateo, CA, June 23, 2025 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.
Deepfake Zoom calls let North Korean hackers hit crypto firms
North Korea-linked BlueNoroff targets Web3 employees with fake Zoom calls using deepfaked executives to deliver macOS malware. According to Huntress, the attack started on Telegram and redirected a Calendly meeting link to a fake Zoom site. Victims are urged to install a Zoom extension that downloads a malicious AppleScript. The script disables system logging, installs Rosetta 2 if needed, and downloads further payloads, including keyloggers, cryptocurrency stealers, and remote access tools. BlueNoroff, part of the Lazarus Group, is known for financially motivated attacks like TraderTraitor. DTEX reports that APT38 has split into subgroups, including TraderTraitor and CryptoCore. The campaign resembles previous social engineering operations like ClickFake Interview, which uses fake job offers and support lures to install cross-platform malware on targeted machines.
APT29 sidesteps MFA to breach U.S. Russia expert’s account
Hackers impersonating the U.S. State Department recently executed a sophisticated phishing campaign against Keir Giles, a prominent Russia expert and senior consulting fellow at Chatham House, using refined tactics that bypassed traditional red flags. Unlike past attempts, this operation featured convincing English, a valid-looking domain, strategic timing, and no pressure tactics. According to Citizen Lab and Google’s Threat Intelligence Group, the attackers, linked to Russia’s Foreign Intelligence Service and known as UNC6293 or APT29, tricked Giles into sharing an app-specific password (ASP), enabling access to his Google accounts despite multi-factor authentication. This novel abuse of ASPs highlights evolving threats that bypass modern security tools. The attackers’ patience and technical knowledge, including exploiting Google’s email bounceback behavior and potentially leveraging AI for realistic messages, made detection difficult. “Unlike any of the previous times when they’ve had a go at me, I haven’t actually seen anywhere they’ve put a foot wrong and done something which is implausible,” Giles said. “It was totally straight up and very well-constructed from beginning to end.”
$90M Nobitex theft fuels rising cyber tensions with Israel
Nobitex, Iran’s largest cryptocurrency exchange, confirmed it was hacked this week, with attackers draining at least $90 million from its hot wallet. The exchange said it detected unauthorized access and is investigating it while suspending its app and website indefinitely. The pro-Israel hacking group Predatory Sparrow claimed responsibility, accusing Nobitex of financing terrorism and evading sanctions. Blockchain firm Elliptic reported that the hackers “burned” the stolen funds by transferring them to unusable wallets. Predatory Sparrow also claimed credit for a recent cyberattack on Iran’s Bank Sepah. “Israel has launched a massive cyber war against [Iran’s] digital infrastructure,” Iran’s IRIB reported, amid escalating military tensions between the two countries.
5.4M U.S. patients exposed in major healthcare data breach
Episource has disclosed a data breach that exposed sensitive health information of over 5.4 million individuals in the U.S., stemming from a cyberattack between January 27 and February 6, 2025. “We learned from our investigation that a cybercriminal could see and take copies of some data in our computer systems,” the healthcare technology firm stated. The compromised data may include Social Security numbers, medical records, insurance details, and personal contact information, though banking data was unaffected. Episource started notifying affected individuals in April and confirmed the breach to federal regulators in June. The incident impacts patients connected to Episource’s healthcare clients, although not all were affected. The company urges vigilance against fraudulent activity but notes it has not yet detected misuse of the stolen data.
Qilin adds lawyers to ransomware playbook for negotiation edge
As once-dominant ransomware groups like LockBit, RansomHub, and BlackLock collapse under law enforcement pressure and internal leaks, a new player, Qilin, is rising to prominence, now ranked the third most active ransomware group in 2025 with 291 victims, according to Cybereason. What sets Qilin apart is its advanced technical infrastructure and a suite of unprecedented affiliate services, including a “Call Lawyer” feature for legal intimidation during negotiations. “The mere appearance of a lawyer in the chat can exert indirect pressure on the company and increase the ransom amount,” Qilin claims in a dark web post. The group’s malware, written in Rust and C, is cross-platform and supports advanced encryption modes, automated negotiation tools, and even DDoS and spam services. Cybereason describes Qilin as “not just a ransomware group, but a full-service cybercrime platform,” redefining the ransomware-as-a-service model as the threat landscape grows more fragmented.
Anubis ransomware leaves victims with zero chance of recovery
Trend Micro reports that a new ransomware strain dubbed Anubis is alarming researchers with its rare dual-threat capability to encrypt and permanently destroy victim data. “Its ability to both encrypt and permanently destroy data significantly raises the stakes for victims, amplifying the pressure to comply,” said researchers Maristel Policarpio, Sarah Pearl Camiling, and Sophia Nilette Robles. Active since December 2024, Anubis has hit the healthcare, hospitality, and construction sectors in the U.S., Canada, Australia, and Peru. The ransomware-as-a-service model offers affiliates up to 80% of ransom payments, with separate monetization paths for stolen data and access. After gaining initial access through phishing emails, attackers escalate their access and delete shadow copies before encrypting or wiping files; wiped files are reduced to 0 KB but keep their original names, which adds to the victim’s confusion and pressure. The wiper function is triggered with a /WIPEMODE parameter, ensuring unrecoverable damage.
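The wiping behaviour described above (many files truncated to 0 bytes while their names survive) is a distinctive signal a defender can hunt for in file-activity telemetry. The following Python is an added example, not Trend Micro's or the page's code; the `FileEvent` record shape, the directory grouping, and the window/threshold defaults are assumptions about what an EDR or audit feed would provide.

```python
"""Heuristic detector for Anubis-style wiping: a burst of distinct files in one
directory going from non-zero to zero bytes within a short time window.
Added example; telemetry format and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float          # epoch seconds of the write/truncate event
    path: str          # full path; name is unchanged by the wiper
    size_before: int   # bytes before the event
    size_after: int    # bytes after the event


def find_wipe_bursts(events, window=60.0, min_files=20):
    """Return {directory: count} for each directory where at least `min_files`
    distinct files were truncated to zero bytes within any `window` seconds."""
    per_dir = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.size_before > 0 and ev.size_after == 0:   # truncation, not an edit
            per_dir[ev.path.rsplit("/", 1)[0]].append(ev)
    hits = {}
    for directory, evs in per_dir.items():
        lo, best = 0, 0
        for hi in range(len(evs)):                       # sliding time window
            while evs[hi].ts - evs[lo].ts > window:
                lo += 1
            best = max(best, len({e.path for e in evs[lo:hi + 1]}))
        if best >= min_files:
            hits[directory] = best
    return hits


def sample_events():
    """Constructed telemetry: 25 spreadsheets wiped in /srv/docs within 10 s,
    30 ordinary source edits that shrink files, and one benign cache truncation."""
    evs = [FileEvent(1000.0 + i * 0.4, f"/srv/docs/report{i}.xlsx", 40_000 + i, 0)
           for i in range(25)]
    evs += [FileEvent(1000.0 + i, f"/home/u/src/main{i}.py", 900, 850) for i in range(30)]
    evs.append(FileEvent(1500.0, "/tmp/cache.bin", 5_000, 0))
    return evs


if __name__ == "__main__":
    print(find_wipe_bursts(sample_events()))   # {'/srv/docs': 25}
```

Tune `window` and `min_files` to the host's normal churn; the same events evaluated with a 5-second window fall below the default threshold, so the window is the knob that separates a wiper from a busy build directory.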
AI-generated spam now outsmarts filters and fools users
A new study by Barracuda, in partnership with Columbia University and the University of Chicago, has found that 51% of malicious and spam emails are now generated using AI tools. This figure peaked in April 2025 after a steady increase since late 2022. Researchers attribute the rise to improved language quality, formality, and grammar in AI-generated messages, making them harder to detect and more convincing. While only 14% of business email compromise (BEC) attacks currently use AI, experts expect that number to grow, especially with the advancement of tools like voice cloning. Attackers mainly leverage AI to bypass filters and test different message versions, mimicking A/B testing strategies seen in marketing.
Scattered Spider drops retailers, infiltrates insurance sector
Scattered Spider, a financially driven cybercriminal group also tracked as UNC3944, has shifted its focus from recent ransomware campaigns against U.K. and U.S. retailers to targeting American insurance companies, according to Google’s Threat Intelligence Group. Several insurance firms have experienced attacks reflecting Scattered Spider’s tactics, including social engineering methods aimed at help desks and call centers. Erie Insurance, a Fortune 500 firm, reported suspicious network activity on June 7 and has since taken systems offline and launched an investigation with law enforcement and cybersecurity experts. Though not yet confirmed, analysts believe Scattered Spider may be behind the incident.
€250M darknet drug hub shut down in global sting
Authorities from six nations dismantled Archetyp Market, a major darknet drug marketplace active since 2020. The platform had over 612,000 users and processed €250 million in Monero transactions through listings for cocaine, heroin, cannabis, fentanyl, and other drugs. Dubbed Operation Deep Sentinel, the takedown was led by German police and supported by Europol, Eurojust, and others. The market’s infrastructure was seized in the Netherlands, and its suspected administrator was arrested in Spain. Additional arrests included one moderator and six top vendors in Germany and Sweden. Officers also confiscated narcotics, electronics, and €7.8 million in assets across coordinated raids.
New stealth malware raids 78+ apps using Discord for access
A new malware known as Katz Stealer has surfaced, enabling cybercriminals to steal sensitive data using stealthy, persistent methods. Delivered via phishing and fake downloads, Katz Stealer uses obfuscated JavaScript and PowerShell scripts to install itself, evading detection with anti-analysis techniques like geofencing, system fingerprinting, and sandbox detection. It steals credentials from over 78 browsers, messaging apps, crypto wallets, and email clients, even bypassing Chrome’s security to grab saved data. A key feature is its use of the Discord app for persistence, modifying its startup script to maintain access and inserting “a JavaScript snippet that performs HTTPS requests to domains such as twist2katz.com using a custom User-Agent string that mimics Chrome browser traffic.”