Not every risk is immediately apparent. Some problems may start as minor glitches, unusual logs, or subtle delays that don’t seem urgent at first, but can ultimately become significant issues. It’s possible that your environment is already being targeted, but in ways that are not readily apparent.
Some of the most dangerous threats can be hidden in plain sight. It’s essential to consider what patterns might be being missed and what signals are being ignored because they don’t conform to established playbooks.
This week’s reports highlight some of the quiet signals that are often overlooked, from attacks that bypassed multi-factor authentication (MFA) using trusted tools to supply chain compromises hiding behind everyday interfaces. Here’s a summary of the key developments in the cybersecurity landscape:
Threat of the Week
Cloudflare Blocks Massive 7.3 Tbps DDoS Attack – Cloudflare reported that it autonomously blocked the largest distributed denial-of-service (DDoS) attack ever recorded, which peaked at 7.3 terabits per second (Tbps). The attack targeted an unnamed hosting provider and delivered 37.4 terabytes in 45 seconds. It originated from over 122,145 source IP addresses spanning 5,433 Autonomous Systems (AS) across 161 countries. The top sources of attack traffic included Brazil, Vietnam, Taiwan, China, Indonesia, Ukraine, Ecuador, Thailand, the United States, and Saudi Arabia.
Top News
- Patched Google Chrome Flaw Exploited by TaxOff – A threat actor known as TaxOff exploited CVE-2025-2783, a now-patched security flaw in Google Chrome, as a zero-day in mid-March 2025 to target Russian organizations with a backdoor codenamed Trinper. The attacks share overlaps with another threat activity cluster dubbed Team46, which is believed to have been active since early 2024 and has leveraged another zero-day vulnerability in Yandex Browser for Windows in the past to deliver unspecified payloads.
- North Korea Employs Deepfakes in New Fake Zoom Scam – Threat actors with ties to North Korea targeted an unnamed employee of a cryptocurrency foundation with deceptive Zoom calls featuring deepfaked company executives to trick them into downloading malware. Cybersecurity company Huntress, which responded to the incident, said it discovered eight distinct malicious binaries on the victim host that are capable of running commands, dropping additional payloads, logging keystrokes, and stealing cryptocurrency-related files.
- Russian Threat Actors Use App Passwords to Bypass MFA – Russian threat actors tracked as UNC6293 have been found to bypass multi-factor authentication (MFA) and access Gmail accounts of targeted individuals by leveraging app-specific passwords in skillfully crafted social engineering attacks that impersonate U.S. Department of State officials. The attacks, which started in at least April and continued through the beginning of June, are notable for their efforts to build trust with victims over weeks, instead of inducing a false sense of urgency and rushing them into taking unintended actions. The end goal of the attacks is to persuade the recipients to create and share app-specific passwords that would provide access to their Gmail accounts.
- Godfather Trojan Creates Sandbox on Infected Android Devices – A new version of the Godfather banking trojan has been found to create isolated virtual environments on Android devices to steal account data and transactions from legitimate banking apps. While the malware has been active since June 2021, the latest iteration takes its information-stealing capabilities to a whole new level through the deployment of a malicious app containing an embedded virtualization framework on infected devices, which is used to run copies of the targeted applications. Thus, when a user launches a banking app, they are redirected to the virtualized instance, from where sensitive data is stolen. The malware also displays a fake lock screen overlay to trick the victim into entering their PIN.
- Israel-Iran Conflict Sparks Surge in Cyber Warfare – The Israel-Iran conflict that started with Israeli attacks on Iranian nuclear and military targets on June 13 has triggered a wider cyber conflict in the region, with hacktivist groups and ideologically motivated actors targeting both nations. Notable among them, the pro-Israel threat group known as Predatory Sparrow breached Bank Sepah and Nobitex, claiming that both had been used to circumvent international sanctions. Predatory Sparrow has been publicly linked to attacks targeting an Iranian steel production facility in 2022 and to outages at gas station payment systems across the country in 2021. Furthermore, Iran’s state-owned TV broadcaster was hacked to interrupt regular programming and air videos calling for street protests against the Iranian government. Nearly three dozen pro-Iranian groups are estimated to have launched coordinated attacks against Israeli infrastructure. These acts represent another escalation of the use of cyber attacks during (and as a precursor to) geopolitical conflicts, while also underscoring the growing importance of cyber-augmented warfare.
Trending CVEs
Attackers often exploit software vulnerabilities as a means to gain unauthorized access to systems. Every week, new flaws are discovered, and failing to patch them in a timely manner can lead to significant breaches. The following are some of the critical vulnerabilities from this week that you should be aware of. Review them, update your software promptly, and prevent attackers from exploiting them.
This week’s list includes CVE-2025-34509, CVE-2025-34510, CVE-2025-34511 (Sitecore XP), CVE-2025-6018, CVE-2025-6019, CVE-2025-6020 (Linux), CVE-2025-23121 (Veeam Backup & Replication), CVE-2025-3600 (Progress Telerik UI for AJAX), CVE-2025-3464 (ASUS Armoury Crate), CVE-2025-5309 (BeyondTrust Remote Support and Privileged Remote Access), CVE-2025-5349, CVE-2025-5777 (Citrix ADC and Gateway), CVE-2025-5071 (AI Engine plugin), CVE-2025-4322 (Motors theme), CVE-2025-1087 (Insomnia API Client), CVE-2025-20260 (ClamAV), CVE-2025-32896 (Apache SeaTunnel), CVE-2025-50054 (OpenVPN), and CVE-2025-1907 (Instantel Micromate).
Around the Cyber World
- Prometei Botnet Resurgence in March 2025 – The Prometei botnet has been observed in renewed attacks in March 2025, with new features incorporated. “The latest Prometei versions feature a backdoor that enables a variety of malicious activities. Threat actors employ a domain generation algorithm (DGA) for their command-and-control (C2) infrastructure and integrate self-updating features for stealth and evasion,” Palo Alto Networks Unit 42 said. Prometei, first spotted in July 2020, is capable of striking both Windows and Linux systems for cryptocurrency mining, credential theft, and data exfiltration. It can also deploy additional malware payloads. In recent years, it has exploited Windows systems unpatched against ProxyLogon flaws. As of March 2023, it was estimated to have compromised more than 10,000 systems since November 2022. “This modular design makes Prometei highly adaptable, as individual components can be updated or replaced without affecting the overall botnet functionality,” Unit 42 said.
- BitoPro Hack Linked to Lazarus Group – Taiwanese cryptocurrency exchange BitoPro claimed the North Korean hacking group Lazarus is behind a cyber attack that led to the theft of $11,000,000 worth of cryptocurrency on May 9, 2025. “The attack methodology bears resemblance to patterns observed in multiple past international major incidents, including illicit transfers from global bank SWIFT systems and asset theft incidents from major international cryptocurrency exchanges. These attacks are attributed to the North Korean hacking organization ‘Lazarus Group’,” the company said. BitoPro also revealed the attackers conducted a social engineering attack on a team member responsible for cloud operations to implant malware and remotely access their computer, while evading security monitoring. “They subsequently hijacked AWS Session Tokens to bypass Multi-Factor Authentication (MFA),” it added. “From the AWS environment, they delivered commands via a C2 server to discreetly transfer malicious scripts to the hot wallet host, awaiting an opportunity to launch the attack. After prolonged observation, the hackers specifically targeted the platform during its wallet system upgrade and asset transfer period, simulating normal operational behaviors to launch the attack.” On May 9, the malicious script was executed to transfer cryptocurrency from the hot wallet. BitoPro said it shut down its hot wallet system, rotated all cryptographic keys, and isolated and rebuilt affected systems after discovering unusual wallet activity. The heist is the latest to be attributed to the notorious Lazarus Group, which was implicated in the record-breaking $1.5 billion theft from Bybit.
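A defender-side detection idea for the session-token hijack described in the BitoPro item, written as an added example (not BitoPro's or AWS's own code): it scans CloudTrail-style records and flags any temporary (STS) credential that is later used from a source IP other than the one it was first seen from, which is how a replayed session token tends to surface even though the original MFA check passed. Field names follow the CloudTrail schema; the sample records, key IDs and IP addresses are constructed for this example.

```python
"""Flag AWS temporary session credentials reused from an unexpected source IP."""

# Constructed, simplified CloudTrail records. Field names follow the real
# CloudTrail schema; the values are made up for this example.
SAMPLE_EVENTS = [
    {"eventTime": "2025-05-09T01:00:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE0000001",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2025-05-09T01:05:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE0000001"}},
    # Same session token, now used from a different network: the signal we want.
    {"eventTime": "2025-05-09T01:30:00Z", "eventName": "GetSecretValue",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE0000001"}},
    # Long-term key (AKIA...) is out of scope for this particular check.
    {"eventTime": "2025-05-09T02:00:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000002"}},
]


def is_temporary_key(access_key_id: str) -> bool:
    """AWS temporary (STS) access key IDs begin with 'ASIA'; long-term keys with 'AKIA'."""
    return access_key_id.startswith("ASIA")


def find_session_reuse(events):
    """Return one alert per call where a temporary key appears from a new source IP.

    The first IP observed for a session key is treated as its origin. Later calls
    with the same key from another IP are flagged; a stolen token replayed from
    attacker infrastructure looks exactly like this, and MFA is never re-checked
    because the token already carries the MFA-authenticated session.
    """
    origin_ip = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        key = ev.get("userIdentity", {}).get("accessKeyId", "")
        if not is_temporary_key(key):
            continue
        ip = ev["sourceIPAddress"]
        first = origin_ip.setdefault(key, ip)
        if ip != first:
            alerts.append({"accessKeyId": key, "eventName": ev["eventName"],
                           "originIP": first, "newIP": ip, "eventTime": ev["eventTime"]})
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(SAMPLE_EVENTS):
        print(alert)
```

Legitimate address changes (laptops moving between networks, NAT pools) will also trip this rule, so in production it is tuned with an allowlist of expected egress ranges or combined with a short session lifetime and re-authentication for sensitive API calls.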
- Microsoft Plans to Clean Up Legacy Drivers – Microsoft said it’s launching a “strategic initiative” to periodically clean up legacy drivers published on Windows Update to reduce security and compatibility risks. “The rationale behind this initiative is to ensure that we have the optimal set of drivers on Windows Update that cater to a variety of hardware devices across the Windows ecosystem, while making sure that Microsoft Windows security posture is not compromised,” the company said. “This initiative involves periodic cleanup of drivers from Windows Update, thereby resulting in some drivers not being offered to any systems in the ecosystem.”
- Mocha Manakin Uses ClickFix to Deliver Node.js Backdoor – A previously undocumented threat actor known as Mocha Manakin has been linked to a new set of attacks that leverage the well-known ClickFix (aka Paste and run or fakeCAPTCHA) as an initial access technique to drop a bespoke Node.js backdoor codenamed NodeInitRAT. “NodeInitRAT allows the adversary to establish persistence and perform reconnaissance activities, such as enumerating principal names and gathering domain details,” Red Canary said. “NodeInitRAT communicates with adversary-controlled servers over HTTP, often through Cloudflare tunnels acting as intermediary infrastructure.” The backdoor comes with capabilities to execute arbitrary commands and deploy additional payloads on compromised systems. The threat