Executive Summary -
Highlights of Cyber Threat Intelligence Digest
Vulnerabilities
TeamViewer Patches CVE-2025-36537 Affecting TeamViewer Remote Management on Windows - On June 24, 2025, TeamViewer patched CVE-2025-36537, a high-severity vulnerability affecting TeamViewer Remote and Tensor (Full Client and Host) on Windows in versions prior to 15.67. CVE-2025-36537 stems from improper permission assignment in the Microsoft Windows Installer (MSI) rollback mechanism and is only reachable on devices where the Remote Management components (Backup, Monitoring, or Patch Management) are installed.
Successful exploitation allows a local, low-privileged threat actor to delete arbitrary files with SYSTEM-level access, which can be chained into full privilege escalation. At the time of writing, there are no reports of active exploitation in the wild.
CISA Adds Three Vulnerabilities Affecting AMI MegaRAC-SPx, D-Link DIR-859 Router, and Fortinet FortiOS to its KEV Catalogue - On June 25, 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) added three vulnerabilities affecting products from AMI, D-Link, and Fortinet to its Known Exploited Vulnerabilities (KEV) catalogue. Technical details surrounding these vulnerabilities are listed below:
- CVE-2024-54085 is an authentication bypass vulnerability in the Baseboard Management Controller (BMC) firmware of AMI MegaRAC SPx versions prior to 13.5. Successful exploitation allows a remote threat actor to gain administrative privileges on the BMC via the Redfish Host Interface, a standard API for remote server management. From there, the actor can fully compromise the managed server, deploy malware, tamper with firmware, and disrupt hardware. Because the BMC operates below the host operating system, host-based security controls do not see this activity, so BMC interfaces should never be reachable from untrusted networks.
- CVE-2024-0769 is a path traversal vulnerability in D-Link DIR-859 router firmware version 1.06B01. It stems from improper input validation of HTTP POST requests to the /hedwig.cgi endpoint, which lets a remote threat actor read files outside the intended web root. Successful exploitation exposes sensitive configuration files, including account information, which can be used to gain unauthorised access to the device.
- CVE-2019-6693 affects Fortinet FortiOS versions 5.6.9 and below, 6.0.5 and below, and 6.2.0 on FortiGate devices. The flaw is the use of a hard-coded cryptographic key to encrypt sensitive fields in the configuration backup file. Successful exploitation allows a threat actor who obtains a backup file to decrypt user credentials (excluding the admin password), private key passphrases, and high availability (HA) passwords, which undermines the security of the device and of any system that shares those secrets.
Citrix NetScaler Flaw (CVE-2025-6543) - Citrix has issued a warning about a critical vulnerability in its NetScaler appliances (CVE-2025-6543) that is being actively exploited in denial-of-service (DoS) attacks. The flaw is a memory overflow leading to unintended control flow, and it affects NetScaler ADC and Gateway devices configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or as an AAA virtual server. An unauthenticated attacker can send crafted requests that crash the appliance and take it offline. Although the observed impact is DoS, a memory-corruption bug that alters control flow should be treated as potentially allowing more than a crash.
The impacted versions are NetScaler ADC and Gateway 14.1 before 14.1-47.46, 13.1 before 13.1-59.19, and NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.236. Citrix has released fixed builds 14.1-47.46, 13.1-59.19, and 13.1-37.236 for the FIPS and NDcPP branches. The 12.1 and 13.0 branches are end-of-life and do not receive a fix, so appliances on those versions must be upgraded to a supported branch.
Because exploitation requires no authentication, patching is the only effective mitigation. In addition, administrators should monitor for unexpected appliance restarts and unusual user sessions and review access controls to the management and Gateway interfaces. This vulnerability again underlines the importance of keeping NetScaler devices up to date and of watching for exploitation attempts against them.
Potential Threats
Dire Wolf Ransomware Group Targets Global Manufacturing and Technology Sectors via Custom Double Extortion Payloads - On June 24, 2025, Trustwave reported that the newly emerged Dire Wolf Ransomware Group is targeting global sectors, primarily manufacturing and technology, through double extortion operations. Discovered in May 2025, Dire Wolf encrypts files and threatens to publish exfiltrated data for ransom payments.
Using the Recorded Future Intelligence Cloud, Insikt Group identified 679 extortion posts on the group’s leak site, Dire Wolf Blog, at the time of writing. Most observed victims are located in North America, Europe, and the Asia-Pacific region.
Threat Actors Deliver Trojanized SonicWall VPN Client via Fake Sites to Steal Credentials - On June 23, 2025, SonicWall reported that threat actors are distributing a trojanized version of its NetExtender SSL VPN client to steal credentials from remote users. Microsoft Threat Intelligence Centre (MSTIC), which collaborated on the investigation, tracks the malware as SilentRoute.
The threat actors use spoofed websites to deliver a modified NetExtender v10.3.2.27 installer, signed with a certificate from “CITYLIGHT MEDIA PRIVATE LIMITED.” The installer impersonates SonicWall’s legitimate software to trick remote staff and administrators into submitting VPN credentials.
Python Implementation of Mimikatz DCShadow Attack - On June 29, 2025, security researcher Charlie Bromberg (aka ShutdownRepo) released dcshadow, a Python-based implementation of the DCShadow attack from Mimikatz’s “lsadump” module. Mimikatz is a post-exploitation tool used to extract credentials and manipulate authentication on Windows systems. DCShadow allows an attacker who already holds domain admin (or equivalent) rights to alter Active Directory (AD) data stealthily by registering a rogue domain controller (DC) and pushing changes to a legitimate DC through the directory replication protocol.
To operate, dcshadow requires a target AD domain, privileged credentials, the IP and FQDN of a legitimate DC, and a NetBIOS name for the rogue DC. Once set up, it registers the rogue DC, crafts replication requests carrying the desired changes, and injects them into AD using a custom Impacket-based implementation of the MS-DRSR protocol. This lets it modify sensitive attributes such as userAccountControl or SIDHistory without the usual object-modification audit events on the target DC, because the writes arrive as replicated data rather than as LDAP changes. The registration step does leave traces, in particular a computer-account change (event 4742) that adds DC-style service principal names and the creation of an nTDSDSA object under the Sites container (event 5137), which is what existing DCShadow detections key on. After the injection, the rogue DC is deregistered to minimise its footprint. As of now, the tool has 104 stars and 9 forks on GitHub, with the repository linked in the Validation URL section.
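The registration traces mentioned above are the practical detection opportunity for this tool. The following is an added example written for this digest, not code from dcshadow or Mimikatz: it runs a three-rule check over Windows event records (Security 4742 and Directory Service 5137) and correlates the two registration artefacts. The event records are constructed for illustration; field names mirror the XML rendering of those events, the SPN list is assumed to be joined with semicolons, and KNOWN_DCS, the hostnames and the GUIDs are made-up assumptions.

```python
"""Flag DCShadow-style rogue domain controller registration in Windows event data.

Added example for this digest; it is not code from the dcshadow tool or from
Mimikatz. The event records at the bottom are constructed for illustration.
Assumptions: events arrive as dicts whose keys mirror the XML field names of
Security event 4742 (computer account changed) and Directory Service event 5137
(directory object created); multi-valued SPN lists are joined with ';'; and
KNOWN_DCS is the defender's inventory of legitimate DC computer accounts.
"""
from datetime import datetime, timedelta

# SPN classes a computer account gains when it becomes (or impersonates) a DC:
# the Global Catalog SPN and the well-known DRS replication SPN GUID.
GC_SPN_PREFIX = "GC/"
DRS_SPN_GUID = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"

# Assumption: legitimate DC computer accounts (sAMAccountName form).
KNOWN_DCS = {"DC01$", "DC02$"}

# A 4742 SPN change and a 5137 nTDSDSA creation this close together is the
# registration step of a DCShadow push.
CORRELATION_WINDOW = timedelta(minutes=10)


def _dc_like_spn(spn):
    s = spn.strip().upper()
    return s.startswith(GC_SPN_PREFIX) or s.startswith(DRS_SPN_GUID)


def _when(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def analyse_events(events, known_dcs=KNOWN_DCS, window=CORRELATION_WINDOW):
    """Return findings (dicts with a 'rule' key): single-event findings in time
    order, followed by a correlated 'probable_dcshadow' finding if both fire."""
    spn_hits, ntds_hits, findings = [], [], []
    for ev in sorted(events, key=_when):
        eid = ev.get("EventID")
        if eid == 4742:
            acct = ev.get("TargetUserName", "")
            spns = [s for s in ev.get("ServicePrincipalNames", "").split(";") if s]
            # Rule 1: a non-DC computer account suddenly carries DC-only SPNs.
            if acct.upper() not in known_dcs and any(_dc_like_spn(s) for s in spns):
                findings.append({"rule": "dc_spn_on_non_dc_account",
                                 "time": ev["TimeCreated"], "account": acct,
                                 "changed_by": ev.get("SubjectUserName")})
                spn_hits.append((_when(ev), acct))
        elif eid == 5137:
            # Rule 2: an nTDSDSA (NTDS Settings) object appears under the Sites
            # container, which legitimately happens only on DC promotion.
            if (ev.get("ObjectClass", "").lower() == "ntdsdsa"
                    and ",CN=SITES," in ev.get("ObjectDN", "").upper()):
                findings.append({"rule": "ntdsdsa_object_created",
                                 "time": ev["TimeCreated"], "dn": ev["ObjectDN"],
                                 "created_by": ev.get("SubjectUserName")})
                ntds_hits.append((_when(ev), ev["ObjectDN"]))
    # Rule 3: both registration artefacts inside the window -> probable DCShadow.
    for t_spn, acct in spn_hits:
        for t_ntds, dn in ntds_hits:
            if abs(t_spn - t_ntds) <= window:
                findings.append({"rule": "probable_dcshadow", "account": acct, "dn": dn})
    return findings


# Constructed sample: two benign records, then a rogue registration performed
# from a workstation account by an ordinary user. Names and GUIDs are made up.
SAMPLE_EVENTS = [
    {"EventID": 4742, "TimeCreated": "2025-06-29T09:00:00", "TargetUserName": "DC02$",
     "SubjectUserName": "DC02$",
     "ServicePrincipalNames": "GC/dc02.corp.example/corp.example;HOST/dc02.corp.example"},
    {"EventID": 5137, "TimeCreated": "2025-06-29T09:30:00", "ObjectClass": "user",
     "ObjectDN": "CN=New Hire,OU=Staff,DC=corp,DC=example", "SubjectUserName": "hr-admin"},
    {"EventID": 4742, "TimeCreated": "2025-06-29T10:00:05", "TargetUserName": "WS-FIN-07$",
     "SubjectUserName": "jdoe",
     "ServicePrincipalNames": ("HOST/ws-fin-07.corp.example;"
                               "GC/ws-fin-07.corp.example/corp.example;"
                               "E3514235-4B06-11D1-AB04-00C04FC2DCD2/"
                               "0f3b2c1a-1111-2222-3333-444455556666/corp.example")},
    {"EventID": 5137, "TimeCreated": "2025-06-29T10:00:07", "ObjectClass": "nTDSDSA",
     "ObjectDN": ("CN=NTDS Settings,CN=WS-FIN-07,CN=Servers,CN=Default-First-Site-Name,"
                  "CN=Sites,CN=Configuration,DC=corp,DC=example"),
     "SubjectUserName": "jdoe"},
]

if __name__ == "__main__":
    for finding in analyse_events(SAMPLE_EVENTS):
        print(finding)
```

The correlation matters more than either rule alone: a legitimate DC promotion produces both events too, but from a server-class account and a privileged operator during a change window, so the account allowlist and the SubjectUserName in the findings are what an analyst triages on.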
General News
International Criminal Court targeted by new ‘sophisticated’ attack - The International Criminal Court announced on Monday that it had detected a “new, sophisticated and targeted cyber security incident” which it said was spotted last week. In a statement, the ICC credited its “alert and response mechanisms” for “swiftly” discovering, confirming and containing the attack. It did not comment on the attackers’ motives, nor on whether any sensitive information from its prosecutions had been compromised.
The statement added that the Court, headquartered in The Hague, the Netherlands, was currently carrying out an impact analysis following the incident and taking steps to mitigate any effects, though these potential effects were not described.
According to the Court, the continued support of countries that have ratified the Rome Statute “ensures” its “capacity to implement its critical mandate of justice and accountability,” which it stressed was a shared responsibility of all States Parties.
NATO members aim for spending 5% of GDP on defence, with 1.5% eligible for cyber - NATO allies agreed this week to raise their defence spending to 5% of GDP within a decade: 3.5% of GDP for core defence and the remaining 1.5% for defence-related spending, which includes cybersecurity capabilities.
The expanded definition of what counts as defence spending now includes investments in energy and supply chain resilience, logistics infrastructure, and innovation that relates directly to the strategic concerns raised by Russia’s full-scale invasion of Ukraine and to the systemic challenges posed by what NATO describes as China’s “stated ambitions and coercive policies.”
The investment in cyber defences comes as experts warn that even incidents below the threshold of armed conflict are having “strategically consequential effects” on NATO allies, and as NATO itself agreed to launch an integrated cyber defence centre at its military headquarters in Mons, Belgium.
'Disgruntled' British IT worker jailed for hacking employer after being suspended - A British IT worker who launched what police described as a cyberattack against his employer after being suspended from work has been jailed for seven months. According to West Yorkshire Police, within hours of his suspension in July 2022, Mohammed Umar Taj attempted to take revenge on his employer.
The unidentified firm, which has clients in the United Kingdom as well as in Germany and Bahrain, said it suffered “significant disruption” and lost at least £200,000 (about $275,000) due to the attack, as well as suffered reputational harm.
Taj, who was sentenced on June 26 after previously pleading guilty to a Computer Misuse Act offence, accessed his employer’s systems to alter login credentials and disrupt its daily activities. A day later, Taj “changed access credentials and the company’s multi-factor authentication so that he could adversely impact the activities of the firm’s clients both in the UK and overseas in Germany and Bahrain.”
Investigators from West Yorkshire Police’s cyber team discovered that Taj had kept recordings of his activities and had discussed the attack in phone recordings that forensics specialists were able to recover.
Threat Actor Weekly Graph
Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.
Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.
Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.
Both intent and opportunity are scored out of 100 and together determine the group’s severity. These updates can be seen below.
● Limited Severity | ● Basic Severity | ● Moderate Severity | ● High Severity

Threat Actor | Severity (previous → current) | Opportunity (previous → current) | Intent (previous → current)
---|---|---|---
Kimsuky | ● High → ● High | 92 → 92 | 30 → 25
BlueBravo | ● High → ● High | 88 → 87 | 25 → 25
BlueDelta | ● High → ● High | 87 → 86 | 25 → 25
Pioneer Kitten | ● Moderate → ● Moderate | 49 → 61 | 49 → 49
BlackLock Ransomware Group | NEW → ● Basic | NEW → 35 | NEW → 49
Global Trends Powered by Recorded Future
Within each category, we have provided the current top five globally trending items. Each item is marked with a symbol indicating how actively it is trending.
The spikes in references are calculated over 60 days and are normalised so that they are not disproportionate when compared to bigger entities that naturally have more baseline mentions.
▲ Spike: a large increase in reporting volume and a high diversity in the event descriptions.
▲ Rise: a small increase in reporting volume with little diversity in the descriptions.
Attackers | Methods | Vulnerabilities | Targets
---|---|---|---
Mexican Cartel ▲ | Stealware ▲ | CVE-2025-6554 ▲ | Transportation ▲
Iranian Revolutionary ▲ | TA0040 (Impact) ▲ | CVE-2025-47812 ▲ | Qantas Group ▲
Predatory Sparrow ▲ | Backdoor ▲ | CVE-2025-32463 ▲ | FBI ▲
APT-C-36 ▲ | ClickFix ▲ | CVE-2025-6543 ▲ | Columbia University ▲
NightSpire Ransomware Group ▲ | Spear Phishing ▲ | CVE-2025-32462 ▲ | Susie Wiles ▲
Prominent Information Security Events
Dire Wolf Ransomware Group Targets Global Manufacturing and Technology Sectors via Custom Double Extortion Payloads
Source: Insikt Group | Validated Intelligence Event
IOC: SHA256 - 8fdee53152ec985ffeeeda3d7a85852eb5c9902d2d480449421b4939b1904aad
IOC: SHA256 - 27d90611f005db3a25a4211cf8f69fb46097c6c374905d7207b30e87d296e1b3
IOC: MD5 - a71dbf2e20c04da134f8be86ca93a619
On June 24, 2025, Trustwave reported that the newly emerged Dire Wolf Ransomware Group is targeting global sectors, primarily manufacturing and technology, through double extortion operations. Discovered in May 2025, Dire Wolf encrypts files and threatens to publish exfiltrated data for ransom payments. Using the Recorded Future Intelligence Cloud, Insikt Group identified 679 extortion posts on the group’s leak site, Dire Wolf Blog, at the time of writing. Most observed victims are located in North America, Europe, and the Asia-Pacific region.
The infection chain begins with the execution of a Golang binary packed with the Ultimate Packer for Executables (UPX) that delivers the Dire Wolf ransomware payload. Upon execution, the ransomware checks for a file runfinish[.]exe and the mutex Global\direwolfAppMutex to confirm prior system encryption. If found, it self-deletes via a shell command; otherwise, it disables system event logging using PowerShell commands through Windows Management Instrumentation (WMI) queries.
The ransomware then stops 75 hard-coded services, mostly related to security software, through ControlService, sc stop, and sc config. Simultaneously, it employs taskkill to terminate 59 predefined processes tied to databases, office applications, and endpoint defences. It deletes shadow copies and disables backup features via vssadmin, wbadmin, and bcdedit commands, then clears event logs with wevtutil. For encryption, the ransomware employs Curve25519 and ChaCha20 algorithms, appending .direwolf to affected files while excluding system-critical extensions. A ransom note containing credentials to a live chat room and a gofile[.]io link to the sample stolen data is then dropped before the malware self-deletes and reboots the system.
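The recovery-inhibition steps described above (shadow copy and backup catalog deletion, bcdedit recovery changes, service stopping, process killing, event log clearing) are visible in process-creation telemetry before encryption starts, and the useful signal is the burst of several of them from one parent process rather than any single command, which administrators also run. The block below is an added example written for this digest, not code from the Dire Wolf sample or the Trustwave report: it classifies command lines into those categories and alerts when one parent issues three or more distinct categories within five minutes. The command forms matched are the usual ones for these tools rather than literal strings from the sample, the `wmic shadowcopy delete` variant goes beyond what the digest lists, and the records, hostnames, PIDs and the service name are constructed. Mutex creation and direct ControlService API calls are not command lines and need a different log source.

```python
"""Spot the 'inhibit recovery' burst that precedes ransomware encryption.

Added example for this digest, not code from the Dire Wolf sample or the
Trustwave report. Runs over process-creation records (Sysmon event 1 or
Security 4688 style) and flags a parent process that, within a few minutes,
issues commands from several categories: shadow copy deletion, backup catalog
deletion, recovery disabling, event log clearing, service stopping and process
killing. Assumptions: records are dicts with Computer, ParentProcessId,
UtcTime (ISO 8601) and CommandLine keys; sample data below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (category, pattern applied to the lower-cased command line)
RULES = [
    ("shadow_copy_delete",    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows")),
    ("shadow_copy_delete",    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete")),
    ("backup_catalog_delete", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)")),
    ("recovery_disable",      re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
    ("eventlog_clear",        re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b")),
    ("service_stop",          re.compile(r"\bsc(\.exe)?\s+(stop\b|config\s+\S+\s+start=\s*disabled)")),
    ("process_kill",          re.compile(r"\btaskkill(\.exe)?\b.*\s/f\b")),
]
WINDOW = timedelta(minutes=5)
MIN_CATEGORIES = 3   # a single category on its own is routine admin noise


def classify(command_line):
    """Return the set of categories a single command line matches."""
    cl = command_line.lower()
    return {cat for cat, rx in RULES if rx.search(cl)}


def find_recovery_inhibit_clusters(events, window=WINDOW, min_categories=MIN_CATEGORIES):
    """Group matching events by (host, parent PID); alert once per group whose
    distinct categories within any `window`-long span reach min_categories."""
    groups = defaultdict(list)
    for ev in events:
        cats = classify(ev["CommandLine"])
        if cats:
            key = (ev["Computer"], ev["ParentProcessId"])
            groups[key].append((datetime.fromisoformat(ev["UtcTime"]), cats, ev["CommandLine"]))
    alerts = []
    for (host, ppid), items in groups.items():
        items.sort(key=lambda x: x[0])
        for i, (t0, _, _) in enumerate(items):          # sliding window start
            seen, cmds = set(), []
            for t, cats, cmd in items[i:]:
                if t - t0 > window:
                    break
                seen |= cats
                cmds.append(cmd)
            if len(seen) >= min_categories:
                alerts.append({"host": host, "parent_pid": ppid,
                               "first_seen": t0.isoformat(),
                               "categories": sorted(seen), "commands": cmds})
                break                                    # one alert per parent
    return alerts


# Constructed sample: a burst from one parent on WS-OPS-03 and a routine
# shadow-copy cleanup by an administrator on SRV-BK-01. "ExampleEDRSvc" is a
# placeholder service name.
SAMPLE_EVENTS = [
    {"Computer": "WS-OPS-03", "ParentProcessId": 4412, "UtcTime": "2025-06-24T08:12:01",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "WS-OPS-03", "ParentProcessId": 4412, "UtcTime": "2025-06-24T08:12:02",
     "CommandLine": "wbadmin delete catalog -quiet"},
    {"Computer": "WS-OPS-03", "ParentProcessId": 4412, "UtcTime": "2025-06-24T08:12:02",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"Computer": "WS-OPS-03", "ParentProcessId": 4412, "UtcTime": "2025-06-24T08:12:03",
     "CommandLine": "sc stop ExampleEDRSvc"},
    {"Computer": "WS-OPS-03", "ParentProcessId": 4412, "UtcTime": "2025-06-24T08:12:03",
     "CommandLine": "sc config ExampleEDRSvc start= disabled"},
    {"Computer": "WS-OPS-03", "ParentProcessId": 4412, "UtcTime": "2025-06-24T08:12:04",
     "CommandLine": "taskkill /F /IM sqlservr.exe"},
    {"Computer": "WS-OPS-03", "ParentProcessId": 4412, "UtcTime": "2025-06-24T08:12:30",
     "CommandLine": "wevtutil cl Security"},
    {"Computer": "SRV-BK-01", "ParentProcessId": 880, "UtcTime": "2025-06-24T08:15:00",
     "CommandLine": "vssadmin delete shadows /for=C: /oldest"},
]

if __name__ == "__main__":
    for alert in find_recovery_inhibit_clusters(SAMPLE_EVENTS):
        print(alert["host"], alert["parent_pid"], alert["categories"])
```

Keying on the parent PID is what separates the ransomware binary's burst from the same commands typed by an administrator over a day; on a real SIEM, add the parent image path to the alert so the responder can pull the binary and check it against the hashes listed above.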
Threat Actors Deliver Trojanized SonicWall VPN Client via Fake Sites to Steal Credentials
Source: Insikt Group | Validated Intelligence Event
IOC: IP - 132[.]196[.]198[.]163
IOC: SHA256 - e30793412d9aaa49ffe0dbaaf834b6ef6600541abea418b274290447ca2e168b
IOC: SHA256 - 71110e641b60022f23f17ca6ded64d985579e2774d72bcff3fdbb3412cb91efd
On June 23, 2025, SonicWall reported that threat actors are distributing a trojanized version of its NetExtender SSL VPN client to steal credentials from remote users. Microsoft Threat Intelligence Centre (MSTIC), which collaborated on the investigation, tracks the malware as SilentRoute. The threat actors use spoofed websites to deliver a modified NetExtender v10.3.2.27 installer, signed with a certificate from “CITYLIGHT MEDIA PRIVATE LIMITED.” The installer impersonates SonicWall’s legitimate software to trick remote staff and administrators into submitting VPN credentials.
The threat actors typically direct victims to fake download sites through online ads, search engine manipulation, private messages, and posts on platforms like YouTube and TikTok. After the user launches the trojanized client, it runs a patched version of NeService.exe that disables internal signature checks, allowing the modified components to execute. When the user enters VPN credentials and clicks “Connect,” the altered NetExtender.exe captures the username, password, domain, and other configuration details, then transmits them to a remote server at IP address 132[.]196[.]198[.]163 over port 8080.
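Two checks follow directly from the description above: match the published hashes and the exfiltration endpoint against endpoint and network data, and treat any NetExtender component whose Authenticode signer is not the vendor as suspect, since the trojanised installer carries a valid signature, just from the wrong party. The block below is an added example written for this digest, not SonicWall's or Microsoft's code. It refangs the indicators as printed above and sweeps a constructed software inventory and connection log. EXPECTED_SIGNER is an assumption about the legitimate signer subject and should be confirmed against a known-good install; the hostnames, the benign hashes and the log lines are made up.

```python
"""IOC sweep for the trojanised NetExtender campaign.

Added example for this digest, not SonicWall's or Microsoft's code. Takes the
indicators as printed in the digest (the IP is defanged), refangs them, and
checks a constructed inventory of NetExtender binaries (path, SHA-256,
Authenticode signer subject) plus a constructed connection log. Assumption:
EXPECTED_SIGNER is a substring of the subject on genuine SonicWall builds.
"""

IOC_HASHES = [
    "e30793412d9aaa49ffe0dbaaf834b6ef6600541abea418b274290447ca2e168b",
    "71110e641b60022f23f17ca6ded64d985579e2774d72bcff3fdbb3412cb91efd",
]
DEFANGED_C2 = "132[.]196[.]198[.]163"
C2_PORT = 8080
NETEXTENDER_BINARIES = {"netextender.exe", "neservice.exe"}
EXPECTED_SIGNER = "sonicwall"   # assumption, compared case-insensitively


def refang(indicator):
    """Undo the defanging used in threat reports so values compare cleanly."""
    return (indicator.replace("[.]", ".").replace("[:]", ":")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


IOC_SHA256 = {h.lower() for h in IOC_HASHES}
C2_IP = refang(DEFANGED_C2)


def sweep_inventory(inventory):
    """inventory: iterable of dicts with host, path, sha256, signer keys."""
    findings = []
    for item in inventory:
        name = item["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if item["sha256"].lower() in IOC_SHA256:
            findings.append({"rule": "known_bad_hash", "host": item["host"], "path": item["path"]})
        elif name in NETEXTENDER_BINARIES and EXPECTED_SIGNER not in item["signer"].lower():
            # A signature that merely verifies is not enough: the trojanised
            # build is validly signed by an unrelated company.
            findings.append({"rule": "unexpected_signer", "host": item["host"],
                             "path": item["path"], "signer": item["signer"]})
    return findings


def sweep_connections(log_lines):
    """log_lines: 'timestamp,src_host,dst_ip,dst_port' records (constructed format).
    Any contact with the C2 address is reported; port_match marks the exact IOC."""
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst_ip, dst_port = [f.strip() for f in line.split(",")]
        if dst_ip == C2_IP:
            findings.append({"rule": "c2_contact", "time": ts, "host": src,
                             "dst": f"{dst_ip}:{dst_port}",
                             "port_match": int(dst_port) == C2_PORT})
    return findings


# Constructed sample data.
SAMPLE_INVENTORY = [
    {"host": "LT-SALES-12", "path": r"C:\Program Files\SonicWall\SSL-VPN\NetExtender\NetExtender.exe",
     "sha256": "e30793412d9aaa49ffe0dbaaf834b6ef6600541abea418b274290447ca2e168b",
     "signer": "CITYLIGHT MEDIA PRIVATE LIMITED"},
    {"host": "LT-SALES-12", "path": r"C:\Program Files\SonicWall\SSL-VPN\NetExtender\NeService.exe",
     "sha256": "2f" * 32,   # placeholder: not in the IOC list, but wrongly signed
     "signer": "CITYLIGHT MEDIA PRIVATE LIMITED"},
    {"host": "LT-ENG-04", "path": r"C:\Program Files\SonicWall\SSL-VPN\NetExtender\NetExtender.exe",
     "sha256": "9a" * 32,   # placeholder for a genuine build
     "signer": "SonicWall Inc."},
]
SAMPLE_CONN_LOG = """
# time,src_host,dst_ip,dst_port
2025-06-23T14:02:11Z,LT-SALES-12,132.196.198.163,8080
2025-06-23T14:02:12Z,LT-SALES-12,203.0.113.10,443
2025-06-23T14:05:40Z,LT-ENG-04,132.196.198.163,443
""".strip().splitlines()

if __name__ == "__main__":
    for finding in sweep_inventory(SAMPLE_INVENTORY) + sweep_connections(SAMPLE_CONN_LOG):
        print(finding)
```

The signer rule catches rebuilt installers whose hashes differ from the two published ones, which is the more durable check; hash matches confirm the specific samples, and any host with a c2_contact finding should have its VPN credentials rotated regardless of what the inventory shows.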
Remediation Actions
Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:
- CVE-2025-36537: update TeamViewer Remote and Tensor (Full Client and Host) installations with Remote Management components on Windows to version 15.67 or later, as detailed in TeamViewer’s advisory.
- CVE-2024-54085, CVE-2024-0769, and CVE-2019-6693: apply the available patches for MegaRAC SPx and FortiOS if the affected products are part of your tech stack, and confirm that BMC management interfaces are not reachable from untrusted networks. DIR-859 routers have reached end-of-life (EOL) status and will not receive a fix; they should be decommissioned and replaced with supported hardware.
- CVE-2025-6543: install the fixed builds (14.1-47.46, 13.1-59.19, and 13.1-37.236 for the FIPS and NDcPP branches) immediately, as the vulnerability is being actively exploited and no workaround is available for the vulnerable configurations.
If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.