⚡ Weekly Recap: Chrome 0-Day, 7.3 Tbps DDoS, MFA Bypass Tricks, Banking Trojan and More

Not every risk looks like an attack. Some problems start as small glitches, strange logs, or quiet delays that don’t seem urgent—until they are. What if your environment is already being tested, just not in ways you expected?

Some of the most dangerous moves are hidden in plain sight. It’s worth asking: what patterns are we missing, and what signals are we ignoring because they don’t match old playbooks?

This week’s reports bring those quiet signals into focus—from attacks that bypassed MFA using trusted tools, to supply chain compromises hiding behind everyday interfaces. Here’s what stood out across the cybersecurity landscape:

⚡ Threat of the Week

Cloudflare Blocks Massive 7.3 Tbps DDoS Attack — Cloudflare said it autonomously blocked the largest distributed denial-of-service (DDoS) attack ever recorded, which hit a peak of 7.3 terabits per second (Tbps). The attack, the company said, targeted an unnamed hosting provider and delivered 37.4 terabytes in 45 seconds. It originated from over 122,145 source IP addresses spanning 5,433 Autonomous Systems (AS) across 161 countries. The top sources of attack traffic included Brazil, Vietnam, Taiwan, China, Indonesia, Ukraine, Ecuador, Thailand, the United States, and Saudi Arabia.

🔔 Top News

  • Patched Google Chrome Flaw Exploited by TaxOff — A threat actor known as TaxOff exploited CVE-2025-2783, a now-patched security flaw in Google Chrome, as a zero-day in mid-March 2025 to target Russian organizations with a backdoor codenamed Trinper. The attacks share overlaps with another threat activity cluster dubbed Team46, which is believed to have been active since early 2024 and has leveraged another zero-day vulnerability in Yandex Browser for Windows in the past to deliver unspecified payloads.
  • North Korea Employs Deepfakes in New Fake Zoom Scam — Threat actors with ties to North Korea targeted an unnamed employee of a cryptocurrency foundation with deceptive Zoom calls featuring deepfaked company executives to trick them into downloading malware. Cybersecurity company Huntress, which responded to the incident, said it discovered eight distinct malicious binaries on the victim host that are capable of running commands, dropping additional payloads, logging keystrokes, and stealing cryptocurrency-related files.
  • Russian Threat Actors Use App Passwords to Bypass MFA — Russian threat actors tracked as UNC6293 have been found to bypass multi-factor authentication (MFA) and access Gmail accounts of targeted individuals by leveraging app-specific passwords in skillfully crafted social engineering attacks that impersonate U.S. Department of State officials. The attacks, which started in at least April and continued through the beginning of June, are notable for their efforts to build trust with victims over weeks, instead of inducing a false sense of urgency and rushing them into taking unintended actions. The end goal of the attacks is to persuade the recipients to create and share app-specific passwords that would provide access to their Gmail accounts.
  • Godfather Trojan Creates Sandbox on Infected Android Devices — A new version of the Godfather banking trojan has been found to create isolated virtual environments on Android devices to steal account data and transactions from legitimate banking apps. While the malware has been active since June 2021, the latest iteration takes its information-stealing capabilities to a whole new level through the deployment of a malicious app containing an embedded virtualization framework on infected devices, which is used to run copies of the targeted applications. Thus, when a user launches a banking app, they are redirected to the virtualized instance, from where sensitive data is stolen. The malware also displays a fake lock screen overlay to trick the victim into entering their PIN.
  • Israel-Iran Conflict Sparks Surge in Cyber Warfare — The Israel-Iran conflict that started with Israeli attacks on Iranian nuclear and military targets on June 13 has triggered a wider cyber conflict in the region, with hacktivist groups and ideologically motivated actors targeting both nations. Notable among them, the pro-Israel threat group known as Predatory Sparrow breached Bank Sepah and Nobitex, claiming they have been used to circumvent international sanctions. Predatory Sparrow has been publicly linked to attacks targeting an Iranian steel production facility in 2022 and for causing outages at gas station payment systems across the country in 2021. Furthermore, Iran’s state-owned TV broadcaster was hacked to interrupt regular programming and air videos calling for street protests against the Iranian government. Nearly three dozen pro-Iranian groups are estimated to have launched coordinated attacks against Israeli infrastructure. These acts represent another escalation of the use of cyber attacks during (and as a precursor to) geopolitical conflicts, while also underscoring the growing importance of cyber-augmented warfare.

🔥 Trending CVEs

Attackers love software vulnerabilities – they’re easy doors into your systems. Every week brings fresh flaws, and waiting too long to patch can turn a minor oversight into a major breach. Below are this week’s critical vulnerabilities you need to know about. Take a look, update your software promptly, and keep attackers locked out.

This week’s list includes — CVE-2025-34509, CVE-2025-34510, CVE-2025-34511 (Sitecore XP), CVE-2025-6018, CVE-2025-6019, CVE-2025-6020 (Linux), CVE-2025-23121 (Veeam Backup & Replication), CVE-2025-3600 (Progress Telerik UI for AJAX), CVE-2025-3464 (ASUS Armoury Crate), CVE-2025-5309 (BeyondTrust Remote Support and Privileged Remote Access), CVE-2025-5349, CVE-2025-5777 (Citrix ADC and Gateway), CVE-2025-5071 (AI Engine plugin), CVE-2025-4322 (Motors theme), CVE-2025-1087 (Insomnia API Client), CVE-2025-20260 (ClamAV), CVE-2025-32896 (Apache SeaTunnel), CVE-2025-50054 (OpenVPN), and CVE-2025-1907 (Instantel Micromate).

📰 Around the Cyber World

  • Prometei Botnet Resurgence in March 2025 — The botnet known as Prometei has been observed in renewed attacks in March 2025, while also incorporating new features. “The latest Prometei versions feature a backdoor that enables a variety of malicious activities. Threat actors employ a domain generation algorithm (DGA) for their command-and-control (C2) infrastructure and integrate self-updating features for stealth and evasion,” Palo Alto Networks Unit 42 said. Prometei, first spotted in July 2020, is capable of striking both Windows and Linux systems for cryptocurrency mining, credential theft, and data exfiltration. It can also deploy additional malware payloads. In recent years, it has exploited Windows systems unpatched against ProxyLogon flaws. As of March 2023, it was estimated to have compromised more than 10,000 systems since November 2022. “This modular design makes Prometei highly adaptable, as individual components can be updated or replaced without affecting the overall botnet functionality,” Unit 42 said.
  • BitoPro Hack Linked to Lazarus Group — Taiwanese cryptocurrency exchange BitoPro claimed the North Korean hacking group Lazarus is behind a cyber attack that led to the theft of $11,000,000 worth of cryptocurrency on May 9, 2025. “The attack methodology bears resemblance to patterns observed in multiple past international major incidents, including illicit transfers from global bank SWIFT systems and asset theft incidents from major international cryptocurrency exchanges. These attacks are attributed to the North Korean hacking organization ‘Lazarus Group,’” the company said. BitoPro also revealed the attackers conducted a social engineering attack on a team member responsible for cloud operations to implant malware and remotely access their computer, while evading security monitoring. “They subsequently hijacked AWS Session Tokens to bypass Multi-Factor Authentication (MFA),” it added. “From the AWS environment, they delivered commands via a C2 server to discreetly transfer malicious scripts to the hot wallet host, awaiting an opportunity to launch the attack. After prolonged observation, the hackers specifically targeted the platform during its wallet system upgrade and asset transfer period, simulating normal operational behaviors to launch the attack.” On May 9, the malicious script was executed to transfer cryptocurrency from the hot wallet. BitoPro said it shut down its hot wallet system, rotated all cryptographic keys, and isolated and rebuilt affected systems after discovering unusual wallet activity. The heist is the latest to be attributed to the notorious Lazarus Group, which was implicated in the record-breaking $1.5 billion theft from Bybit.
  • Microsoft Plans to Clean Up Legacy Drivers — Microsoft said it’s launching a “strategic initiative” to periodically clean up legacy drivers published on Windows Update to reduce security and compatibility risks. “The rationale behind this initiative is to ensure that we have the optimal set of drivers on Windows Update that cater to a variety of hardware devices across the Windows ecosystem, while making sure that Microsoft Windows security posture is not compromised,” the company said. “This initiative involves periodic cleanup of drivers from Windows Update, thereby resulting in some drivers not being offered to any systems in the ecosystem.”
  • Mocha Manakin Uses ClickFix to Deliver Node.js Backdoor — A previously undocumented threat actor known as Mocha Manakin has been linked to a new set of attacks that leverage the well-known ClickFix (aka Paste and run or fakeCAPTCHA) as an initial access technique to drop a bespoke Node.js backdoor codenamed NodeInitRAT. “NodeInitRAT allows the adversary to establish persistence and perform reconnaissance activities, such as enumerating principal names and gathering domain details,” Red Canary said. “NodeInitRAT communicates with adversary-controlled servers over HTTP, often through Cloudflare tunnels acting as intermediary infrastructure.” The backdoor comes with capabilities to execute arbitrary commands and deploy additional payloads on compromised systems. The threat actor was first observed by the cybersecurity company in January 2025. It’s assessed that the backdoor overlaps with a Node.js executable used in Interlock ransomware attacks.
  • China Targets Russia to Seek War Secrets — State-sponsored hackers from China have repeatedly broken into Russian companies and government agencies since the country’s invasion of Ukraine in 2022, likely looking for military secrets. According to The New York Times, intrusions accelerated in May 2022, with one group known as Sanyo impersonating the email addresses of a major Russian engineering firm to gather information on nuclear submarines. In a classified document prepared by the domestic security agency, Russia is said to have claimed that “China is seeking Russian defense expertise and technology and is trying to learn from Russia’s military experience in Ukraine,” calling China an “enemy.” Another threat actor of interest is Mustang Panda, which has expanded its scope to target governmental organizations in Russia and the European Union since the start of the Russo-Ukrainian war.
  • CoinMarketCap Website Hacked With Fake “Verify Wallet” Pop-up — CoinMarketCap (CMC), a popular platform for cryptocurrency tracking, disclosed that its website was hacked to serve a “malicious pop-up prompting users to ‘Verify Wallet’” with the goal of draining users’ digital assets. While it’s currently not clear how the attackers carried out the attack, the company said it has since identified and removed the malicious code from its site. According to Coinspect Security, the drainer was injected via CoinMarketCap’s rotating “Doodles” feature that’s served from the domain api.coinmarketcap[.]com. “CoinMarketCap’s backend API serves manipulated JSON data that injects malicious JavaScript through the rotating ‘doodles’ feature,” the company said. “Not all users see it, since the doodle shown varies per visit. The injected wallet drainer always loads if you visit /doodles/.” Specifically, this involves loading the drainer from the “CoinmarketCLAP” doodle’s JSON file, abusing a code injection weakness in the handling of Lottie animation JSON files to load arbitrary JavaScript from an external site named static.cdnkit[.]io. “On June 20, 2025, our security team identified a vulnerability related to a doodle image displayed on our homepage,” CoinMarketCap said. “This doodle image contained a link that triggered malicious code through an API call, resulting in an unexpected pop-up for some users when visited (sic) our homepage.” CoinMarketCap did not reveal how many users encountered the pop-up or whether any wallets were compromised. However, according to screenshots shared by a threat actor named ReyXBF on X, about $43,266 was siphoned from 110 victims who interacted with the fake wallet verification pop-up. “This was a supply chain attack, meaning the breach didn’t target CMC’s own servers but a third-party tool or resource used by CMC,” c/side said.
  • Malicious JavaScript Served via Corrupted Version of jQuery Migrate — In another supply chain threat, cybersecurity researchers discovered a malware infection chain that employed a malicious version of the jQuery Migrate library that had been altered to remotely insert and execute arbitrary JavaScript in the victim’s browser. The first step in the attack was the compromise of a legitimate WordPress site (“tabukchamber[.]sa”), likely either via a vulnerable plugin or compromised credentials, to inject obfuscated logic related to Parrot TDS, which is designed to fingerprint the browser and selectively serve malware to qualifying users based on certain criteria. In this case, one of the tailored JavaScript responses included a dropper script disguised as jquery-migrate-3.4.1.min.js. The attack, per Trellix, unfolded when a senior executive from one of its enterprise clients accessed the WordPress website. “This method of infection shows a well-planned, covert operation focused on blending malware into normal website behavior, leveraging the weakest link – unverified third-party frontend pipelines,” the company said.
  • Tesla Wall Connector Hacked to Carry Out Downgrade Attacks — Researchers demonstrated an attack technique that exploited the Tesla Wall Connector, a charger for electric vehicles, to install vulnerable firmware on the device and ultimately execute arbitrary code on it. The attack takes advantage of the fact that Tesla vehicles can update the charging connector through the charging cable using a proprietary protocol. Synacktiv said it pulled off a successful exploit in approximately 18 minutes due to the “low bandwidth of the SWCAN [Single-Wire Controller Area Network] bus.” To achieve this, a Tesla car simulator was built to communicate with the charger in SWCAN communication mode, enabling the researchers to trigger the downgrade logic, use Unified Diagnostic Services (UDS) to extract Wi-Fi credentials, and obtain a debug shell. Furthermore, a buffer overflow in the debug shell’s command parsing logic could be exploited to achieve code execution on the device. “Since the Wall Connector is typically connected to a home, hotel, or business network, gaining access to the device could provide a foothold into the private network, potentially allowing lateral movement to other devices,” the company said. Tesla has addressed the issue by implementing an anti-downgrade mechanism, preventing the firmware rollback used in the attack.
  • ASRJam Devised to Block Automated Phone Scams — A group of academics from Ben Gurion University of the Negev and Amrita Vishwa Vidyapeetham has developed a new framework called ASRJam that injects adversarial perturbations into a victim’s audio to disrupt an attacker’s Automatic Speech Recognition (ASR) system. Powered by a jamming algorithm dubbed EchoGuard, it leverages natural distortions, such as reverberation and echo, to counter speech recognition systems that are used by attackers to conduct vishing attacks and elicit sensitive information from victims or trick them into performing a malicious action. ASRJam “targets the weakest link in the attacker’s pipeline, speech recognition, disrupting LLM-driven vishing attacks without affecting human intelligibility,” according to the study.
  • AnonSecKh Targets Thai Entities After Border Flare-Up — A Cambodian hacktivist group has ramped up cyber attacks against Thai entities following a border skirmish between the two countries late last month that led to the death of a Cambodian soldier. The AnonsecKh group (aka ANON-KH or Bl4ckCyb3r) claimed at least 73 attacks on Thai organizations between May 28 and June 10, 2025. Targets included government websites, followed by entities in the military, manufacturing, and finance sectors. “Their attacks are tightly linked to political incidents and demonstrate a reactive pattern,” Radware said. “The group has shown the ability to launch rapid and intense attack waves.”
  • DoJ Seizes Record $225 Million in Crypto Tied to Romance Baiting Scams — The U.S. Department of Justice (DoJ) said it has filed a civil forfeiture complaint seeking to recover over $225 million in cryptocurrency linked to cryptocurrency confidence (aka romance baiting) scams running out of Vietnam and the Philippines, the largest crypto seizure by the U.S. government to date. “The cryptocurrency addresses that held over $225.3 million in cryptocurrency were part of a sophisticated blockchain-based money laundering network that executed hundreds of thousands of transactions and was used to disperse proceeds of cryptocurrency investment fraud across many cryptocurrency addresses and accounts on the blockchain to conceal the source of the illegally obtained funds,” the DoJ said. More than 430 suspected victims are believed to have lost their funds after being duped into believing that they were making legitimate cryptocurrency investments. According to TRM Labs, the scheme involved directing victims to fake investment platforms that impersonated legitimate trading environments, luring them with the promise of high returns. While these services enabled smaller withdrawals, they blocked access or imposed fake tax or fee requirements when victims initiated larger withdrawal requests. As many as 144 accounts at the virtual currency exchange OKX were used for laundering the proceeds of the operation. “These accounts exhibited patterns of coordinated activity, including the use of Vietnamese KYC documents, overlapping IP addresses geolocated in the Philippines, and KYC photographs taken in the same physical setting,” the company said.
  • Nigerian National Sent to U.S. Prison for Cyber Scams — Ridwan Adeleke Adepoju, a 33-year-old from Lagos, Nigeria, has been sentenced to three and a half years in federal prison for conducting a variety of cyber fraud schemes that targeted U.S. citizens and businesses, including phishing scams, romance scams, and submitting fraudulent tax returns. “The scams involved multiple spoofed email addresses, fictional social media personas, and unwitting money mules,” the DoJ said. Adepoju was arrested last year in the U.K. and later extradited to the U.S.
  • Malicious Firefox Browser Add-ons Spotted — Cybersecurity researchers have uncovered several add-ons in the official extensions marketplace for Mozilla Firefox that are capable of leading users to tech support scam websites through pop-ups related to fake virus alerts and system errors (Shell Shockers io), redirecting Wikipedia traffic to an alternative domain that advertises a proxy service (wikipedia engelsiz giris), and manipulating user engagement metrics on platforms like Facebook by artificially inflating likes and views.
  • Smartphones in North Korea Take Screenshots Every 5 Minutes — A smartphone smuggled out of North Korea in late 2024 had been programmed such that it takes a screenshot every five minutes and saves it in a folder, highlighting the extent to which the regime tries to exert its control over citizens, censor information, and indoctrinate people. BBC, which obtained the phone, said the device is engineered to automatically replace forbidden words with their North Korean equivalents, such as substituting the word “South Korea” with the term “Puppet state.”
  • U.K. Fines 23andMe for 2023 Data Breach — The U.K. data protection watchdog, the Information Commissioner’s Office (ICO), said it’s fining embattled genomics company 23andMe $3.1 million over its 2023 breach and for failing to implement appropriate security measures to protect the personal information of U.K. users. The 2023 hack allowed unidentified threat actors to conduct a credential stuffing attack between April and September 2023 to gain unauthorized access to personal information belonging to 155,592 U.K. residents, likely revealing names, birth years, self-reported city or postcode-level location, profile images, race, ethnicity, family trees, and health reports in the process. The exact nature of the exposed information varied on a per-user basis. The ICO faulted 23andMe for not implementing appropriate authentication and verification measures and for not enforcing controls over access to raw genetic data. It also said the company did not have effective systems in place to “monitor, detect, or respond to cyber threats targeting its customers’ sensitive information.” The ICO further said 23andMe took until the end of 2024 to sufficiently address the security issues that underpinned the credential-stuffing attack.
  • More than 46K Grafana Instances Vulnerable to CVE-2025-4123 — More than 46,000 internet-facing Grafana instances are susceptible to a recently disclosed security flaw (CVE-2025-4123, aka The Grafana Ghost) that could permit an attacker to run arbitrary code and take control of victims’ accounts by luring them into clicking URLs that cause a rogue Grafana plugin to be loaded from a site controlled by the threat actor, without requiring any elevated permissions. “The vulnerability also affects Grafana instances running locally by crafting a payload that takes advantage of the locally used domain name and port for the local service,” OX Security said. The disclosure comes as Censys revealed that there are nearly 400 web-based human-machine interfaces (HMIs) exposed to the internet, out of which 40 were fully unauthenticated and controllable by anyone with a browser. A majority of these systems have since been secured. On top of that, almost 35,000 solar power systems from 42 vendors have been detected as publicly exposing their management interfaces over the internet.
  • Viasat Hacked by Salt Typhoon — U.S. satellite communications company Viasat has acknowledged that it was targeted by China-linked Salt Typhoon hackers. According to Bloomberg, the breach was discovered earlier this year. Viasat confirmed that it had detected unauthorized access through a compromised device, but said it had found no evidence of impact to customers.
  • FreeType Zero-Day Exploited in Paragon Spyware Attacks — A security flaw in FreeType (CVE-2025-27363) was exploited as a zero-day in connection with a Paragon Graphite spyware attack that leveraged WhatsApp as a delivery vector, according to a report from SecurityWeek. In March, WhatsApp revealed that it disrupted a campaign that involved the use of Graphite spyware to target around 90 journalists and civil society members. The vulnerability was addressed by Google last month in Android.
  • VADER to Detect and Neutralize Dead Drops — Threat actors are known to leverage legitimate and trusted platforms like Dropbox, Google Drive, and Pastebin as dead drop resolvers (DDRs) to host information that points to the actual command-and-control (C2) servers in a likely effort to sidestep detection and blend in with regular activity within enterprise networks. This also makes the malicious infrastructure more resilient, since the attackers can dynamically change the list of C2 servers, in case the original one is taken down. Enter VADER, short for Vulnerability Analysis for Dead Drop Endpoint Resolution, which aims to improve web application security through proactive Dead Drop Resolver remediation. “Analyzing a dataset of 100,000 malware samples collected in the wild, VADER identified 8,906 DDR malware samples from 110 families that leverage 273 dead drops across seven web applications,” academics from the Georgia Institute of Technology said. “Additionally, it proactively uncovered 57.1% more dead drops spanning 11 web applications.”

🎥 Cybersecurity Webinars

  • They’re Faking Your Brand — Stop AI Impersonation Before It Spreads ➝ AI attackers are pretending to be your company, your execs—even your employees. From fake emails to deepfakes, it’s happening fast. In this webinar, Doppel will show how to detect and stop impersonation across the platforms that matter most—before customers or partners are fooled. Join to protect your brand in the age of AI threats.
  • AI Agents Are Leaking Data — Learn How to Fix It Fast ➝ AI tools like ChatGPT and Copilot are often linked to Google Drive or SharePoint—but without the right settings, they can leak private files. In this webinar, experts from Sentra break down real examples of how data exposure happens—and what you can do right now to stop it. If your team is using AI, this is a must-watch before something slips through.

🔧 Cybersecurity Tools

  • glpwnme — A simple, powerful tool to find and exploit known vulnerabilities in GLPI, a widely used IT asset management platform. It helps security teams and pen-testers detect issues like RCEs, plugin flaws, and default credentials across multiple GLPI versions. Ideal for red teaming, bug bounty, or internal audits, glpwnme also supports safe cleanup and plugin enumeration—making it perfect for fast, focused GLPI security checks.
  • Debloat — A simple tool that removes junk data from bloated executables—often 100–800MB added to evade sandboxing. With both GUI and CLI support, it cleans inflated binaries in seconds using automated detection of common packing tricks. Used by platforms like AssemblyLine and MWDB, it’s ideal for malware analysts and CERT teams who need fast, reliable cleanup before deeper analysis.

Disclaimer: These newly released tools are for educational use only and haven’t been fully audited. Use at your own risk—review the code, test safely, and apply proper safeguards.

🔒 Tip of the Week

SCCM Can Be a Silent Domain Takeover Tool — Here’s How to Secure It ➝ Microsoft’s System Center Configuration Manager (SCCM) is a powerful tool for managing software and devices across an organization. But because it touches so many systems, it’s also a big security risk if not set up carefully. Attackers who get access to just one user or machine can use SCCM’s Client Push feature to run code remotely on other systems. This often works because SCCM uses service accounts (like Distribution Point or Network Access accounts) that have admin rights on many machines. And if your environment still allows NTLM authentication or unsigned SMB traffic, attackers can quietly hijack these connections using tools like ntlmrelayx or PetitPotam—without triggering alerts.

Many IT teams miss the fact that SCCM setups often rely on shared local admin accounts, allow automatic client installs, and still support outdated security protocols. These common missteps make it easy for attackers to move through your network without being seen. What’s worse, the SCCM database and SMS Provider server, which are central to pushing software and storing credentials, are rarely locked down properly—leaving attackers a clear path to take control.

To protect your network, start by turning off NTLM fallback and turning on SMB signing through Group Policy. Then check which accounts SCCM uses to install clients—remove admin rights where not needed, and rotate those credentials regularly. Make sure the SCCM database uses dedicated service accounts, limits who can connect to it, and monitors logs like ClientPushInstallation.log for anything suspicious. Use tools like LAPS or gMSA to manage local passwords safely, and place SCCM servers in their own network group behind a firewall.

Finally, be careful where you run the SCCM admin console. Avoid using it on everyday laptops or general-use machines. Instead, use a secure, locked-down system just for admin work, and add protections like Credential Guard or use the RunAs /netonly command to keep admin credentials safe. When SCCM is secured properly, it blocks one of the easiest paths attackers use to spread through your network. But if it’s left wide open, it can give them quiet access to almost everything.
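As an added example that is not from this article or from Microsoft, the following PowerShell script audits the host-level settings the tip above asks for and helps with the log review it recommends. It checks that SMB signing is required on both the server and client side, that NTLM is restricted through the LSA registry values, and that Credential Guard is running, and it parses SCCM's CMTrace-format log lines so entries in ClientPushInstallation.log can be screened for client push attempts made with an account other than the one you expect. The sample log lines, the account names and the log path are constructed or assumed; the SCCM console option that turns off NTLM fallback for client push is not touched by this script, which only reads OS state and a text file.

```powershell
# Added example (not from The Hacker News or Microsoft). Read-only audit of the
# SCCM hardening points above. Run in an elevated PowerShell session on the
# site server. All sample data below is constructed for illustration.

function Test-SmbSigning {
    # Both sides must require signing, otherwise SMB connections can be relayed.
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    [pscustomobject]@{
        Check  = 'SMB signing required'
        Server = $srv.RequireSecuritySignature
        Client = $cli.RequireSecuritySignature
        Pass   = [bool]($srv.RequireSecuritySignature -and $cli.RequireSecuritySignature)
    }
}

function Test-NtlmHardening {
    # LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM responses.
    # RestrictSendingNTLMTraffic 2 (MSV1_0 key) = deny all outgoing NTLM.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $msv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check                = 'NTLM restricted'
        LmCompatibilityLevel = $lsa.LmCompatibilityLevel
        RestrictSendingNTLM  = $msv.RestrictSendingNTLMTraffic
        Pass = [bool]($lsa.LmCompatibilityLevel -eq 5 -and $msv.RestrictSendingNTLMTraffic -eq 2)
    }
}

function Test-CredentialGuard {
    # SecurityServicesRunning contains 1 when Credential Guard is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check = 'Credential Guard running'
        Pass  = [bool]($dg.SecurityServicesRunning -contains 1)
    }
}

function ConvertFrom-CMTraceLine {
    # SCCM logs use the CMTrace layout:
    # <![LOG[message]LOG]!><time="..." date="..." component="..." ...>
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        if ($Line -match '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"') {
            [pscustomobject]@{
                Date      = $Matches.date
                Time      = $Matches.time
                Component = $Matches.comp
                Message   = $Matches.msg
            }
        }
    }
}

function Find-ClientPushAnomaly {
    # Flags push attempts whose account is not on the approved list.
    param([string[]]$Lines, [string[]]$ApprovedAccounts)
    $Lines | ConvertFrom-CMTraceLine | ForEach-Object {
        if ($_.Message -match "using account '(?<acct>[^']+)'") {
            $acct = $Matches.acct
            if ($ApprovedAccounts -notcontains $acct) {
                [pscustomobject]@{
                    Date = $_.Date; Time = $_.Time; Account = $acct; Message = $_.Message
                }
            }
        }
    }
}

# Constructed sample: one push with the dedicated service account, one with a
# user account that should never be pushing clients.
$sampleLog = @(
    '<![LOG[---> Attempting to connect to administrative share ''\\WS01\admin$'' using account ''CORP\svc_ccmpush'']LOG]!><time="09:12:01.100+000" date="06-20-2025" component="SMS_CLIENT_CONFIG_MANAGER" context="" type="1" thread="4120" file="ccm.cpp:1234">',
    '<![LOG[---> Attempting to connect to administrative share ''\\FS02\admin$'' using account ''CORP\jdoe'']LOG]!><time="09:12:05.300+000" date="06-20-2025" component="SMS_CLIENT_CONFIG_MANAGER" context="" type="1" thread="4120" file="ccm.cpp:1234">'
)
$approved = @('CORP\svc_ccmpush')   # constructed: the only account allowed to push clients

Find-ClientPushAnomaly -Lines $sampleLog -ApprovedAccounts $approved | Format-Table -AutoSize
# Against a real log (path is an assumption; adjust for your site server):
# Find-ClientPushAnomaly -Lines (Get-Content 'C:\Program Files\Microsoft Configuration Manager\Logs\ClientPushInstallation.log') -ApprovedAccounts $approved

Test-SmbSigning     | Format-List
Test-NtlmHardening  | Format-List
Test-CredentialGuard | Format-List
```

On the constructed input, only the CORP\jdoe line is reported. The three Test- functions return objects with a Pass field so they can be fed into a scheduled compliance check; a failing SMB signing or NTLM check on the site server is the condition under which the relay tools named in the tip become usable against client push traffic.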

Conclusion

If the signals feel louder lately, it’s because they are. Attackers are refining their moves, not reinventing them—and they’re counting on defenders being too busy to notice. Don’t give them that edge. Sharpen your controls, simplify where you can, and keep moving faster than the threat.

Security isn’t just a solo effort—it’s a shared responsibility. If this recap helped you spot something worth a second look, chances are someone else in your network needs to see it too. Share it with your team, peers, or anyone responsible for keeping systems safe. A single overlooked detail in one environment can become the blueprint for risk in another.



Source: thehackernews.com…