Friday, Jun 06, 2025 // (IG): BB // GITHUB // SN R&D
Microsoft Launches European Security Program to Counter Cyber Threats
Bottom Line Up Front (BLUF): Microsoft has announced a new European Security Program aimed at bolstering cybersecurity resilience for European customers. The initiative focuses on regional threat intelligence sharing, supply chain security, and collaborative incident response to address growing geopolitical risks and regulatory pressures.
Analyst Comments: This move reflects mounting concerns about state-sponsored cyberattacks in Europe, especially from Russia and China, and the need to align with EU cybersecurity directives like NIS2 and the Cyber Resilience Act. By establishing localized security operations and partnerships with European agencies, Microsoft seeks to reassure policymakers and customers that it is committed to data sovereignty and regulatory compliance. The program also aligns with broader efforts to reduce reliance on non-European cloud providers and improve supply chain transparency.
FROM THE MEDIA: Microsoft unveiled its European Security Program at the RSA Conference, citing increased cyber threats targeting critical infrastructure and European governments. The program will provide advanced threat intelligence sharing with local authorities, enhance support for incident response, and offer supply chain risk management solutions. Microsoft emphasized collaboration with European regulators and stakeholders to meet new compliance requirements under NIS2 and other frameworks. The company also pledged to expand regional security operations centers to improve rapid detection and mitigation of threats.
READ THE STORY: The Record
Iranian APT ‘BladedFeline’ Remains Hidden in Networks for 8 Years
Bottom Line Up Front (BLUF): ESET researchers have uncovered the Iranian state-sponsored group "BladedFeline," which has stealthily operated in networks across the Middle East, Europe, and Asia for nearly eight years. The group targets critical infrastructure and energy sectors using a sophisticated custom backdoor, advanced obfuscation, and living-off-the-land tactics to maintain long-term persistence and evade detection.
Analyst Comments: BladedFeline’s extended dwell time highlights the group’s high level of operational security and commitment to espionage. Their reliance on fileless techniques, Windows process injection, and dynamic command-and-control infrastructure makes them particularly difficult to detect with standard endpoint security solutions. The group’s use of compromised infrastructure and dynamic DNS for C2 further complicates attribution and mitigation. BladedFeline’s sophisticated tradecraft suggests a well-resourced, nation-state-level adversary intent on gathering strategic intelligence and potentially preparing for sabotage.
FROM THE MEDIA: The malware’s design focuses on maintaining a minimal footprint, using legitimate administrative tools such as PowerShell and Windows Management Instrumentation (WMI) to blend in with normal network activity. ESET researchers also found evidence of dynamic DNS services being used to hide C2 servers, along with the use of compromised third-party sites to mask activity. BladedFeline’s tactics, techniques, and procedures (TTPs) align with those commonly seen in other Iranian APT operations, including strategic targeting of key infrastructure to support broader geopolitical goals. ESET’s research emphasizes the importance of continuous threat hunting and advanced monitoring to counter such persistent threats.
READ THE STORY: GBhackers
Cellebrite to Acquire Corellium, Expanding Mobile Forensics Portfolio
Bottom Line Up Front (BLUF): Cellebrite has announced its plan to acquire Corellium, a startup known for its advanced iOS and Android device virtualization and research tools. The move aims to strengthen Cellebrite's mobile forensics capabilities, expand product offerings for law enforcement and enterprise customers, and enhance testing and analysis of mobile vulnerabilities.
Analyst Comments: Corellium's virtualized testing environment complements Cellebrite’s extraction and analysis technologies, offering a more comprehensive toolkit for investigating mobile devices. However, the merger could raise concerns about privacy, particularly given Corellium’s controversial legal battles with Apple over iOS device emulation. Additionally, regulators may examine the deal for potential antitrust implications in the mobile security market.
FROM THE MEDIA: Cellebrite announced its acquisition of Corellium on June 5, 2025. Corellium, known for its virtualized mobile device testing and security research tools, has faced litigation from Apple over alleged copyright infringement. Cellebrite’s CEO described the acquisition as a strategic move to provide customers with a more powerful and integrated mobile forensics platform. The merger is expected to close in the second half of 2025, pending regulatory approvals. Financial terms were not disclosed, but the deal signals Cellebrite’s commitment to expanding its capabilities in mobile device investigation and vulnerability research.
READ THE STORY: The Register
ONCD Nominee Faces Senate Scrutiny Over Cybersecurity Strategy
Bottom Line Up Front (BLUF): Sean Cairncross, the Biden administration’s nominee for the Office of the National Cyber Director (ONCD), faced tough questions from the Senate Homeland Security Committee during his confirmation hearing. Lawmakers pressed him on his plans to enhance the nation’s cybersecurity posture, particularly in light of escalating threats from China, Russia, and ransomware actors.
Analyst Comments: Senators focused on the nominee’s commitment to zero-trust architectures, software supply chain security, and public-private collaboration. Cairncross’s responses emphasized balancing regulatory measures with fostering innovation, reflecting the administration’s broader cybersecurity strategy. His background in international development and technology policy could influence ONCD’s approach to threat intelligence sharing and critical infrastructure resilience.
FROM THE MEDIA: Cairncross highlighted the importance of harmonizing cybersecurity standards across federal agencies and promoting collaboration with industry to defend against sophisticated cyber threats. He also acknowledged the need for improved incident response coordination and outlined priorities for advancing national cyber resilience. Several senators questioned how Cairncross would ensure accountability and transparency, especially amid increasing ransomware attacks and geopolitical cyber threats. His confirmation remains pending a full Senate vote.
READ THE STORY: The Record
Critical Apache Tomcat DoS Vulnerability Exploited in the Wild (CVE-2025-31650)
Bottom Line Up Front (BLUF): A critical denial-of-service (DoS) vulnerability (CVE-2025-31650) in Apache Tomcat's HTTP/2 implementation has been discovered and is actively exploited in the wild. The flaw, rated 7.5 on the CVSS scale, can be weaponized to exhaust server resources, rendering web applications and services unavailable.
Analyst Comments: Apache Tomcat’s widespread adoption in enterprise environments makes this a significant risk, especially for organizations that rely on its default HTTP/2 support for high-performance web applications. Administrators should prioritize patching and monitor for unusual traffic patterns that could indicate exploitation attempts. Threat actors, including ransomware operators and botnet herders, are likely to incorporate this exploit into automated attack frameworks due to its potential for wide-reaching disruption.
FROM THE MEDIA: The flaw results from inefficient stream lifecycle handling in the affected Tomcat versions (10.1.8, 9.0.73, and 8.5.96). Proof-of-concept (PoC) code demonstrating the attack was released on GitHub on June 5, accelerating exploitation by threat actors. Apache has released patches addressing the issue, urging all users to update immediately. The vulnerability affects Tomcat’s default configurations, meaning even out-of-the-box deployments are at risk. Researchers have observed active exploitation attempts in the wild, indicating that attackers are quick to integrate newly disclosed vulnerabilities into their campaigns.
READ THE STORY: GBhackers
Backdoored Python and NPM Packages Found in Popular Repositories
Bottom Line Up Front (BLUF): Researchers have uncovered multiple backdoored packages in PyPI and NPM repositories, which risk compromising developer systems and supply chains. The malware includes credential stealers and remote access trojans (RATs), underscoring persistent threats to open-source ecosystems.
Analyst Comments: This discovery highlights ongoing challenges in securing open-source software repositories, where malicious actors exploit the trust inherent in community-driven package ecosystems. The presence of credential-stealing malware and RATs demonstrates the evolving sophistication of supply chain attacks. As development teams increasingly rely on third-party packages, robust validation and monitoring mechanisms must be prioritized to mitigate these risks.
FROM THE MEDIA: The packages appeared legitimate at first glance but included hidden malware components that harvested data and granted remote access. Researchers identified the infected packages by analyzing suspicious code and reports from developers who noticed anomalous behaviors. The incident has prompted calls for stricter vetting and improved automated scanning processes in public repositories to prevent future supply chain compromises.
READ THE STORY: The Register
Chaos RAT Malware Targets Windows and Linux Systems in New Global Campaign
Bottom Line Up Front (BLUF): Researchers have identified a new campaign using Chaos Remote Access Trojan (RAT) to target both Windows and Linux systems. Written in Golang for cross-platform support, this malware leverages advanced obfuscation and modular features to conduct extensive post-exploitation activities, including data theft, remote command execution, and network reconnaissance.
Analyst Comments: By using Golang, attackers have developed a single codebase that compiles to multiple operating systems, allowing seamless deployment in mixed Windows-Linux environments—a common scenario in modern enterprise networks. The malware’s modular design, featuring dynamic plugin loading for additional functionality, means attackers can tailor attacks to specific victims, selecting capabilities like privilege escalation, data exfiltration, and network reconnaissance as needed. This level of customization increases the difficulty of detection and containment, particularly in organizations relying on signature-based defenses alone. Security teams should therefore prioritize behavior-based detection, anomaly monitoring, and robust endpoint protection to counter such versatile threats.
FROM THE MEDIA: FBI and Secret Service coordinated a joint operation to seize the domain of AVCheck, a platform widely used by cybercriminals to test malware samples against popular antivirus solutions. AVCheck enabled attackers to refine malware to evade detection, making it a key step in many malware campaigns. The takedown was the result of international law enforcement cooperation and highlights the importance of targeting enablers of cybercrime rather than solely focusing on direct malware operators. The domain seizure aims to significantly disrupt the malware testing process and reduce cybercriminals’ ability to launch successful attacks.
READ THE STORY: THN
Ukraine's Drone Strikes on Russian Strategic Bombers Undermine Russia's Air Deterrence
Bottom Line Up Front (BLUF): Ukraine launched coordinated drone attacks on Russian air bases, reportedly damaging or destroying a significant portion of Moscow’s strategic Tupolev bomber fleet. This setback challenges Russia’s capacity to launch long-range missile strikes and weakens its nuclear deterrent posture.
Analyst Comments: The strikes demonstrate Ukraine’s growing proficiency in long-range drone warfare and strategic targeting, highlighting Russia’s vulnerability even deep inside its own territory. The loss of strategic bombers like the Tu-95 and Tu-22M — essential for conventional and nuclear strike capabilities — forces Russia to reassess how it defends these assets and conducts its air operations. The strikes also strain Russia’s logistics and air defense systems, already stretched by ongoing operations. In the long term, the attacks could embolden other nations to consider drones as an asymmetric threat against high-value strategic targets, reshaping air force doctrine worldwide.
FROM THE MEDIA: Ukraine’s Security Service (SBU) coordinated attacks that damaged or destroyed dozens of Russian Tupolev bombers at multiple airfields, some as far as 3,000 miles from Kyiv. The attacks reportedly targeted aircraft parked outdoors in accordance with nuclear arms treaties. While Russia acknowledged some damage, independent analysis suggests that up to 40 bombers were affected. Ukraine’s President Zelensky personally authorized the strikes, citing repeated Russian attacks on Ukrainian civilian infrastructure. Russia is now expected to invest heavily in hardening air defenses and moving strategic assets to less vulnerable locations.
READ THE STORY: The Record
Broadcom Reports Strong Q2 2025 Results Driven by AI, Network, and Server Demand
Bottom Line Up Front (BLUF): Broadcom’s Q2 2025 earnings surpassed expectations with revenue of $12.5 billion, driven by high demand for AI chips, networking, and server components. The company's CEO highlighted AI-related products as key growth drivers, offsetting slower sales in broadband and mobile segments.
Analyst Comments: Broadcom’s focus on AI and infrastructure markets continues to pay off, positioning the company as a key supplier for hyperscalers and enterprise customers building out generative AI and data center capabilities. The steady growth in high-margin AI accelerators and networking solutions suggests Broadcom is well-positioned to weather cyclical downturns in other segments. Expect continued investment in AI supply chain resilience and software integration to bolster these high-growth opportunities.
FROM THE MEDIA: CEO Hock Tan credited generative AI adoption and increased spending on server and network infrastructure as key growth factors. While broadband and mobile chip sales were down, AI-related products, such as custom silicon for hyperscalers, saw significant traction. The company also announced its $61 billion VMware acquisition is expected to close later this year, expanding its software business. Broadcom’s stock rose 4% in after-hours trading following the earnings release.
READ THE STORY: The Register
Paste.ee Abused by Threat Actors to Spread XWorm and AsyncRAT Malware
Bottom Line Up Front (BLUF): Cybercriminals are exploiting the text-sharing platform Paste.ee to distribute malware payloads, including XWorm and AsyncRAT. This technique leverages publicly accessible pastebins to host malicious code, enabling threat actors to bypass conventional defenses and conduct large-scale malware campaigns.
Analyst Comments: Using pastebin-like services for malware delivery is a long-standing tactic that persists due to the trust placed in legitimate platforms. Paste.ee’s features, including code sharing and privacy settings, make it a convenient medium for hosting obfuscated scripts, droppers, and dynamic malware configurations. The abuse of such platforms allows attackers to update payloads without relying on compromised servers, complicating detection and takedown efforts. Organizations should implement strict content inspection for web traffic and block known malicious pastebin URLs to mitigate this threat.
FROM THE MEDIA: Attackers host malicious scripts on Paste.ee; these scripts are then downloaded and executed on target machines, deploying XWorm—a powerful remote access Trojan—and AsyncRAT, a versatile RAT often used in data exfiltration and surveillance operations. The attacks use phishing campaigns to trick users into executing the payloads, which are dynamically updated through Paste.ee to evade detection. Security researchers highlighted that the malware hosted on Paste.ee has been observed communicating with known command-and-control (C2) servers and deploying additional malicious modules post-execution. As threat actors continue to innovate, defenders must remain vigilant in monitoring internet traffic for suspicious pastebin usage.
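The monitoring recommended above can be reduced to a simple rule over proxy logs: a request to a paste service's raw/download endpoint from a non-browser client (PowerShell, curl, and the like) is the pattern a scripted dropper leaves behind. The following is an added example, not code from the article or from any vendor; the paste hosts, raw-path prefixes, user-agent markers, log format and log lines are all constructed assumptions to be tuned to a real environment.

```python
import re

# Assumed (not from the article): paste services and the URL path prefixes
# their raw/download endpoints use. Treat these as tunable placeholders.
PASTE_HOSTS = {"paste.ee", "pastebin.com"}
RAW_PATH_PREFIXES = ("/r/", "/d/", "/raw/")
# User-agent fragments typical of scripted, non-browser downloads (assumed list).
SCRIPT_UA_MARKERS = ("WindowsPowerShell", "PowerShell", "curl/", "Wget/",
                     "python-requests", "Go-http-client")
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed sample proxy log (not from any real incident):
# <timestamp> <client ip> "<user agent>" <method> <url> <status>
SAMPLE_PROXY_LOG = """\
2025-06-06T09:12:01Z 10.0.4.21 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0" GET https://paste.ee/p/abc123 200
2025-06-06T09:12:44Z 10.0.4.37 "Mozilla/5.0 (Windows NT 10.0; WindowsPowerShell/5.1.19041.1)" GET https://paste.ee/r/k9Lm2Q 200
2025-06-06T09:13:02Z 10.0.4.37 "Mozilla/5.0 (Windows NT 10.0; WindowsPowerShell/5.1.19041.1)" GET https://paste.ee/d/Zz81Xa/0 200
2025-06-06T09:15:10Z 10.0.4.52 "curl/8.4.0" GET https://pastebin.com/raw/Qw3rTy 200
2025-06-06T09:16:30Z 10.0.4.21 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0" GET https://example.com/index.html 200
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<ua>[^"]*)" (?P<method>[A-Z]+) '
    r'(?P<url>\S+) (?P<status>\d{3})$'
)
URL_RE = re.compile(r'^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?#]*)?')


def parse_line(line):
    """Parse one proxy log line into a dict; return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    u = URL_RE.match(rec["url"])
    rec["host"] = u.group("host").lower() if u else ""
    rec["path"] = (u.group("path") or "/") if u else ""
    return rec


def classify(rec):
    """Return (severity, reason) for a paste-site request, or None if not one."""
    if rec["host"] not in PASTE_HOSTS:
        return None
    raw = rec["path"].startswith(RAW_PATH_PREFIXES)
    scripted = any(marker in rec["ua"] for marker in SCRIPT_UA_MARKERS)
    if raw and scripted:
        return ("high", "raw paste fetched by non-browser client")
    if raw:
        return ("medium", "raw paste endpoint fetched by browser")
    if scripted:
        return ("medium", "non-browser client on paste site")
    return ("low", "interactive browsing of paste site")


def scan_proxy_log(text):
    """Return one finding per paste-site request found in the log text."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        verdict = classify(rec) if rec else None
        if verdict:
            findings.append({"client": rec["client"], "url": rec["url"],
                             "severity": verdict[0], "reason": verdict[1]})
    return findings


def worst_severity_per_client(findings):
    """Collapse findings to the highest severity seen for each client IP."""
    worst = {}
    for f in findings:
        cur = worst.get(f["client"])
        if cur is None or SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[cur]:
            worst[f["client"]] = f["severity"]
    return worst


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{f['severity']:6} {f['client']:10} {f['url']}  ({f['reason']})")
```

The "high" verdicts (raw paste plus scripting user agent) are the ones worth an alert; "low" hits from a browser are normal developer traffic and should only be counted, not paged on.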
READ THE STORY: GBhackers
Critical Cisco Identity Services Engine Vulnerability Allows Unauthenticated Remote Access
Bottom Line Up Front (BLUF): Cisco has disclosed a critical vulnerability in its Identity Services Engine (ISE) that allows unauthenticated remote attackers to gain administrative access by sending manipulated HTTP requests to the ISE web server. The flaw carries a CVSS score of 9.8; Cisco has published an advisory with affected versions and hotfixes, and no public exploit is known yet.
Analyst Comments: Attackers can exploit the flaw by crafting HTTP requests that bypass authentication checks, effectively granting them administrative privileges. Once exploited, an attacker could alter network policies, pivot deeper into corporate environments, or disrupt network services entirely. Given that Cisco ISE is often a linchpin in enterprise network access control, this vulnerability poses a significant risk to large-scale corporate environments. Security professionals should urgently apply Cisco’s recommended mitigations, which include updating to a patched version and restricting remote access where possible. Additionally, implementing robust network segmentation and monitoring for anomalous administrative activities are crucial steps to limit potential damage.
FROM THE MEDIA: The vulnerability was discovered by security researcher Pedro Ribeiro of Agile Information Security and reported to Cisco’s Product Security Incident Response Team. Cisco has issued a security advisory detailing affected versions and providing hotfixes to address the flaw. The vulnerability allows remote attackers to send manipulated HTTP requests that trick the ISE web server into granting unauthenticated administrative access. The issue is rated critical, with a CVSS score of 9.8, reflecting its potential for widespread exploitation and impact. Cisco emphasized that there is no known public exploit yet but urged immediate patching due to the high risk.
READ THE STORY: THN
Google Alerts on Cybercriminal Exploitation of Salesforce Apps
Bottom Line Up Front (BLUF): Google’s Threat Analysis Group (TAG) has issued a warning that threat actors are exploiting Salesforce’s cloud-based application platform to distribute malware and phishing campaigns. Attackers are embedding malicious scripts in Salesforce’s infrastructure to evade detection and compromise targets.
Analyst Comments: The use of legitimate Salesforce domains enables threat actors to exploit users’ trust and corporate whitelisting of cloud services. As organizations increasingly integrate with cloud-based CRM and productivity apps, security teams must scrutinize third-party integrations and enforce rigorous controls to prevent supply-chain compromise.
FROM THE MEDIA: Hosting malicious content on Salesforce’s own infrastructure makes phishing links appear legitimate and difficult to block. Google’s TAG urges organizations to review app permissions and implement strict domain controls to detect and prevent such abuse. Salesforce is reportedly working with Google to mitigate the threat and educate users on safe usage practices.
READ THE STORY: The Record
Items of interest
U.S. Offers $10M Bounty for Russian Hacker Linked to FSB
Bottom Line Up Front (BLUF): The U.S. State Department’s Rewards for Justice program is offering up to $10 million for information leading to the arrest of Maxim Rudometov, a Russian national accused of working with the FSB to target critical U.S. infrastructure with cyberattacks.
Analyst Comments: The bounty reflects ongoing U.S. efforts to disrupt state-sponsored cyber operations targeting critical sectors, highlighting a shift toward incentivizing actionable intelligence from global sources. Rudometov’s alleged links to the FSB’s cyber-espionage units underscore the blurred lines between Russian state actors and criminal proxies. The move signals a commitment to hold individuals accountable even as broader geopolitical tensions remain high.
FROM THE MEDIA: Maxim Rudometov, linked to Russia’s FSB and accused of targeting U.S. critical infrastructure, is now subject to a $10 million bounty under the Rewards for Justice program. According to the U.S. State Department, Rudometov and his team used malware and spearphishing to gain access to networks supporting water, energy, and emergency services. The bounty underscores Washington’s strategy to deter state-sponsored cyberattacks by incentivizing whistleblowers and informants. Russian officials did not comment on the allegations.
READ THE STORY: The Register
U.S. Joins International Action Against RedLine and META Infostealers (Video)
FROM THE MEDIA: RedLine and META Infostealers stole information from millions of victims around the world; U.S. complaint charges developer and administrator; U.S. law enforcement seizes infrastructure.
Infostealer malware is out to get you (Video)
FROM THE MEDIA: The threat of infostealer malware is widespread and difficult to eliminate, but awareness, cautious online behavior, and robust security practices can help mitigate risks.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.