Wednesday, Jun 18, 2025 // (IG): BB // GITHUB // SN R&D
Bots Now Account for Majority of Web Traffic, Overwhelming Websites and Skewing Analytics
Bottom Line Up Front (BLUF): A new report reveals that bots now generate more than half of all web traffic, with malicious bots—such as scrapers, credential stuffers, and DDoS tools—making up a significant portion. The surge in automated traffic is disrupting website performance, inflating analytics, and increasing cybersecurity risks for online businesses and services.
Analyst Comments: This growing dominance of bot traffic marks a pivotal challenge for both cybersecurity and digital operations teams. Beyond obvious threats like DDoS and credential stuffing, bots can also distort customer insights, impact SEO rankings, and introduce stealthy scraping or surveillance tools. Many enterprises continue to lack effective bot management strategies, leaving their infrastructure vulnerable to performance degradation and data exfiltration. As AI and automation lower the barrier to entry, we can expect bot sophistication and volume to rise—pressuring organizations to adopt advanced behavioral and threat-intelligence-based defenses.
FROM THE MEDIA: Automated bots are now responsible for over 50% of all global web traffic, according to findings from a new industry analysis. The report categorizes these bots into benign (such as search engine crawlers) and malicious, with bad bots accounting for 32% of all traffic. Malicious bot activity includes tactics such as web scraping, account takeover attempts, ad fraud, and DDoS attacks. Websites across e-commerce, finance, and media are particularly affected, with some experiencing degraded performance and skewed analytics. The research also notes a trend toward “AI-assisted bots” that mimic human behavior, making them harder to detect with traditional filters.
READ THE STORY: The Register
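As an added illustration of the behavioural signals the analyst comment on the bot-traffic story refers to (this is example code, not from the report or from The Register), the Python script below scores each client in a constructed sample of Combined Log Format access-log lines. The IP addresses, paths, thresholds and weights are assumptions chosen for the example; the point it makes is that a scraper copying a Chrome User-Agent string is still separable by what it never does: fetch stylesheets or images, send a Referer, or vary its request cadence.

```python
"""Behavioural bot scoring over web-server access logs.

Added example, not code from the cited report or article. A small heuristic
classifier that scores each client IP from constructed Combined Log Format
lines, using per-client behaviour (request rate, page-to-asset ratio,
Referer presence, timing regularity) rather than the User-Agent string,
which a bot can copy from a real browser.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
ASSET_EXT = (".css", ".js", ".png", ".jpg", ".woff2", ".ico")

# Constructed sample: 203.0.113.7 behaves like a browser session, 198.51.100.9 is a
# scraper walking /product/N every two seconds with the same spoofed Chrome UA.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Jun/2025:10:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0"
203.0.113.7 - - [18/Jun/2025:10:00:00 +0000] "GET /static/app.css HTTP/1.1" 200 812 "https://shop.example/" "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0"
203.0.113.7 - - [18/Jun/2025:10:00:01 +0000] "GET /static/app.js HTTP/1.1" 200 4010 "https://shop.example/" "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0"
203.0.113.7 - - [18/Jun/2025:10:00:19 +0000] "GET /product/42 HTTP/1.1" 200 7300 "https://shop.example/" "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0"
203.0.113.7 - - [18/Jun/2025:10:00:20 +0000] "GET /static/hero.jpg HTTP/1.1" 200 91000 "https://shop.example/product/42" "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0"
198.51.100.9 - - [18/Jun/2025:10:00:00 +0000] "GET /product/1 HTTP/1.1" 200 7300 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0"
198.51.100.9 - - [18/Jun/2025:10:00:02 +0000] "GET /product/2 HTTP/1.1" 200 7300 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0"
198.51.100.9 - - [18/Jun/2025:10:00:04 +0000] "GET /product/3 HTTP/1.1" 200 7300 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0"
198.51.100.9 - - [18/Jun/2025:10:00:06 +0000] "GET /product/4 HTTP/1.1" 200 7300 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0"
198.51.100.9 - - [18/Jun/2025:10:00:08 +0000] "GET /product/5 HTTP/1.1" 200 7300 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0"
198.51.100.9 - - [18/Jun/2025:10:00:10 +0000] "GET /product/6 HTTP/1.1" 200 7300 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0"
"""


def parse_log(text):
    """Parse Combined Log Format lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        entries.append(rec)
    return entries


def client_features(entries):
    """Per-IP behavioural features computed from the parsed entries."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)
    feats = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        times = [r["ts"].timestamp() for r in recs]
        span = max(times[-1] - times[0], 1.0)
        gaps = [b - a for a, b in zip(times, times[1:])]
        pages = sum(1 for r in recs if not r["path"].lower().endswith(ASSET_EXT))
        feats[ip] = {
            "requests": len(recs),
            "rate": len(recs) / span,                     # requests per second over the session
            "asset_ratio": 1 - pages / len(recs),         # browsers fetch CSS/JS/images, scrapers rarely do
            "no_referer_ratio": sum(r["referer"] == "-" for r in recs) / len(recs),
            "regular_timing": len(gaps) >= 3 and pstdev(gaps) < 0.5,  # machine-like cadence
            "pages": pages,
        }
    return feats


def score_clients(text, threshold=3):
    """Return {ip: (score, 'bot' | 'human')} for raw log text. Weights are assumptions."""
    verdicts = {}
    for ip, f in client_features(parse_log(text)).items():
        score = 0
        if f["pages"] >= 3 and f["asset_ratio"] == 0:
            score += 2   # page after page, never a stylesheet or image
        if f["rate"] > 0.3:
            score += 1   # faster than a person reads product pages
        if f["regular_timing"]:
            score += 2   # fixed inter-request interval
        if f["no_referer_ratio"] == 1.0:
            score += 1   # navigation that never came from a previous page
        verdicts[ip] = (score, "bot" if score >= threshold else "human")
    return verdicts


if __name__ == "__main__":
    for ip, (score, verdict) in sorted(score_clients(SAMPLE_LOG).items()):
        print(f"{ip:15} score={score} -> {verdict}")
```

Run against real logs, the same features should be fed to a rate limiter or challenge step rather than used as a hard block: a single threshold on hand-picked weights is the "traditional filter" an AI-assisted bot will eventually learn to satisfy, so the weights need to be re-derived from labelled traffic and combined with threat-intelligence reputation on the source network.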
Iran Restricts Internet Access Following Cyberattack on Bank Sepah
Bottom Line Up Front (BLUF): Following a high-profile cyberattack on Bank Sepah, Iranian authorities have imposed nationwide internet restrictions, targeting foreign platforms and slowing or blocking traffic in key provinces. The government cites national security concerns as the reason for the disruptions, which are aimed at limiting the impact of the breach and preventing further intrusions.
Analyst Comments: Iran's recurring use of internet throttling and access restrictions following cyber incidents signals a broader strategy of information containment and digital control, rather than transparent cybersecurity response. While these measures may limit external coordination by threat actors, they also disrupt essential services, stifle public communication, and reduce overall resilience. The attack’s fallout underscores Iran’s growing vulnerability to politically motivated cyber operations and the state’s reliance on network suppression over open incident mitigation.
FROM THE MEDIA: Iran has begun restricting access to parts of the internet in response to the destructive cyberattack on Bank Sepah, allegedly carried out by pro-Israeli hacktivist group Gonjeshke Darande. The disruptions include blocked access to platforms such as WhatsApp, Instagram, and Telegram, and significant traffic throttling across provinces like Tehran, Khuzestan, and Isfahan. The Iranian Ministry of Information and Communications Technology stated that the measures are “temporary” and aimed at preventing "data leakage and external manipulation.” These actions follow a pattern seen in past cyber incidents, such as the 2021 gas station hack, where national-level throttling was also used.
READ THE STORY: THN
China’s Hacking Tournaments Power Cyber-Espionage Machine Behind a Wall of Secrecy
Bottom Line Up Front (BLUF): China’s withdrawal from international hacking competitions like Pwn2Own has led to the rise of domestic tournaments, notably the Tianfu Cup, which now serves as a key feeder for zero-day vulnerabilities used by Chinese intelligence. Since 2018, regulations require Chinese researchers to report all discovered software vulnerabilities directly to the government, transforming these contests into strategic assets for state-sponsored cyber operations.
Analyst Comments: The shift from global to domestic hacking tournaments marks a strategic evolution in China’s cyber doctrine—prioritizing control over vulnerability disclosure and bolstering national offensive cyber capabilities. Unlike Western models, where vulnerabilities are typically reported to vendors for patching, China’s system funnels discoveries into state hands, potentially for espionage or cyberwarfare. This opacity limits international threat visibility and increases the risk of previously unknown exploits being deployed in targeted attacks without warning. The pivot toward hacking Chinese-made systems also aligns with Beijing’s "Delete America" tech decoupling initiative, reinforcing digital sovereignty.
FROM THE MEDIA: China’s dominance at Pwn2Own hacking competitions ended abruptly after 2017, following criticism from cybersecurity magnate Zhou Hongyi, who advocated that Chinese-discovered vulnerabilities should stay in China. In 2018, China launched the Tianfu Cup, its own elite hacking tournament, where vulnerabilities must first be reported to Chinese authorities under new cybersecurity laws. These rules were codified into strict data security regulations in 2021, mandating disclosure within 48 hours to the Ministry of Industry and Information Technology (MIIT), with penalties for noncompliance. According to leaked documents from Chinese firm i-Soon, vulnerabilities from Tianfu Cup have been used by the Ministry of Public Security in operations, including those targeting Uyghur populations. Unlike Western contests, Tianfu Cup findings are rarely shared publicly, fostering a black box around China’s vulnerability ecosystem.
READ THE STORY: Bloomberg
23andMe Faces UK Privacy Fine Amid Sale to Genomics Nonprofit TTAM
Bottom Line Up Front (BLUF): Genetic testing company 23andMe is under regulatory scrutiny after the UK Information Commissioner’s Office (ICO) announced a fine for failing to protect user data during a 2023 breach affecting nearly 7 million users. The penalty comes as 23andMe is being acquired by TTAM Research Institute, a genomics nonprofit led by Anne Wojcicki, 23andMe’s co-founder.
Analyst Comments: The timing of the ICO fine and the nonprofit acquisition suggests a strategic pivot for 23andMe, potentially aimed at rebuilding public trust after the reputational damage caused by the breach. While the fine highlights European regulators' continued focus on data protection, especially for sensitive genomic data, the move to nonprofit ownership raises questions about long-term data stewardship, transparency, and the organization's handling of previously monetized datasets. Regulators and privacy advocates will likely watch closely for changes in data governance under TTAM.
FROM THE MEDIA: The UK’s ICO fined 23andMe £2.31 million for failing to adequately protect user data during a 2023 credential-stuffing attack, which exposed genetic and ancestry data tied to roughly 6.9 million users. Although 23andMe had attributed the breach to customers reusing passwords, the regulator found that the company failed to implement sufficient safeguards (such as mandatory multi-factor authentication and login rate limiting), especially given the sensitivity of the data involved. Separately, 23andMe announced it will be acquired by TTAM Research Institute, a newly formed nonprofit focused on genomic research, led by Anne Wojcicki. The transition will involve transferring 23andMe’s assets to the nonprofit, marking a major change from its commercial direct-to-consumer model.
READ THE STORY: The Record
Hackers Claim Cyberattack on Iran’s Bank Sepah, Data Allegedly Destroyed
Bottom Line Up Front (BLUF): Hackers identifying as pro-Israeli claim to have carried out a destructive cyberattack on Iran’s Bank Sepah, alleging they wiped critical data and disrupted operations. The attack, which appears to be part of escalating cyber tensions between Israel and Iran, targeted one of Iran’s oldest and most strategically important financial institutions.
Analyst Comments: The claimed data destruction, if verified, suggests an intent to cripple—not just spy on—Iran’s financial infrastructure, representing a shift toward more overtly damaging tactics. Bank Sepah, long subject to international scrutiny and sanctions, holds financial and symbolic importance, making it a high-value target. Future retaliatory actions from Iranian cyber units or their proxies are likely, and the attack highlights increasing risks to critical financial infrastructure amid geopolitical cyber skirmishes.
FROM THE MEDIA: A group of hackers going by the name “Gonjeshke Darande” (Persian for “Predatory Sparrow”) claimed responsibility for a cyberattack on Bank Sepah, stating that they had accessed and wiped internal systems and backups. The group posted messages on social media and Telegram channels, along with documents allegedly stolen during the attack. While Iranian authorities have not confirmed the extent of the breach, government-linked media acknowledged “technical disruptions” at several bank branches. Bank Sepah plays a central role in Iran’s defense-related financial activities and has been previously sanctioned by the U.S. and U.N. for facilitating military procurement. The incident follows a broader pattern of retaliatory cyberattacks between Iranian and Israeli-linked entities, particularly targeting sensitive sectors like energy, telecom, and finance.
READ THE STORY: Cyberscoop
Google Patches Chrome Zero-Day CVE-2025-2783 Amid Active Exploitation
Bottom Line Up Front (BLUF): Google has released a security update for Chrome to patch a high-severity zero-day vulnerability, CVE-2025-2783, that is already being actively exploited. The flaw, a type confusion bug in the V8 JavaScript engine, could allow attackers to execute arbitrary code in the context of the browser.
Analyst Comments: The exploitation of CVE-2025-2783 underscores the ongoing attractiveness of browser-based vulnerabilities for both state-sponsored and financially motivated actors. As Chrome is widely used across the enterprise and consumer environments, such flaws offer an effective attack surface for drive-by downloads, phishing payloads, and surveillance implants. The consistent targeting of Chrome's V8 engine also signals attackers’ focus on JavaScript execution paths that can bypass sandboxing or be chained with other vulnerabilities. Rapid patch adoption is critical, as exploitation in the wild has already been confirmed.
FROM THE MEDIA: Google released Chrome version 126.0.6478.126 for Windows, Mac, and Linux to address CVE-2025-2783, a type confusion vulnerability in the V8 JavaScript engine. Discovered by an anonymous researcher, the flaw was reported to Google on June 11, and the company acknowledged it is being actively exploited in the wild. This marks the fourth Chrome zero-day patch in 2025. Although technical details have been withheld to prevent further abuse, type confusion vulnerabilities in V8 typically allow for memory corruption and arbitrary code execution, especially when chained with sandbox escape techniques. Users are urged to update Chrome immediately to mitigate risk.
READ THE STORY: THN
Scattered Spider Shifts Focus to Insurance Sector After High-Profile Retail Attacks
Bottom Line Up Front (BLUF): The financially motivated threat actor Scattered Spider has pivoted from targeting major retail organizations to now launching intrusions against the insurance sector, according to recent alerts from Google’s Mandiant and reports by The Record. The group is leveraging sophisticated social engineering and SIM-swapping techniques to bypass multi-factor authentication (MFA) and gain initial access.
Analyst Comments: Scattered Spider's shift toward insurance companies likely reflects a calculated move toward high-value data stores with lower cybersecurity maturity compared to sectors like finance or healthcare. This actor’s continued reliance on identity-based intrusions underscores the persistent weakness in MFA schemes, especially when used in isolation without strong phishing-resistant mechanisms. Given the sensitivity of data insurers hold—personal, financial, and sometimes health-related—this pivot could lead to more damaging data extortion and ransomware scenarios. Their tactics indicate a deepening operational maturity and a possible trajectory toward targeting critical infrastructure sectors.
FROM THE MEDIA: Google’s Mandiant division has observed a resurgence of Scattered Spider, also tracked as UNC3944, now focusing on insurance providers after a string of successful attacks on major U.S. retailers. The group uses advanced social engineering techniques, including impersonating IT staff, conducting voice phishing, and executing SIM-swapping operations, to bypass MFA and gain access to enterprise environments. Scattered Spider is known for partnering with ransomware affiliates like ALPHV/BlackCat, and their tactics have been linked to both extortion and data theft. Google notes that the group targets identity infrastructure, such as Microsoft Entra ID (formerly Azure AD) and Okta, once inside networks, often exploiting weak authentication flows and cloud misconfigurations. Mandiant warns that the group's long dwell time and lateral movement capabilities pose a significant threat across industry sectors.
READ THE STORY: THN
Amazon Launches Second Batch of Project Kuiper Satellites, Accelerates LEO Internet Deployment
Bottom Line Up Front (BLUF): Amazon successfully launched its second batch of Project Kuiper satellites on June 17, 2025, marking a major step forward in its plan to build a low Earth orbit (LEO) broadband constellation. The company aims to deliver global high-speed internet access and compete directly with SpaceX’s Starlink.
Analyst Comments: With Project Kuiper’s momentum increasing, Amazon is solidifying its position in the satellite broadband race. This launch signals not only technical progress but also growing strategic interest in space-based infrastructure, which has implications for cybersecurity, surveillance, and digital sovereignty. As more commercial LEO networks become operational, protecting these constellations from both physical and cyber threats will be crucial. Expect increased scrutiny from regulators and national security stakeholders as Amazon prepares for customer trials later this year.
FROM THE MEDIA: Amazon launched its second deployment of production Kuiper satellites aboard a United Launch Alliance Atlas V rocket, following two prototype satellites launched in 2023 and the first production batch launched in April 2025. The latest batch is part of Amazon’s plan to deploy 3,236 satellites to provide global internet coverage, with service expected to begin by the end of 2025. Project Kuiper’s goal is to close connectivity gaps, especially in underserved regions. Amazon has also announced plans to begin beta testing with enterprise customers before scaling to consumers. This move intensifies the competition with SpaceX’s Starlink and other LEO ventures, including OneWeb and China’s Guowang.
READ THE STORY: The Register
Critical TP-Link Router Vulnerability (CVE-2023-33538) Actively Exploited via Root Command Injection
Bottom Line Up Front (BLUF): CVE-2023-33538 is a critical unauthenticated command injection vulnerability affecting multiple TP-Link router models, including WR940N, WR941ND, and TL-WR841N. The flaw resides in the /cgi?2 endpoint of the router's web management interface and allows remote attackers to execute arbitrary shell commands with root privileges. Exploitation is actively occurring in the wild.
Analyst Comments: This vulnerability represents a textbook example of insecure input handling in embedded web interfaces. The presence of unauthenticated access to a command injection vector significantly lowers the exploitation barrier, making it attractive for botnet operators and APT groups. Given the high install base of these TP-Link models globally, the attack surface is broad—especially since many consumer routers remain unpatched due to user inattention or lack of update mechanisms. We expect CVE-2023-33538 to be incorporated into automated exploit kits and IoT malware frameworks like Mirai variants.
FROM THE MEDIA: Researchers from Zero Day Initiative (ZDI) discovered that TP-Link's firmware processes certain CGI requests without proper input validation, specifically on the /cgi?2 endpoint. Attackers can craft specially formatted HTTP requests to exploit a command parameter, injecting arbitrary shell commands that are executed with root privileges. The vulnerability has a CVSS score of 9.8 and affects firmware versions used in TP-Link WR940N, WR941ND, and TL-WR841N routers. Proof-of-concept (PoC) exploits are already public, and attackers are leveraging this vector to deploy persistent malware and potentially conscript devices into botnets. TP-Link has released patched firmware, but exploitation continues due to lagging patch adoption among users. Reports indicate attacks have increased notably in the past 30 days.
READ THE STORY: CyberNews
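The bug class behind the TP-Link story, shown as an added example in Python (not TP-Link firmware and not a reproduction of the CVE-2023-33538 exploit). The endpoint and parameter name are hypothetical (a "/diag?host=" ping helper of the kind many consumer routers expose), and `echo` stands in for the real diagnostic binary so the code runs offline. It places the vulnerable handler beside a hardened one and adds the triage check a SOC analyst would run over access logs for the same pattern.

```python
"""Command injection in an embedded web handler: vulnerable form, hardened form, triage check.

Added example, not TP-Link code and not the CVE-2023-33538 exploit. A hypothetical
"/diag?host=" handler models the bug class: a CGI handler that concatenates a
request parameter into a shell command line that the firmware runs as root.
"""
import ipaddress
import re
import subprocess
from urllib.parse import parse_qs

# RFC 1123-style hostname: labels start with an alphanumeric, so a value can never
# begin with '-' and be parsed as an option by the diagnostic binary.
HOSTNAME_RE = re.compile(
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)
# Characters that only matter if a value reaches /bin/sh; useful for log triage.
SHELL_META_RE = re.compile(r"[;&|`$<>\r\n]")


def _host_param(query):
    """Extract the (hypothetical) host parameter from a raw query string."""
    return parse_qs(query, keep_blank_values=True).get("host", [""])[0]


def run_vulnerable(query):
    """The bug: the untrusted value is interpolated into a command string run by /bin/sh."""
    cmd = f"echo {_host_param(query)}"   # in firmware this would be ping/traceroute, as root
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def is_valid_target(value):
    """Allow-list: a literal IP address or a plain hostname, nothing else.

    fullmatch() is used deliberately: '$' in a normal match would accept a value
    with a trailing newline, which is exactly the separator an injection needs.
    """
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(value) and len(value) <= 253 and HOSTNAME_RE.fullmatch(value) is not None


def run_hardened(query):
    """The fix: validate against the allow-list, then pass the value as one argv element, no shell."""
    host = _host_param(query)
    if not is_valid_target(host):
        raise ValueError("rejected host parameter")
    return subprocess.run(["echo", host], capture_output=True, text=True).stdout


def looks_like_injection(query):
    """Triage check for access logs or a WAF: any decoded parameter value with shell metacharacters."""
    for values in parse_qs(query, keep_blank_values=True).values():
        if any(SHELL_META_RE.search(v) for v in values):
            return True
    return False


if __name__ == "__main__":
    benign = "host=127.0.0.1"
    hostile = "host=127.0.0.1%0aecho%20INJECTED"     # newline-separated second command
    print("vulnerable/benign :", run_vulnerable(benign).split())
    print("vulnerable/hostile:", run_vulnerable(hostile).split())   # both commands ran
    print("hardened/benign   :", run_hardened(benign).split())
    try:
        run_hardened(hostile)
    except ValueError as exc:
        print("hardened/hostile  :", exc)
    print("triage flags hostile:", looks_like_injection(hostile))
```

Two details carry over directly to firmware review: the vulnerable path is not fixed by escaping quotes (the newline in the sample needs none), only by never handing the value to a shell; and the allow-list must be anchored with a full-string match, since a regex anchored with `$` accepts a trailing newline. The triage check is deliberately noisy and is meant for hunting in logs, not for blocking.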
Russia Detects First SuperCard Malware Attacks Exploiting NFC Banking Systems
Bottom Line Up Front (BLUF): Russian cybersecurity agencies have identified the first known attacks involving “SuperCard” malware, a new threat designed to exploit NFC-based contactless banking systems. The malware targets point-of-sale (POS) terminals and smartphones to steal banking data via near-field communication (NFC), marking a significant evolution in financial cybercrime.
Analyst Comments: SuperCard represents a novel leap in banking malware, weaponizing NFC, a technology often considered safer than traditional card swipes, to covertly skim payment data. The malware’s sophistication and its targeting of Russia's domestic banking infrastructure suggest it could be leveraged by criminal or state-aligned groups with deep technical capability. As NFC continues to proliferate globally through smartphones and contactless cards, similar malware strains could soon emerge in other regions, especially where mobile payments dominate. Financial institutions should begin reassessing NFC threat models and endpoint protections.
FROM THE MEDIA: Russian cyber authorities have disclosed multiple incidents involving the SuperCard malware, which is capable of harvesting banking credentials and card data transmitted via NFC. The malware targets devices and terminals operating near users conducting contactless payments, extracting information like card numbers and authentication data. While full technical details remain classified, sources indicate the malware uses radio sniffing and device spoofing techniques to intercept transmissions between cards and POS terminals. This marks the first known malware exploiting NFC at this scale in Russia. Analysts warn that this could lead to wider abuse of contactless payment systems and recommend limiting unnecessary NFC functionality on critical devices.
READ THE STORY: The Record
Zyxel Vulnerability CVE-2023-28771 Resurfaces in Mirai-Linked Attacks Targeting Global Infrastructure
Bottom Line Up Front (BLUF): The critical Zyxel vulnerability CVE-2023-28771, previously exploited in a coordinated cyberattack on Denmark’s energy sector, is once again under active exploitation. According to GreyNoise, a sudden surge in attack traffic was observed on June 16, 2025, with over 240 unique IPs attempting exploitation, suggesting renewed botnet activity, likely associated with a Mirai variant.
Analyst Comments: The reemergence of CVE-2023-28771 as a favored attack vector highlights the persistence of attackers in leveraging known but poorly mitigated vulnerabilities in edge and network equipment. The high severity of this bug, combined with UDP-based delivery and probable source-IP spoofing, makes it attractive for rapid and stealthy botnet expansion. Given the vulnerability's prior use in the 2023 campaign against Danish critical infrastructure, in which 22 energy-sector organizations were attacked and 11 compromised, its renewed exploitation raises serious concerns about global operational technology (OT) security, particularly in the energy and telecom sectors.
FROM THE MEDIA: GreyNoise reported a sudden spike in exploitation attempts against Zyxel firewalls and VPN gateways vulnerable to CVE-2023-28771, an improper error message handling flaw in the IKE packet processing that allows unauthenticated remote OS command execution. The burst of activity on June 16 involved 244 unique IPs, mostly targeting the US, UK, Spain, Germany, and India, with all source IPs tied to Verizon Business infrastructure, though because the exploit is delivered over UDP port 500 the source addresses can be spoofed and the attribution to that network is unreliable. The vulnerability was initially exploited in May 2023, just weeks after Zyxel released patches, with Denmark’s SektorCERT later confirming that 11 energy companies were breached. The ongoing threat is likely automated, linked to an evolving Mirai botnet, known for targeting IoT and networking devices.
READ THE STORY: Reuters
Pro-Cambodian Hacktivists Target Thai Government in Cyber Retaliation Over Border Clash
Bottom Line Up Front (BLUF): Cambodian hacktivist group AnonsecKh (also known as Bl4ckCyb3r) has launched a wave of cyberattacks against Thai government, military, and private sector websites amid escalating tensions over the Preah Vihear Temple border dispute. At least 73 attacks were claimed in the two weeks following the fatal May 28 skirmish between Cambodian and Thai forces.
Analyst Comments: The shift from targeting just government sites to hitting manufacturing and academic institutions suggests a broader intent to cause reputational and operational disruption. While primarily consisting of DDoS and website defacements, such campaigns risk escalating to more destructive methods, especially if nationalist sentiment fuels cyber escalation. This also underscores the growing threat of digitally enabled asymmetric retaliation from non-state actors in localized conflicts.
FROM THE MEDIA: Cambodian-linked hacktivists began targeting Thai digital infrastructure in March 2025, intensifying their efforts after a Cambodian soldier was killed in a border skirmish near the Preah Vihear Temple on May 28. The group, operating under the moniker AnonsecKh, claimed over 70 cyberattacks by mid-June, targeting high-profile Thai entities including the Ministry of Defense, Ministry of Foreign Affairs, and the Bangkok Metropolitan Administration. Nearly 50% of their attacks have focused on Thai government and military sites, while over 25% targeted manufacturing firms. The group primarily uses DDoS attacks and website defacements, often broadcasting their activity on Telegram. Thai authorities have responded by issuing arrest warrants for alleged group members, as confirmed by the country’s Cyber Crime Investigation Bureau (CCIB).
READ THE STORY: The Record
Viasat Confirmed as Target in Salt Typhoon Cyberespionage Linked to Chinese State Actors
Bottom Line Up Front (BLUF): Satellite communications firm Viasat was reportedly compromised by the Chinese-linked Salt Typhoon cyberespionage group during the 2024 U.S. presidential campaign. While Viasat states that no customer data was impacted and the incident has been remediated, the breach adds to an expanding list of telecom targets allegedly accessed by Chinese intelligence for surveillance and intelligence gathering.
Analyst Comments: The targeting of Viasat by Salt Typhoon highlights the strategic value placed on satellite communications in modern cyber conflict. Unlike earlier campaigns focused on call metadata and mobile networks, compromising a satellite operator like Viasat signals a move toward disrupting or surveilling resilient, high-value communication channels. Given the group's prior focus on telecoms and political figures, the incident reflects a broader geopolitical effort to collect signals intelligence during key democratic processes. This breach also illustrates how cyber campaigns increasingly overlap with election security and global telecom infrastructure.
FROM THE MEDIA: Viasat was named as a victim of the Salt Typhoon cyberespionage campaign attributed to China. The breach, which took place during the 2024 U.S. presidential campaign, was detected earlier this year and has since been investigated by Viasat and third-party security experts. While the company confirmed unauthorized access via a compromised device, it stated no customer data was affected and that the incident had been contained. Salt Typhoon has previously targeted major U.S. telecoms including Verizon, AT&T, and Lumen, stealing audio data and metadata. Officials believe the group gained access to internal telecom networks and leveraged that access to geolocate users and intercept calls. Chinese authorities have denied any involvement.
READ THE STORY: SecurityWeek
Alleged Killer Found Minnesota Lawmaker Using Data Broker Information
Bottom Line Up Front (BLUF): A man accused of killing Minnesota state legislator Rep. Melissa Hortman reportedly used commercial data broker services to obtain her home address. The incident has reignited calls for stronger regulations on the sale of personal data, particularly regarding public officials and other high-risk individuals.
Analyst Comments: The ability for individuals—including potential attackers—to easily purchase detailed location data presents significant risks not just to lawmakers, but to journalists, judges, and victims of domestic violence. The incident may catalyze new legislative efforts at both the federal and state levels to curb data broker access and impose stricter opt-out mechanisms or prohibitions for vulnerable individuals.
FROM THE MEDIA: Investigators found that the man charged with murdering Minnesota lawmaker Melissa Hortman had purchased her residential address from a data broker, using a credit card and minimal identifying information. Law enforcement confirmed that the suspect did not have a personal connection to the victim but had previously expressed anger toward public officials on social media. The case has drawn bipartisan outrage, with state lawmakers urging immediate reforms to restrict public access to private addresses through commercial data platforms. While some states like California and Vermont have begun regulating data brokers, there is still no comprehensive federal law governing the industry.
READ THE STORY: The Record
Items of interest
Russia–China Military Cooperation Deepens Despite Lack of Formal Alliance
Bottom Line Up Front (BLUF): Russia and China are rapidly expanding military cooperation through joint exercises, technology transfers, and strategic coordination, without entering a formal alliance. A new report from the Center for European Policy Analysis (CEPA) outlines how this "partnership short of alliance" allows both powers to advance shared strategic objectives—particularly against the West—while maintaining flexibility and plausible deniability.
Analyst Comments: The deepening Russia-China military relationship represents a growing security concern for NATO and Indo-Pacific partners. Though not codified through treaty, the collaboration increasingly resembles de facto alignment, particularly in cyber, space, and hybrid operations. This evolving partnership may serve as a force multiplier in crisis scenarios, such as Taiwan or Eastern Europe, where coordination—even if informal—could stretch Western response capabilities. Western intelligence and defense planning should treat this cooperation as a strategic alignment in all but name.
FROM THE MEDIA: While both nations refrain from forming a binding defense pact, the cooperation is increasingly institutionalized through mechanisms like regular high-level defense meetings, naval patrols, and shared threat assessments. The report stresses that China benefits from Russian operational experience, particularly in electronic warfare and battlefield command, while Russia gains access to advanced Chinese surveillance and drone systems. Notably, this coordination avoids triggering formal alliance obligations, allowing strategic ambiguity while signaling unified opposition to U.S.-led security structures.
READ THE STORY: CEPA
How Chinese companies are supporting Russia’s military (Video)
FROM THE MEDIA: In 2022, total bilateral trade between Russia and China hit a record high of $190 billion, up 30% from 2021. 2023 is set to eclipse that figure, with total trade hitting $134 billion in the first seven months. That is prompting concern from Western officials, who say the economic boost – and the trade of specific goods – is giving Moscow a helping hand in its war in Ukraine.
China, Iran, Russia Hold Joint Naval Drill, Eye Military Cooperation Boost (Video)
FROM THE MEDIA: The navies of Iran, Russia and China will hold military drills off the coast of Iran this week in a bid to boost cooperation.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.