Sunday, Jun 22, 2025 // (IG): BB // GITHUB // SN R&D
U.S. B-2 Bombers Strike Iranian Nuclear Sites, Pentagon Braces for Cyber and Kinetic Retaliation
NOTE:
This Iran strike represents the complete breakdown of multilateral diplomacy. It signals that the U.S. is now willing to use unilateral military force to enforce nonproliferation—a dangerous precedent that could unravel decades of international legal frameworks. As a policymaker, you're facing the collapse of the Iran nuclear deal architecture, the failure of sanctions as a policy tool, and the reality that military action is now the primary lever for preventing nuclear proliferation, which sets a catastrophic precedent for how other nuclear crises (North Korea, potential future threats) will be handled. The immediate policy crisis is managing alliance relationships—European allies are expressing "deep concern" because they weren't consulted, potentially fracturing NATO unity at a time when coordination against China and Russia is critical. Domestically, this represents a massive expansion of executive war powers without Congressional authorization, creating constitutional and political crises while forcing immediate decisions about military mobilization, defense spending increases, and potential draft considerations if this escalates to regional war.
Bottom Line Up Front (BLUF): On June 22, 2025, the U.S. launched coordinated airstrikes on Iran’s nuclear sites at Fordow, Natanz, and Isfahan using B-2 stealth bombers and Tomahawk cruise missiles. The Pentagon now anticipates retaliatory action from Iran within 48 hours, including potential missile strikes, cyberattacks, and proxy engagements across the region.
Analyst Comments: The strikes mark a significant escalation in U.S.-Iran tensions and may signal a redefinition of red lines in cyber and kinetic warfare. Iran's advanced ballistic missile arsenal and growing cyber capabilities pose credible threats to U.S. infrastructure and military assets across the Middle East. While the strikes were intended to delay Iran’s nuclear progress, they also risk spurring asymmetric retaliation, including cyberattacks on critical U.S. systems or attacks via proxies like Hezbollah and the Houthis. U.S. forces are already on high alert to defend against potential wiper malware, ICS disruption, and coordinated information warfare campaigns in the cyber domain.
FROM THE MEDIA: U.S. B-2 Spirit bombers deployed from Whiteman AFB executed precision strikes on Iran’s key nuclear facilities using GBU-57 bunker-busting bombs. Fordow, a fortified underground uranium enrichment facility, was the primary target, along with Natanz and Isfahan, which support Iran’s enrichment and conversion programs. Tomahawk cruise missiles from U.S. Navy submarines supplemented the strikes. The Pentagon is now on high alert, with F-22 and F-35 fighters deployed to Qatar and Turkey, THAAD and Aegis systems activated, and cyber defense teams bracing for retaliatory attacks. Iran’s leadership vowed severe punishment, and allied proxy forces, including Hezbollah and Houthi rebels, are reportedly mobilizing. Analysts warn the fallout could reshape regional alliances and global nonproliferation efforts.
READ THE STORY: BM
Pro-Israel Hackers Burn $90M in Nobitex Breach, Escalating Iran’s Crypto and Cyber Crisis
NOTE:
The Nobitex hack is more than just another crypto breach—it marks a turning point in how cyberattacks are used during wartime. We’re seeing not just theft or espionage, but something more targeted and strategic: the deliberate destruction of economic infrastructure. By burning nearly $90 million in digital assets and leaking internal source code, the hackers didn’t just hit a platform—they struck at the financial arteries of a sanctioned state. Iran’s response—a sweeping internet blackout and strict curfews on crypto exchanges—reveals how high the stakes have become.
This wasn’t only a financial operation; it was psychological warfare aimed at eroding user trust and forcing capital flight. With Nobitex’s transaction history reportedly linking it to groups like Hamas and the Houthis, it’s easy to see how a civilian exchange becomes a battlefield. At the same time, real-time prediction markets are turning conflict into something you can bet on. When speculation starts trading side by side with missile strikes and cyberattacks, it’s no longer just war—it’s war as a financial instrument.
Bottom Line Up Front (BLUF): Iran's largest cryptocurrency exchange, Nobitex, suffered a politically motivated cyberattack resulting in the loss of nearly $90 million. The group Predatory Sparrow, previously linked to Israeli cyber interests, claimed responsibility and deliberately burned the stolen assets, framing the attack as a blow to Iran’s financial infrastructure and sanction evasion networks.
Analyst Comments: The Nobitex hack marks a turning point in cyberwarfare where digital assets are targeted not for profit but as strategic assets within geopolitical conflict. By burning funds instead of laundering them, the attackers delivered a symbolic and economic blow to both the Iranian regime and its civilian crypto users. This breach underscores the vulnerability of centralized exchanges in politically sensitive regions and the emergence of crypto platforms as high-value targets in hybrid warfare. Expect future campaigns to blend financial disruption with psychological and reputational impacts, especially as blockchain forensics continue to expose ties between crypto flows and state-sanctioned activities.
FROM THE MEDIA: The attacker compromised hot wallets holding Bitcoin, Ethereum, Dogecoin, Tether, XRP, and others, with estimates of stolen funds ranging from $81.7M to $90M. Predatory Sparrow, the same group that hit Iran’s Bank Sepah a day earlier, claimed credit and published the full Nobitex source code online. Rather than cashing out, the hackers transferred crypto to “vanity burn addresses” labeled with anti-IRGC messages, rendering the assets unrecoverable. Iran's government imposed strict operating curfews on exchanges and initiated internet blackouts, as users faced suspended services and concerns over access to funds. Blockchain analysts have long linked Nobitex to sanctioned actors and militant groups, and the attack may accelerate international scrutiny of crypto's role in state financing.
READ THE STORY: MSN
Israel Confirms Iranian Missile Strike Killed Three, Cyber Retaliation Feared
Bottom Line Up Front (BLUF): Iran launched ballistic missiles into Israel in direct retaliation for U.S. and Israeli strikes on Iranian nuclear facilities. At least three people were killed and several injured. Israeli cyber defense units are now on heightened alert, anticipating cyberattacks on critical national infrastructure as part of a broader asymmetric response from Tehran.
Analyst Comments: Iran's missile response signals a calibrated but forceful warning, demonstrating its intent to retaliate without escalating into a full-scale war—yet. However, Iran’s cyber capabilities, including past intrusions into Israeli water and power systems, suggest further retaliation will likely include digital operations aimed at sowing disruption. The risk of simultaneous kinetic and cyber strikes—especially on military, healthcare, or transportation sectors—remains high in the coming days. With Iran leaning on cyber proxies and plausible deniability, Israel and its allies should brace for persistent, covert campaigns beyond immediate missile exchanges.
FROM THE MEDIA: The missiles reportedly evaded several layers of Israeli air defense systems, raising questions about detection and interception performance. Israeli Prime Minister Benjamin Netanyahu convened an emergency security cabinet meeting and warned of "unprecedented consequences" for any further attacks. The IDF has mobilized reserve units and enhanced cyber monitoring, particularly around national infrastructure networks. Iranian state media framed the attack as “measured,” though experts warn more aggressive cyber and proxy actions may follow.
READ THE STORY: JPOST
OpenVPN Driver Vulnerability (CVE-2025-50054) Allows System Crashes on Windows
Bottom Line Up Front (BLUF): A critical vulnerability in the Windows driver of OpenVPN, identified as CVE-2025-50054, has been patched in the alpha release of OpenVPN 2.7 (2.7_alpha2). The flaw could be exploited to crash affected Windows systems, posing a significant risk to users running vulnerable versions.
Analyst Comments: The flaw's discovery and patching during the alpha testing phase emphasize the importance of proactive testing even outside production deployments. With Windows still a dominant platform in enterprise environments, timely patching is crucial to prevent denial-of-service risks. Future development must prioritize secure driver design, especially with increasing reliance on remote connectivity tools.
FROM THE MEDIA: OpenVPN publicly disclosed and patched CVE-2025-50054, a Windows-specific driver vulnerability capable of triggering system crashes. The newly released OpenVPN 2.7_alpha2 addressed the issue, including architectural enhancements like multi-socket support and DNS improvements. The flaw was fixed in updated Windows MSI packages for the alpha version, but users are warned that production-ready patches may still be pending. Additional improvements in the release include running services as unprivileged users and switching to the win-dco driver for improved security. Despite being an early-stage build, this version underscores OpenVPN’s shift toward hardening performance and security postures.
READ THE STORY: GBhackers
OT Remote Access Security Undergoes Strategic Shift Toward Zero Trust and Risk-Aware Architectures
Bottom Line Up Front (BLUF): As cyber threats targeting industrial environments intensify, operational technology (OT) remote access security is undergoing a major transformation. Industry experts emphasize a shift away from legacy VPN-based models toward Zero Trust Network Access (ZTNA), Identity and Access Management (IAM), and segmented architectures like DMZs. The focus is now on risk-aware, context-driven access with strong identity verification and real-time monitoring.
Analyst Comments: OT environments are facing elevated risk due to legacy infrastructure and increasing geopolitical tensions. The evolution from basic VPNs to modern, identity-driven access models signals a recognition that industrial networks require security tailored to their unique uptime and operational demands. Over the next 3–5 years, AI-enabled threat detection and sector-wide intelligence sharing will become critical components of industrial cyber resilience. Organizations that treat remote access as a strategic capability—not just an IT convenience—will be best positioned to defend against future cyber-physical threats.
FROM THE MEDIA: Experts from Cisco, Xage Security, Dispel, and Takepoint Research outlined how legacy VPN and jump server setups are being phased out in favor of Zero Trust frameworks that enforce least privilege, real-time monitoring, and identity verification. New architectures emphasize secure cloud brokers, centralized session auditing, and adaptive access policies. Regulatory pressures from standards such as NERC CIP, NIST 800-53, and IEC 62443 are accelerating this shift. Executives warned that applying IT security models to OT environments without customization leads to misaligned priorities and operational disruptions. Looking ahead, experts predict that AI-enhanced monitoring and cross-sector collaboration via ISACs will play a pivotal role in ensuring industrial cyber resilience.
READ THE STORY: Industrial
Iran State TV Hijacked by Hacktivists Amid Ongoing Cyber Escalation
Bottom Line Up Front (BLUF): Iran’s state television channel, IRIB, was briefly hijacked mid-broadcast on June 20, 2025, by the hacktivist group Edalat-e-Ali (Justice of Ali). The attackers aired anti-regime messages and images of political prisoners in protest against government repression. This high-profile incident underscores the growing sophistication and visibility of politically motivated cyberattacks in the region.
Analyst Comments: The successful breach of IRIB's live broadcast system signals a significant operational capability of Edalat-e-Ali, suggesting internal vulnerabilities in Iran’s broadcast infrastructure. The group’s messaging strategy aims to erode public confidence in the regime and amplify dissent. This event may lead to stricter Iranian cyber policies and internal crackdowns while raising the profile of hacktivist operations globally. Expect future attacks targeting public trust and national symbolism.
FROM THE MEDIA: The hack occurred during a live program on June 20, interrupting the broadcast with footage of political prisoners and the group's logo. Edalat-e-Ali has previously gained notoriety for leaking surveillance footage from Iranian prisons in 2021. During this latest incident, the group displayed slogans denouncing Supreme Leader Ali Khamenei and calling for justice for victims of political oppression. Iranian state officials acknowledged the breach but downplayed its duration and impact. Cyber experts note that this attack required access to IRIB's internal systems, pointing to potential insider support or significant exploitation of security flaws.
READ THE STORY: THN
Surge in Hacktivist Cyberattacks Signals Escalation in Global Cyberwarfare
Bottom Line Up Front (BLUF): A sharp rise in hacktivist-led cyberattacks has been observed following recent geopolitical tensions, particularly involving Israel and Iran. These attacks mark an escalation in cyberwarfare tactics, with politically motivated actors increasingly targeting state infrastructure, media, and civilian services in symbolic and disruptive campaigns.
Analyst Comments: The resurgence of hacktivist operations reflects the growing overlap between geopolitical conflict and cyberspace, where digital activism can quickly morph into cyberwarfare. Events in the Middle East fuel a proxy battle online, drawing in ideologically aligned groups on both sides. As attribution remains complex and defenses uneven, these cyber skirmishes could escalate, affecting critical services and influencing public sentiment across borders. This trend may prompt governments to reclassify hacktivism from nuisance to national security threat.
FROM THE MEDIA: Pro-Iranian and pro-Israeli cyber groups have launched coordinated operations targeting government websites, public-facing services, and media outlets of rival states. These campaigns include DDoS attacks, website defacements, and data leaks intended to sow confusion and advance political narratives. The report notes that while many of these groups operate independently of state sponsorship, their goals often align closely with national interests, blurring the line between grassroots activism and cyber espionage. Security experts warn that these campaigns could set a precedent for digital escalation in future regional conflicts.
READ THE STORY: GBhackers
Critical Insomnia API Client Vulnerability Enables Remote Code Execution via Template Injection
Bottom Line Up Front (BLUF): A severe vulnerability in the Insomnia API Client, identified as CVE-2025-1087 with a CVSS score of 9.3, allows arbitrary code execution through client-side template injection. The flaw in the latest version (11.2.0) arises from unsafe use of the Nunjucks templating engine and has not yet been fully patched despite multiple mitigation attempts.
Analyst Comments: Exploiting this flaw requires minimal user interaction and can be triggered remotely via vectors like HTTP response cookies. The persistent bypassing of attempted fixes suggests more profound architectural weaknesses in how Insomnia processes untrusted input. Organizations should consider disabling template rendering until a definitive patch is released and avoid interacting with untrusted data through Insomnia.
FROM THE MEDIA: The issue stems from Insomnia’s use of the Nunjucks templating engine, which improperly evaluates user-supplied template expressions like {{7*7}}. Attackers can leverage this to execute arbitrary code using Nunjucks global functions such as joiner.constructor. Exploitation vectors include imported files, user input, and even Set-Cookie HTTP headers, potentially leading to complete system compromise. Despite efforts by developer Kong to sandbox the rendering process, workarounds have consistently been found. Researchers warn users to avoid importing or rendering untrusted data in the application.
READ THE STORY: GBhackers
Argentina Uncovers Russian Spy Ring Fueling Disinformation Campaigns
Bottom Line Up Front (BLUF): Argentina’s intelligence agency has identified a Russian-linked spy ring accused of running coordinated disinformation campaigns to promote Kremlin interests. The group, allegedly tied to Project Lakhta, operated under the guise of a covert organization called “The Company” and worked with local collaborators to influence Argentine public opinion and gather political intelligence.
Analyst Comments: Argentina’s discovery suggests Russia is expanding its information warfare beyond traditional targets like the U.S. and Europe. The tactics resemble previous campaigns seen in the West, including social media manipulation and infiltration of civil society. As Latin American nations strengthen their cyber defenses, we can expect more public disclosures and possible diplomatic friction involving Russian intelligence activity.
FROM THE MEDIA: The ring was allegedly led by Russian nationals Lev Andriashvili and Irina Iakovenko, who collaborated with Argentine citizens to disseminate pro-Russian content and conduct influence operations. Presidential spokesperson Manuel Adorni stated that the group tried to build a local network loyal to Russian interests by organizing focus groups, influencing civic groups, and gathering intelligence. The operation appears linked to Project Lakhta, a Russian interference initiative previously overseen by Wagner Group founder Yevgeny Prigozhin, known for its role in the 2016 U.S. election meddling.
READ THE STORY: The Record
Covert Iranian Operation Targets Israeli Social Media Users in Influence Campaign
Bottom Line Up Front (BLUF): The Foundation for Defense of Democracies (FDD) has uncovered a large-scale Iranian influence campaign instructing users, via the Telegram channel “CAR ONLINE,” on how to impersonate Israelis on X (formerly Twitter) using AI tools like ChatGPT. The campaign seeks to demoralize the Israeli public by disseminating Hebrew-language disinformation and psychological warfare content through coordinated fake accounts.
Analyst Comments: This operation exemplifies the evolution of influence campaigns from overt propaganda to more sophisticated, micro-targeted psychological operations. Iran’s use of fabricated personas and engagement tactics suggests an investment in long-term social manipulation rather than just immediate disruption. As conflicts increasingly spill into digital arenas, such influence operations may have cumulative effects on national morale, political discourse, and civil trust. Governments and platforms must bolster detection and transparency tools to defend against such covert manipulation.
FROM THE MEDIA: Cybersecurity experts have uncovered an Iranian-run influence campaign aimed at Israeli users on social media. The operation involved fake online personas posing as local citizens to infiltrate discussions, share manipulated narratives, and amplify anti-Israel sentiment. Researchers found evidence of coordinated activity across platforms, including X (formerly Twitter), Facebook, and Telegram. These fake accounts often commented on sensitive political topics, shared altered images, and engaged with real users to spread disinformation. The campaign aligns with broader Iranian efforts to destabilize Israeli society through non-kinetic cyber means. No specific group has claimed responsibility, but the tactics mirror those used by known Iranian threat actors in previous operations.
READ THE STORY: GBhackers
Hackers Compromise Over 700 ComfyUI AI Image Generation Servers for Crypto Mining
Bottom Line Up Front (BLUF): Security researchers have uncovered a campaign in which threat actors hijacked more than 700 ComfyUI servers—open-source tools for AI image generation—to deploy crypto miners. The attackers exploited unsecured API endpoints to gain remote access and abuse GPU resources for illicit Monero mining.
Analyst Comments: ComfyUI’s use of high-powered GPUs makes it a lucrative target for cryptojacking. As AI adoption grows, attackers will increasingly target similar platforms for financial gain. Organizations running AI workloads should enforce strict access control and monitor for unauthorized GPU activity.
FROM THE MEDIA: Once exposed servers were located, attackers deployed Python-based malware that downloaded and launched XMRig, a popular Monero mining application. The malware also included persistence mechanisms and altered configurations to maximize GPU usage. Most of the 700+ compromised servers were running in misconfigured environments without authentication. ComfyUI’s flexibility and support for NVIDIA GPUs made these servers especially attractive for mining operations. Sysdig recommends immediate patching and network isolation for affected nodes.
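To make the "monitor for unauthorized GPU activity" advice concrete, here is an added example (not Sysdig's tooling or anything from the report) that parses the CSV printed by nvidia-smi's compute-apps query and flags any GPU process whose executable is not under an operator-supplied allowlist. The sample output, the /opt/comfyui/ path and the allowlist are assumptions constructed for the example.

```python
"""Allowlist check for GPU compute processes on an AI image-generation host.

Added example. It reads the CSV from
  nvidia-smi --query-compute-apps=pid,process_name,used_memory --format=csv,noheader,nounits
and reports processes outside the allowed install prefixes; on a host without
nvidia-smi it falls back to the constructed sample so the logic can still be run.
"""
import csv
import io
import subprocess
from typing import Dict, List, Optional

NVIDIA_SMI_CMD = [
    "nvidia-smi",
    "--query-compute-apps=pid,process_name,used_memory",
    "--format=csv,noheader,nounits",
]

# Constructed sample: one expected ComfyUI worker (assumed path) and one
# miner-like process living in a hidden temp directory.
SAMPLE_OUTPUT = """\
24871, /opt/comfyui/venv/bin/python, 9830
31022, /tmp/.x/xmrig, 412
"""


def parse_compute_apps(text: str) -> List[Dict[str, object]]:
    """Parse nvidia-smi CSV rows into dicts: pid, process_name, used_memory_mib."""
    rows = []
    for rec in csv.reader(io.StringIO(text), skipinitialspace=True):
        if len(rec) != 3:
            continue  # blank or malformed line
        pid, name, mem = (field.strip() for field in rec)
        rows.append({
            "pid": int(pid),
            "process_name": name,
            # nvidia-smi prints [N/A] for memory on some configurations
            "used_memory_mib": int(mem) if mem.isdigit() else None,
        })
    return rows


def find_unexpected(rows: List[Dict[str, object]],
                    allowed_prefixes: List[str]) -> List[Dict[str, object]]:
    """Return rows whose executable path is not under any allowed prefix."""
    return [
        r for r in rows
        if not any(str(r["process_name"]).startswith(p) for p in allowed_prefixes)
    ]


def read_live_output() -> Optional[str]:
    """Run nvidia-smi; None if it is absent or fails (e.g. no NVIDIA GPU)."""
    try:
        return subprocess.run(NVIDIA_SMI_CMD, capture_output=True,
                              text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    text = read_live_output() or SAMPLE_OUTPUT
    for r in find_unexpected(parse_compute_apps(text), ["/opt/comfyui/"]):
        print(f"UNEXPECTED GPU PROCESS pid={r['pid']} {r['process_name']} "
              f"({r['used_memory_mib']} MiB)")
```

Run it from cron or a monitoring agent and alert on any non-empty result; widen the allowlist only for paths you deploy yourself.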
READ THE STORY: GBhackers
Alleged Ryuk Ransomware Operator Arrested in Ukraine and Extradited to U.S.
Bottom Line Up Front (BLUF): Ukrainian authorities have arrested a suspected member of the notorious Ryuk ransomware gang, who has now been extradited to the United States to face cybercrime charges. The individual is accused of participating in a global ransomware campaign that targeted U.S. hospitals, businesses, and government institutions.
Analyst Comments: Ryuk, once among the most prolific ransomware groups, has been largely dormant but remains emblematic of the evolution from individual cybercriminals to organized, transnational ransomware operations. The arrest may provide U.S. authorities with valuable intelligence on Ryuk’s structure, collaborators, and infrastructure, potentially enabling further disruption of legacy and affiliated threat groups.
FROM THE MEDIA: Ukrainian law enforcement detained an unnamed suspect allegedly tied to the Ryuk ransomware gang at the request of the United States. The arrest followed a coordinated investigation involving U.S. federal agencies and Ukrainian cyber police. Ryuk was responsible for ransomware attacks starting in 2018, including high-impact incidents against healthcare providers and municipal governments. The group reportedly extorted hundreds of millions of dollars in ransom payments. The arrested individual is now in U.S. custody and is expected to face federal charges related to computer intrusion, wire fraud, and conspiracy to commit extortion.
READ THE STORY: The Record
Items of interest
Iran Warns Citizens to Delete WhatsApp Amid Cyber Espionage Allegations Against Israel
Bottom Line Up Front (BLUF): Iranian officials have urged citizens to delete WhatsApp, claiming—without presenting evidence—that the app transmits user data to Israel. The warning follows escalating tensions after U.S. and Israeli strikes on Iran's nuclear infrastructure. WhatsApp and its parent company Meta have denied the allegations, emphasizing the platform's end-to-end encryption.
Analyst Comments: Amid rising geopolitical and cyber tensions, states like Iran may exploit fears of foreign surveillance to restrict digital communication and isolate domestic networks. While WhatsApp has previously been exploited through Israeli-developed Pegasus spyware, its current architecture is designed to be secure. However, this situation underlines a broader trend: governments weaponizing cybersecurity narratives to justify censorship or expand control over digital spaces.
FROM THE MEDIA: Iran's government publicly advised citizens to delete WhatsApp, citing concerns that the app secretly transmits user data to Israel. The announcement triggered renewed fears of foreign cyber surveillance during a time of heightened conflict between Israel, the U.S., and Iran. In response, WhatsApp released a statement denying the claims and reaffirming its use of end-to-end encryption, which prevents even the company itself from accessing message contents. The article highlighted Israel’s history of advanced cyber operations, including the Pegasus spyware incident in 2019, which did exploit a vulnerability in WhatsApp. While no recent breach was cited, Iran’s warning reflects broader mistrust of Western platforms and efforts to curtail their domestic usage amid conflict.
READ THE STORY: Cailber
Reverse Engineering WhatsApp Encryption for Chat Manipulation and More (Video)
FROM THE MEDIA: We reverse-engineered WhatsApp Web source code and successfully decrypted WhatsApp traffic. During the process, we translated all WhatsApp Web functions to Python and created the Burp Suite extension, which you can use to investigate WhatsApp traffic and extend it to find vulnerabilities.
WhatsApp Messenger Runs Arbitrary Python Code (Video)
FROM THE MEDIA: WhatsApp running arbitrary Python code would be a catastrophic security vulnerability that fundamentally breaks the trust model of the world's most widely used messaging platform. This would mean that WhatsApp could execute any Python script on users' devices without their knowledge or consent, giving attackers or even Meta itself unprecedented access to personal data, device controls, camera/microphone access, file systems, and network communications on over 2 billion global devices.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.