Weekly Summary Cyberattacks 26 jun-02 jul
02 July 2025

French cybersecurity agency identifies “Houken,” China-linked cyber group exploiting critical vulnerabilities

The French cybersecurity agency ANSSI has uncovered the operations of an advanced threat group named Houken, active since September 2024. This actor exploited zero-day vulnerabilities in Ivanti Cloud Service Appliance devices to infiltrate strategic sectors in France, including government, telecom, media, finance, and transport. Houken blends publicly available Chinese-developed tools with advanced capabilities, including custom Linux rootkits for remote control and system persistence. It also uses webshells and proxy tunnels on Microsoft Exchange servers. After initial access, the attackers move laterally, steal credentials, and install backdoors. ANSSI links Houken to UNC5174—a group previously tied to China’s Ministry of State Security—based on shared tools, behavior, and infrastructure. Beyond espionage, Houken has also deployed Monero cryptominers, suggesting financial motives. The operation remains active into 2025, and ANSSI warns that it poses a persistent global threat.  

TransferLoader: new phishing threat suggests potential link between TA829 and UNK_GreenSec

In February 2025, TransferLoader emerged as a new malware downloader tied to phishing campaigns resembling those of the TA829 group, but attributed to UNK_GreenSec. The attack starts with fake job application emails linking to an executable file disguised as a résumé, using advanced evasion and encryption techniques. The malware checks that the filename hasn’t been altered and dynamically resolves Windows API calls via hashed function names to avoid detection. It decrypts next-stage data from specific file sections using custom algorithms. TransferLoader has been seen deploying Metasploit and, in some cases, leading to infections with Morpheus ransomware. Since June, updated versions have appeared with enhanced infrastructure, including AWS links, proxies, and compromised domains. While there is no definitive proof of a direct link between TA829 and UNK_GreenSec, overlapping techniques, infrastructure, and malware suggest a possible operational connection between the two actors. 

Global cyberattacks using NFC data for contactless payments are on the rise

A new cyberattack method exploiting NFC data, first detected in 2023 in the Czech Republic, has quickly spread worldwide. Researchers have reported a 35-percent increase in NFC-related attacks in the first half of 2025 compared to the previous six months. The scam begins with phishing and malware disguised as banking apps. Using tools like NFCGate and the NGate malware, attackers trick victims into providing sensitive data and then clone their cards to make payments or withdrawals anonymously. Despite some arrests, the threat has evolved into a tactic dubbed “Ghost Tap,” enabling fraudulent contactless payments via cloned digital wallets. Experts urge users to take precautions such as setting contactless payment limits, recognizing phishing attempts, and using reliable cybersecurity solutions.  

Phishing campaign imitates CapCut and Apple to steal credentials and credit cards

A phishing campaign exploiting CapCut’s popularity to deceive users has been discovered. Fake invoices redirect victims to counterfeit Apple login pages that capture Apple ID credentials. Users are then tricked into providing credit card information under the pretense of a refund. The data is sent to attacker-controlled servers. The attack concludes with a fake verification code prompt to delay suspicion and extend the scam. Users are advised to scrutinize URLs and remain cautious of unsolicited data requests.

British hacker “IntelBroker” arrested in France for global data theft scheme

Kai West, a 25-year-old British citizen, has been charged by U.S. authorities for leading a global cybercrime operation under the alias “IntelBroker.” According to the Southern District of New York, West and a group known as “CyberN[------]” infiltrated the networks of over 40 victims, including telecom companies, healthcare providers, and ISPs. Through a hacking forum, he offered stolen data at least 158 times, valued at over $2 million, causing worldwide damages exceeding $25 million. West was arrested in France in February 2025, and the U.S. is seeking his extradition. He faces four criminal charges, including computer intrusion and wire fraud, with penalties of up to 20 years in prison. The FBI noted that West was identified as the forum’s “owner” and used Monero cryptocurrency to obscure payments.