Threat intelligence
18 June 2025

Weekly Summary of Cyberattacks, June 12-18

Active cyberespionage campaign in Spain, France, Portugal, Italy, Belgium and the Netherlands

A cyberespionage campaign active in Europe has revealed the use of the Sorillus remote access Trojan (RAT), also known as SambaSpy. The attack, attributed to Portuguese-speaking actors, is distributed through phishing emails carrying fake invoices that redirect victims to malicious servers via services such as OneDrive, Ngrok and MediaFire. The malware, sold as a service since 2019, can spy on webcams, record audio, steal data and take control of Windows, macOS and Linux systems. Although its commercial website was shut down in January 2025, cracked versions continue to circulate on forums and social networks. The campaign affects organizations in Spain, France, Portugal, Italy, Belgium and the Netherlands, using messages in several languages and sophisticated evasion techniques. Researchers recommend blocking the associated domains and monitoring or blocking cloud storage and network tunneling services that are not used for authorized organizational purposes.

New cyberespionage campaign by XDSpy group uncovered with updated XDigo malware

Researchers have uncovered a cyberespionage operation carried out in 2025 by the XDSpy group against governments and strategic entities in Eastern Europe, especially Belarus. The campaign uses a new version of the XDigo implant, delivered through crafted LNK shortcut files that exploit flaws in how Windows processes shortcuts. XDigo collects system information, captures screenshots and searches for sensitive files, which it encrypts with AES-256-GCM before exfiltrating them to a C2 server over HTTPS. It can also receive encrypted commands from the C2, which are cryptographically signed and validated. Several versions of XDigo have been identified, some with additional credential-stealing capabilities. The infrastructure shows advanced evasion techniques, including redirects to artificial-intelligence-related files intended to mislead analysts. The repeated use of distinctive patterns and common tooling links this campaign to earlier XDSpy operations, active since at least 2020.
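Because the XDigo implant arrives inside shortcut files, a mail gateway or triage analyst wants a quick way to look at what a .lnk actually launches. The script below is an added example, not code from the researchers who analysed the campaign: it parses just enough of the MS-SHLLINK binary format to reach the COMMAND_LINE_ARGUMENTS string and applies simple heuristics. The interpreter list, the 260-character limit and the whitespace rule are assumptions chosen for illustration, not indicators from the report, and `build_lnk` constructs synthetic test shortcuts rather than using real samples.

```python
"""Triage Windows shortcut (.lnk) files for suspicious command-line arguments.

Added example; not code from the XDSpy report. It parses just enough of the
MS-SHLLINK binary format to reach the COMMAND_LINE_ARGUMENTS string, then applies
heuristics (the interpreter list, length limit and whitespace rule are assumptions,
not indicators from the report).
"""
from __future__ import annotations

import struct

# ShellLinkHeader: HeaderSize (0x4C), LinkCLSID 00021401-0000-0000-C000-000000000046, LinkFlags
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_DATA_ORDER = (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION)

# Assumptions: interpreters a document-like shortcut has no business launching, and a
# length beyond which arguments deserve a manual look.
SUSPICIOUS_INTERPRETERS = ("powershell", "cmd.exe", "mshta", "wscript", "cscript", "rundll32")
MAX_ARGS_LEN = 260


def parse_lnk_arguments(data: bytes) -> str | None:
    """Return the shortcut's COMMAND_LINE_ARGUMENTS string, or None if it has none."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link header")
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # LinkTargetIDList: 2-byte size, then that many bytes
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:  # LinkInfo: 4-byte total size that includes the size field itself
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    # StringData blocks follow in a fixed order; each is present only if its flag is set
    # and consists of a 2-byte character count followed by the characters (UTF-16LE when IsUnicode).
    arguments = None
    for flag in STRING_DATA_ORDER:
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, pos)
        pos += 2
        if flags & IS_UNICODE:
            text = data[pos:pos + count * 2].decode("utf-16-le")
            pos += count * 2
        else:
            text = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
        if flag == HAS_ARGUMENTS:
            arguments = text
    return arguments


def assess_lnk(data: bytes) -> list[str]:
    """Return human-readable findings for a shortcut; an empty list means nothing notable."""
    findings: list[str] = []
    arguments = parse_lnk_arguments(data)
    if arguments is None:
        return findings
    lowered = arguments.lower()
    for name in SUSPICIOUS_INTERPRETERS:
        if name in lowered:
            findings.append(f"arguments invoke {name}")
    if len(arguments) > MAX_ARGS_LEN:
        findings.append(f"arguments unusually long ({len(arguments)} chars)")
    if arguments != arguments.strip() or "  " in arguments:
        findings.append("arguments contain padding whitespace")
    return findings


def build_lnk(arguments: str | None, name: str = "Invoice.pdf") -> bytes:
    """Construct a minimal shortcut for testing (constructed input, not a real sample)."""
    flags = HAS_NAME | IS_UNICODE | (HAS_ARGUMENTS if arguments is not None else 0)
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID, flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # remaining header fields zeroed

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = string_data(name)
    if arguments is not None:
        body += string_data(arguments)
    return header + body


if __name__ == "__main__":
    sample = build_lnk("powershell -nop -w hidden" + " " * 40 + "-enc AAAA")
    print(assess_lnk(sample))
```

The parser deliberately stops after the StringData section; the ExtraData blocks that follow are not needed to answer the triage question, and skipping the LinkTargetIDList and LinkInfo structures by their declared sizes keeps the code independent of their contents.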

Cyberattack compromises more than 269,000 websites with malicious code

Cybersecurity researchers have detected a large-scale campaign that has compromised more than 269,000 legitimate websites by injecting malicious JavaScript. The attack, which peaked on April 12, 2025, with more than 50,000 sites compromised in a single day, uses an obfuscation technique known as JSFireTruck, which encodes the script using only a very limited set of characters and so hinders analysis. The injected code checks whether the visitor arrived from a search engine such as Google or Bing and, if so, redirects them to dangerous sites that may distribute malware or display malicious advertising.
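An encoding that uses only a handful of characters is also easy to spot statistically: a region of a script where almost every character comes from a tiny symbol alphabet is unlike anything a developer writes by hand. The detector below is an added example, not the researchers' tooling. The alphabet `[]()+!$`, the 64-character window and the 0.7 threshold are assumptions to tune against your own site content, and both the benign script and the JSFuck-style fragment are constructed for the example rather than taken from the campaign.

```python
"""Flag JavaScript that is dominated by a JSFuck-style symbol alphabet.

Added example; not the researchers' code. JSFireTruck is described as a
character-limited encoding, so a cheap first-pass detector is to slide a window
over a script and report regions where almost every character comes from a tiny
set of symbols. The alphabet, window size and threshold are assumptions to tune.
"""
from __future__ import annotations

SYMBOL_ALPHABET = frozenset("[]()+!$")  # assumed core alphabet of the encoding
WINDOW = 64         # characters per sliding window
THRESHOLD = 0.7     # fraction of a window that must be alphabet symbols to flag it


def find_obfuscated_spans(js: str, window: int = WINDOW, threshold: float = THRESHOLD) -> list[tuple[int, int]]:
    """Return merged [start, end) character spans whose windows exceed the symbol threshold."""
    n = len(js)
    if n == 0:
        return []
    window = min(window, n)
    # Prefix sums of "is this character in the alphabet" let each window be scored in O(1).
    prefix = [0]
    for ch in js:
        prefix.append(prefix[-1] + (ch in SYMBOL_ALPHABET))
    needed = threshold * window
    spans: list[list[int]] = []
    for start in range(n - window + 1):
        if prefix[start + window] - prefix[start] < needed:
            continue
        end = start + window
        if spans and start <= spans[-1][1]:
            spans[-1][1] = max(spans[-1][1], end)  # overlapping window: extend the current span
        else:
            spans.append([start, end])
    return [(s, e) for s, e in spans]


def assess_script(js: str) -> dict:
    """Summarize a script: whether any span was flagged, the spans, and the fraction of text covered."""
    spans = find_obfuscated_spans(js)
    covered = sum(e - s for s, e in spans)
    return {
        "suspicious": bool(spans),
        "spans": spans,
        "covered_fraction": covered / len(js) if js else 0.0,
    }


# Constructed samples: an ordinary page script and a JSFuck-style fragment repeated to
# script length. Neither is taken from the campaign.
BENIGN_JS = """
function greet(name) {
  var el = document.getElementById("greeting");
  el.textContent = "Hello, " + name + "!";
}
greet("visitor");
"""
OBFUSCATED_JS = "[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]]" * 4
INJECTED_PAGE_JS = BENIGN_JS + OBFUSCATED_JS + "\n" + BENIGN_JS

if __name__ == "__main__":
    for label, script in (("benign", BENIGN_JS), ("injected", INJECTED_PAGE_JS)):
        print(label, assess_script(script))
```

Running this over a site's served scripts and alerting when a span appears where none existed in the previous crawl gives a change-detection signal that does not depend on knowing the exact payload; minified libraries can still score high in places, so the threshold needs a baseline from your own assets before it is used for alerting.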

Fog ransomware attack reveals unusual tools and possible espionage purposes

A May 2025 attack on a financial institution in Asia has drawn attention for its use of the Fog ransomware alongside an unusual toolset. This included Syteca, a legitimate employee-monitoring product, and open-source pentesting utilities such as GC2, Stowaway and Adaptix, none of which had been seen in ransomware attacks before. The attackers remained on the network for two weeks before deploying the ransomware and, unusually, established persistence after the infection. They also used tools such as PsExec and SMBExec to move laterally, and programs such as MegaSync and FreeFileSync to exfiltrate data. The use of espionage-oriented tools and the long dwell time suggest that the ransomware may have been a distraction or a secondary source of profit in what was possibly a more complex targeted attack.
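Two of the items above reduce to the same defensive task: the Sorillus write-up recommends watching for cloud storage and tunneling services that the organization does not use, and the Fog intrusion was carried out with remote-execution and file-sync tools that rarely belong on a finance workstation. The script below is an added example serving both items, not code from either research team. The key=value log format and every log line are constructed for the example, and the domain and image names are assumptions about how those services and tools normally appear in telemetry; a watchlist hit is a lead to investigate, not proof of compromise.

```python
"""Watchlist hunting over proxy and process-creation logs.

Added example; not the researchers' code. It covers two of the write-ups above: the
Sorillus campaign staged payloads through OneDrive, Ngrok and MediaFire, and the Fog
intrusion relied on PsExec, SMBExec, MegaSync and FreeFileSync. The key=value log
format and all log lines are constructed for this example; the domain and binary
names are assumptions about how those services and tools normally appear.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sorillus delivery services: alert unless the organization has approved the service.
STAGING_SERVICES = {
    "ngrok": ("ngrok.io", "ngrok-free.app"),
    "mediafire": ("mediafire.com",),
    "onedrive": ("onedrive.live.com", "1drv.ms"),
}
# Fog toolset as it typically appears in process-creation telemetry (image basenames).
TOOL_IMAGES = ("psexec", "psexesvc", "smbexec", "megasync", "freefilesync")

KV = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    source: str
    indicator: str
    line: str


def parse_line(line: str) -> dict[str, str]:
    """Split '<ISO timestamp> key=value ...' into a dict (constructed log format)."""
    timestamp, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["timestamp"] = timestamp
    return fields


def hunt_proxy(lines, approved_services: frozenset[str] = frozenset()) -> list[Finding]:
    """Flag requests to staging services the organization has not approved."""
    findings = []
    for line in lines:
        fields = parse_line(line)
        host = fields.get("dst", "").lower()
        for service, domains in STAGING_SERVICES.items():
            if service in approved_services:
                continue
            if any(host == d or host.endswith("." + d) for d in domains):
                findings.append(Finding(fields["timestamp"], "proxy", service, line))
    return findings


def hunt_processes(lines) -> list[Finding]:
    """Flag process launches whose image basename matches a tool from the Fog intrusion."""
    findings = []
    for line in lines:
        fields = parse_line(line)
        image = fields.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        for tool in TOOL_IMAGES:
            if tool in image:
                findings.append(Finding(fields["timestamp"], "process", tool, line))
    return findings


def activity_window(findings: list[Finding]) -> tuple[str, str] | None:
    """First and last timestamp among findings: a rough dwell-time indicator."""
    if not findings:
        return None
    stamps = sorted(f.timestamp for f in findings)
    return stamps[0], stamps[-1]


# Constructed sample logs (no real hosts, users or sessions).
PROXY_LOG = [
    "2025-05-02T09:15:03Z user=jdoe dst=login.microsoftonline.com method=POST bytes=2210",
    "2025-05-02T09:16:40Z user=jdoe dst=files.ngrok-free.app method=GET bytes=48213",
    "2025-05-02T09:17:02Z user=jdoe dst=download1234.mediafire.com method=GET bytes=1048576",
    "2025-05-02T09:20:11Z user=asmith dst=onedrive.live.com method=GET bytes=3300",
]
PROCESS_LOG = [
    r"2025-05-03T11:04:12Z host=FIN-WS12 user=SYSTEM image=C:\Windows\PSEXESVC.exe parent=services.exe",
    r"2025-05-03T11:04:13Z host=FIN-WS12 user=SYSTEM image=C:\Windows\System32\cmd.exe parent=PSEXESVC.exe",
    r"2025-05-16T02:40:55Z host=FIN-SRV02 user=backup image=C:\Tools\MEGAsync\MEGAsync.exe parent=explorer.exe",
    r"2025-05-16T03:01:09Z host=FIN-SRV02 user=backup image=C:\Tools\FreeFileSync\FreeFileSync.exe parent=explorer.exe",
]

if __name__ == "__main__":
    hits = hunt_proxy(PROXY_LOG, approved_services=frozenset({"onedrive"})) + hunt_processes(PROCESS_LOG)
    for finding in hits:
        print(finding.timestamp, finding.source, finding.indicator)
    print("process activity window:", activity_window(hunt_processes(PROCESS_LOG)))
```

The `approved_services` parameter is the point the Sorillus researchers make: OneDrive is legitimately used in many organizations, so the alert is only worth raising for services nobody has a business reason to reach. The activity window over the Fog-style findings illustrates why the two-week gap matters: the first PsExec service launch and the last file-sync run are thirteen days apart, which is the interval in which a detection would have pre-empted the ransomware.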

New malware detected impersonating DeepSeek to spy on web browsing

A new malware campaign has been discovered that uses a fake website impersonating the popular DeepSeek-R1 artificial intelligence model, exploiting its growing demand. The attackers used malvertising on Google Ads to place the fraudulent page as if it were the official one, tricking users into downloading a malicious installer. Running the file starts an infection chain that ends with the installation of an implant called BrowserVenom, which redirects all of the user's web traffic through a proxy controlled by the criminals, allowing them to intercept, manipulate and spy on browsing activity. The source of the malicious websites contains comments in Russian, which points to Russian-speaking developers. The attack mainly affects Windows users and requires administrator privileges to execute its payload fully. Infections have been detected in several countries, including Mexico, Brazil and India. Authorities recommend carefully verifying web addresses and certificates before downloading AI-related software.
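Since the implant's effect is that browsing is silently routed through a proxy the victim never configured, a host-side check that compares the configured proxies against the ones the organization actually operates catches the symptom regardless of how the proxy was installed. The script below is an added example, not from the report. It relies on `urllib.request.getproxies()`, which reads the `*_proxy` environment variables on Unix-like systems and the Internet Settings registry values on Windows; browser-internal proxy settings are outside its reach, so this is a first pass only (assumption). The allowlist and sample values are constructed.

```python
"""Audit the host's configured HTTP(S) proxies against an allowlist.

Added example; not from the report. BrowserVenom is described as routing all of the
victim's web traffic through a criminal-controlled proxy, so one host-side check is
whether any proxy is configured and, if so, whether it is one the organization runs.
urllib.request.getproxies() reads *_proxy environment variables on Unix-like systems
and the Internet Settings registry values on Windows; browser-internal proxy settings
are outside its reach, so treat this as a first pass (assumption). The allowlist and
sample values are constructed.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit
from urllib.request import getproxies

APPROVED_PROXIES = frozenset({("proxy.corp.example", 3128)})  # constructed allowlist


def audit_proxies(proxies: dict[str, str], approved: frozenset = APPROVED_PROXIES) -> list[str]:
    """Return one finding per configured proxy that is not on the allowlist."""
    findings = []
    for scheme, target in proxies.items():
        if scheme == "no":  # getproxies() reports the no_proxy list under this key
            continue
        parts = urlsplit(target if "://" in target else "http://" + target)
        host, port = (parts.hostname or "").lower(), parts.port
        if (host, port) in approved:
            continue
        reason = "not on the approved proxy list"
        try:
            if ipaddress.ip_address(host).is_loopback:
                reason = "loopback proxy, traffic is being intercepted by software on this host"
        except ValueError:
            pass  # a hostname rather than a literal IP address
        port_text = port if port is not None else "default"
        findings.append(f"{scheme} proxy {host}:{port_text} {reason}")
    return findings


if __name__ == "__main__":
    for finding in audit_proxies(getproxies()):
        print(finding)
```

A loopback proxy is called out separately because it is the pattern of interception software running on the machine itself, which is what the certificate warning in the advisory is about: anything that terminates TLS locally must have added its own root certificate to the trust store, so a loopback finding should be followed by a review of recently added trusted roots.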