Tags: Threat intelligence
11 June 2025

Weekly Summary Cyberattacks June 5-11

FIN6 uses fake job offers to download malware from the cloud   

The FIN6 threat group, also known as Skeleton Spider, has stepped up its criminal activity through phishing campaigns targeting recruiters, posing as job applicants on platforms such as LinkedIn and Indeed. The actors register domains that mimic real personal names and send emails with links disguised as resumes. To bypass automated security filters, the messages contain no clickable hyperlinks, only web addresses that recipients must copy and type into the browser by hand. After passing barriers such as CAPTCHAs and IP and operating-system filters, victims reach sites hosted on trusted infrastructure such as AWS, which deliver a ZIP file containing concealed malware: more_eggs. This malware, which enables credential theft and follow-on attacks, is delivered through disguised .LNK files and techniques that hinder detection. FIN6 leverages cloud services, anonymous domain registration and evasive methods to keep its infrastructure active and avoid security scans. Researchers warn of the need to reinforce technical controls and train HR personnel to prevent this type of attack.
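As an added, constructed example (not code from the original report or from the researchers it cites), the following Python check looks for two artefacts of the lure chain described above: a bare, non-clickable URL in a plain-text email body, and a Windows shortcut (.LNK) posing as a resume inside a ZIP attachment. The sample body, domain and file names are invented.

```python
import io
import re
import zipfile

# Constructed sample: plain-text lure body carrying a bare URL the recipient
# is asked to copy by hand, the pattern used to dodge link-rewriting filters.
SAMPLE_BODY = (
    "Hello, I am applying for the Senior Analyst position.\n"
    "My resume is available at example-resume-portal.invalid/cv/jane-doe\n"
    "Please copy the address into your browser. Thanks, Jane"
)

# Tolerant matcher for domain-plus-path strings, with or without a scheme.
BARE_URL_RE = re.compile(r"\b(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/[^\s]*)?", re.I)

# Document extensions an attacker would pair with .lnk to fake a resume.
DOC_EXT = (".pdf", ".doc", ".docx", ".rtf")


def bare_urls(text_plain_body: str) -> list:
    """Return URLs written as plain text in a text/plain email body."""
    return [m.group(0) for m in BARE_URL_RE.finditer(text_plain_body)]


def suspicious_zip_members(zip_bytes: bytes) -> list:
    """Flag .lnk members, noting when a document extension is used as disguise."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if not lower.endswith(".lnk"):
                continue
            stem = lower[:-len(".lnk")]
            disguised = any(stem.endswith(ext) for ext in DOC_EXT)
            note = "Windows shortcut disguised as document" if disguised else "Windows shortcut"
            findings.append(f"{name}: {note}")
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the lure: a .LNK named like a PDF resume."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Placeholder bytes only; this is not a real or functional shortcut file.
        zf.writestr("Jane_Doe_Resume.pdf.lnk", b"placeholder")
        zf.writestr("cover_letter.txt", b"See attached resume.")
    return buf.getvalue()


if __name__ == "__main__":
    print("bare URLs:", bare_urls(SAMPLE_BODY))
    print("zip findings:", suspicious_zip_members(build_sample_zip()))
```

Either signal alone is weak; a bare URL in a resume email plus a .LNK in the attachment is the combination worth routing to review.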

NHS launches urgent appeal for blood donations after cyber-attack   

The British National Health Service (NHS) has launched an urgent appeal for one million people in England to donate blood this week, as stocks remain low following a cyber-attack last year. Only 2% of the population is currently donating blood, and the NHS is warning of the risk of reaching a red alert, which would mean that demand exceeds supply capacity and endangers public safety. The situation was exacerbated by a ransomware attack that disrupted pathology services and forced hospitals to rely more often on type O blood, the safest type for emergency transfusions. This left the national reserves in a very fragile state. In addition, many of the more than 900,000 patients affected have yet to be told what personal data was exposed, including highly sensitive details of serious illnesses.

OpenAI blocks ChatGPT accounts used by hackers from Russia, China and Iran   

OpenAI has suspended ChatGPT accounts used by threat actors from Russia, China and Iran that used artificial intelligence to support illegal cyber activities. These included malware development, social-network automation and intelligence gathering on U.S. satellite communication technologies. One Russian group, using multiple disposable accounts, refined malware written in the Go programming language and then distributed it disguised as a legitimate video game tool; the code stole browser data and evaded defensive systems. Two Chinese groups, APT5 and APT15, used the model for tasks such as Linux system administration, software development, brute-force attacks on FTP servers and automated manipulation of social networks. Operations linked to North Korea, the Philippines, Cambodia and Iran were also detected using ChatGPT for disinformation campaigns and employment scams in multiple languages. OpenAI stressed that none of these activities were large-scale, but they demonstrate the potential for abuse of AI by threat actors.

Sophisticated attack on high-profile iPhones detected in the U.S. and Europe   

Cybersecurity researchers have uncovered evidence of exploitation of a critical vulnerability in iPhones through zero-click attacks via iMessage, targeting individuals linked to political campaigns, media, governments and artificial intelligence companies in the U.S. and the European Union. The vulnerability, dubbed “NICKNAME”, affected the “imagent” process of the iOS operating system and was fixed by Apple in version 18.3.1. Although exploitation cannot be confirmed with certainty, researchers detected anomalous behavior patterns, such as extremely rare crashes and massive file deletions, on six devices belonging to high-value targets. Two of them showed clear signs of having been compromised. The investigation suggests that the threat persists and underscores the need to strengthen mobile security even on platforms considered secure.

New variant of Chaos RAT, legitimate software turned cyberattack tool, detected

Researchers have discovered new variants of Chaos RAT, an open-source remote administration tool written in Go that cybercriminals have repurposed to spy on victims, steal information and stage ransomware attacks. Although its use is still limited, its low detection rate and support for both Windows and Linux make it a stealthy threat. In one recent attack, victims were tricked into downloading a fake network diagnostic utility for Linux. In addition, a critical vulnerability was identified in Chaos RAT's own control panel that allows remote code execution; it was even exploited in a demonstration that played the song “Never Gonna Give You Up.” The case illustrates how legitimate open-source software can become dangerous when it falls into malicious hands.