Threat Pulse – June 2025
Each month, DigitalXRAID’s Security Operations Centre (SOC) analysts share the top threats affecting businesses globally, and June has been a busy one! Take action to protect your organisation against these prolific threats.
If you’ve been affected by any of these threats, we’re here to help. You can call our Cyber Emergency line any time of the day or night for help with active cyberattacks.
DigitalXRAID’s SOC analysts constantly monitor for zero-day threats and update our signature databases using the most comprehensive Threat Intelligence and Open Threat Exchange databases available worldwide.
Surge in Hacktivist‑Driven DDoS Attacks
Over 21-22 June 2025, hacktivist groups such as Mr Hamza, Mysterious Team Bangladesh, and Keynous+ significantly ramped up DDoS campaigns targeting manufacturing, finance, and government sectors amid geopolitical tensions. Analysts noted an 800% surge in attacks, many aimed at military and aerospace contractors, evidencing politically motivated disruption in critical sectors.
Nation‑State Cyber Aggression & AI‑Powered Threats
Iran–linked hacker groups intensified cyberattacks against US financial and defence sectors post US–Iran strikes. Australian firms were warned to bolster defences against possible Iranian cyber campaigns following regional conflict escalation. Accenture’s June survey found 90% of companies lacked sufficient protections against AI-powered attacks, with 36% conceding that AI threats are outpacing their defences.
Rise of “Shadow AI” & Generative‑AI Risks
IBM and others reported a rise in unsanctioned or “shadow AI” deployments, meaning that staff are introducing generative-AI tools not governed by IT. This creates risks of data leakage and compliance failures if organisations don’t take action. At the Infosec Europe event, keynotes emphasised the dangers of generative AI and deepfakes, and the need for post-quantum cryptography.
EU Digital Sovereignty Push — DNS4EU Launch
On 9 June 2025, the EU officially launched DNS4EU, a privacy-centric, EU‑based DNS resolver service. The aim of DNS4EU is to bolster digital sovereignty and reduce reliance on non-EU infrastructure.
Russian Hackers Infiltrate Microsoft (June 2025)
In June, Russian-linked threat actors penetrated Microsoft’s internal systems, gaining access to both staff and customer emails. The breach triggered regulatory scrutiny and prompted Microsoft to notify affected users while reinforcing its internal security protocols.
Chinese State‑Linked Group “Salt Typhoon” Hits Viasat (Mid-June 2025)
The Chinese APT group known as Salt Typhoon used its kernel-mode rootkit “Demodex” to compromise Viasat’s systems. The incident, confirmed around 17-23 June, highlights a sophisticated global attack campaign targeting telecoms and satellite tech infrastructure.
Cisco Identity Services Engine (ISE) Critical Zero‑Day Advisory (June 26, 2025)
Cisco released a critical security advisory for its Identity Services Engine and Passive Identity Connector after uncovering CVE-2025-20281 (unauthenticated API remote code execution, CVSS 9.8). All users were advised to urgently apply patches to prevent remote takeover.
Multiple Healthcare Data Breaches Reported by HIPAA (June 2025)
In June, nine HIPAA‑regulated entities, including mental health centres and dental and cardiovascular clinics, reported data breaches affecting at least 500 individuals each. Most incidents were hacking or IT-related.
FBI: “Play” Ransomware Hits Critical Organisations (Early June 2025)
US government agencies warned that the Play ransomware gang breached ~900 organisations, notably including critical healthcare providers, through recompiled, stealth-enhanced malware and data extortion tactics.
MedusaLocker & Datarip Ransomware Activity Noted (June 2025)
MedusaLocker ransomware was particularly active against manufacturing targets during the month of June. Additionally, a newly identified variant, Datarip, distinguished by its enhanced evasion capabilities, began impacting industrial firms.
Swiss Bank UBS Hit via Vendor Breach (18 June, 2025)
UBS confirmed a data leak caused by a cyberattack on Chain IQ, an external procurement services provider. Although no client data was affected, personal details of tens of thousands of UBS employees, including names, emails, phone numbers, and even the CEO’s phone number, were stolen and circulated on the dark web. Chain IQ stated the issue was contained after the attack had impacted them and 19 other firms.
Scattered Spider Targets Insurance Firms (Mid–Late June 2025)
The Scattered Spider hacking group shifted focus to insurers, striking Aflac, Erie Indemnity, and Philadelphia Insurance in a narrow time window. Aflac disclosed a 12 June breach, where attackers used social engineering techniques (posing as tech support) to infiltrate systems. Sensitive data like Social Security numbers and health records may have been compromised, although no ransomware was used and operations were unaffected.
$90 Million Destroyed in Iran Crypto Exchange Attack (June 18, 2025)
A hacker group linked to anti-Iranian interests announced it destroyed nearly $90 million in cryptocurrency holdings from one of Iran’s largest crypto exchanges and threatened to expose the platform’s source code.
Glasgow City Council Hacked (June 19, 2025)
On 19 June, Glasgow City Council discovered malicious activity on third-party servers. As a precaution, they shut down impacted services, including planning applications, school absences, bin schedules, and registrars, to investigate alongside Police Scotland, SC3, and the NCSC. While no financial systems were affected, customer data linked to web forms may have been compromised. The ICO has been notified, and residents are warned to watch for phishing or unsolicited contacts.
Israeli Hackers Hijack Iran’s State TV Broadcast (June 19, 2025)
On 19 June, anonymous Israeli-affiliated hackers breached Iran’s state television network (IRIB), briefly interrupting a prime-time broadcast to play footage from Iranian women protesting the hijab. The incident drew widespread attention as a bold cyber-message from foreign actors.
British Horseracing Sector Ransomware Alert (Mid‑June 2025)
In mid-June, the British Horseracing Authority (BHA) reported a ransomware infection that disrupted certain digital systems within the sector. The incident served as a stark warning about the vulnerability of sports federations to cyberattacks, even if limited to internal or operational disruptions.
Global Surge in Education Ransomware & Extortion (Q2 2025 Context)
The education sector saw a 69% increase in ransomware globally during Q1 2025, with several attacks continuing into June. These attacks involve extortion tactics and high ransom demands averaging around $608K. Notably, extortion attempts also targeted PowerSchool-affected school districts.
46% Surge in Ransomware Across Industrial Sectors
On 6 June, an industry threat report revealed a 46% increase in ransomware targeting industrial sectors including manufacturing, energy, construction, and agriculture from Q4 2024 to Q1 2025. The report noted a sharp rise in credential-stealing malware, with construction firms among the affected categories.
Credential-Theft Trojans Target Construction Back-Office Systems
Security analysts have highlighted a 3000% spike in credential-stealing Trojans. These stealthy malware variants exploit weak access controls typical in construction industry back-office systems, putting project documentation, bidding platforms, and email systems at risk.
Increased OT Exploitation Risk in Firms with Automation Tools
Just as manufacturing and utilities firms are vulnerable, construction companies using on-site OT (e.g. automated machinery and IoT sensors) are being flagged as high-risk. The same fingerprinted vulnerabilities in building management and SCADA systems threaten sites with remote-enabled equipment, especially where digital project tools intersect with industrial devices.
Scattered Spider Targets Aviation Sector (Mid–Late June 2025)
In its second appearance in June’s Threat Pulse, the notorious hacking group Scattered Spider – also known as Muddled Libra – significantly ramped up attacks against the aviation and transportation sector. While specific airlines weren’t named, indications are strong that major carriers were hit.
APT Linked Espionage & Intrusion Events
BladedFeline (Iran-aligned, OilRig sub-cluster)
Targets: Government officials in Iraq and Iraqi Kurdistan
Timeframe: June 2025
TTPs:
Spear-phishing via malicious attachments (T1566)
Deployment of “Whisper” .NET backdoor (T1059.001 / T1059.006)
C2 communication via HTTP(S) (T1071.001)
MITRE ATT&CK Mapping:
Initial Access: Spearphishing Attachment (T1566.001)
Execution: Command and Scripting Interpreter (.NET) (T1059.006)
Persistence & C2: Application Layer Protocol (T1071.001)
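Backdoors that talk to their C2 over HTTP(S), as mapped above under T1071.001, typically check in on a fixed schedule with a little jitter, which is what a beaconing heuristic looks for in proxy or firewall logs. The following is an added example written for this page, not DigitalXRAID's SOC tooling or anything from the BladedFeline reporting; the log format ("timestamp client_ip destination_host"), the host names, the thresholds (at least 6 connections, coefficient of variation of the inter-connection gap at or below 0.2) and the sample log lines are all constructed assumptions.

```python
"""Beaconing heuristic for application-layer C2 (ATT&CK T1071.001).

Added example; log format, thresholds and sample data are assumptions.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not real traffic): "<timestamp> <client_ip> <destination_host>".
# The first host is contacted roughly every 60 seconds; the second is ordinary browsing.
SAMPLE_LOG = """\
2025-06-03T08:00:00Z 10.1.2.3 telemetry.beacon-test.invalid
2025-06-03T08:01:00Z 10.1.2.3 telemetry.beacon-test.invalid
2025-06-03T08:01:58Z 10.1.2.3 telemetry.beacon-test.invalid
2025-06-03T08:03:00Z 10.1.2.3 telemetry.beacon-test.invalid
2025-06-03T08:04:01Z 10.1.2.3 telemetry.beacon-test.invalid
2025-06-03T08:05:00Z 10.1.2.3 telemetry.beacon-test.invalid
2025-06-03T08:06:00Z 10.1.2.3 telemetry.beacon-test.invalid
2025-06-03T08:06:59Z 10.1.2.3 telemetry.beacon-test.invalid
2025-06-03T08:00:05Z 10.1.2.3 www.example.com
2025-06-03T08:00:08Z 10.1.2.3 www.example.com
2025-06-03T08:02:08Z 10.1.2.3 www.example.com
2025-06-03T08:02:11Z 10.1.2.3 www.example.com
2025-06-03T08:08:51Z 10.1.2.3 www.example.com
2025-06-03T08:09:21Z 10.1.2.3 www.example.com
2025-06-03T08:24:21Z 10.1.2.3 www.example.com
"""


def parse_log(text):
    """Parse log lines into (timestamp, client_ip, destination_host) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the whole run
        ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
        records.append((ts, parts[1], parts[2]))
    return records


def interval_stats(records):
    """Per (client, destination) pair: event count, mean gap and coefficient of variation."""
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)
    stats = {}
    for pair, times in by_pair.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < 2:
            continue  # not enough data to judge regularity
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        stats[pair] = {"events": len(times), "mean_gap": mean, "cv": cv}
    return stats


def beacon_candidates(stats, min_events=6, max_cv=0.2):
    """Pairs with enough events and a very regular gap: (src, dst, mean_gap, cv)."""
    return sorted(
        (src, dst, s["mean_gap"], s["cv"])
        for (src, dst), s in stats.items()
        if s["events"] >= min_events and s["cv"] <= max_cv
    )


if __name__ == "__main__":
    for src, dst, gap, cv in beacon_candidates(interval_stats(parse_log(SAMPLE_LOG))):
        print(f"possible beacon: {src} -> {dst} every ~{gap:.0f}s (cv={cv:.3f})")
```

Legitimate software (update checkers, monitoring agents) also beacons regularly, so the output is a triage list to be matched against known-good destinations, not an alert on its own.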
Salt Typhoon (China-linked)
Target: Viasat telecom infrastructure
Timeframe: Data breach reported June 20, 2025
TTPs:
Likely stealthy network infiltration
Data exfiltration via encrypted channels (e.g., HTTPS, DNS)
MITRE ATT&CK Mapping:
Initial Access: External Remote Services (T1133) (probable)
Lateral Movement: Remote Services (T1021)
Exfiltration: Exfiltration Over C2 Channel (T1041)
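Exfiltration over DNS, one of the channels listed above, leaves a recognisable trace in resolver logs: many distinct, long, high-entropy subdomains under one registered domain. The following is an added example written for this page, not DigitalXRAID's tooling or anything from the Salt Typhoon reporting; the log format ("timestamp client_ip queried_name"), the domains, the thresholds and the sample queries are constructed assumptions, and it simplifies the registered domain to the last two labels rather than using the Public Suffix List.

```python
"""Heuristic detector for DNS-tunnelled exfiltration (ATT&CK T1041 / T1071).

Added example; log format, domains and thresholds are assumptions.
"""
import math
from collections import defaultdict

# Constructed resolver log (not real traffic): "<timestamp> <client_ip> <queried_name>".
# example.com: a few normal hosts. static-assets.example: many short hostnames (CDN-like).
# exfil-test.invalid: many long, random-looking labels carrying encoded data.
SAMPLE_LOG = """\
2025-06-20T10:00:01Z 10.1.2.3 www.example.com
2025-06-20T10:00:02Z 10.1.2.3 mail.example.com
2025-06-20T10:00:03Z 10.1.2.3 api.example.com
2025-06-20T10:00:04Z 10.1.2.3 cdn.example.com
2025-06-20T10:00:05Z 10.1.2.3 img1.static-assets.example
2025-06-20T10:00:05Z 10.1.2.3 img2.static-assets.example
2025-06-20T10:00:06Z 10.1.2.3 img3.static-assets.example
2025-06-20T10:00:06Z 10.1.2.3 img4.static-assets.example
2025-06-20T10:00:07Z 10.1.2.3 img5.static-assets.example
2025-06-20T10:00:07Z 10.1.2.3 img6.static-assets.example
2025-06-20T10:00:10Z 10.1.2.3 q7x2mfp9vb3kz8ayn4ud0lsw6tj1hgec.data.exfil-test.invalid
2025-06-20T10:00:11Z 10.1.2.3 r5w1nq8tyb0kz3ae7m2pv9djxc4lsfh6.data.exfil-test.invalid
2025-06-20T10:00:12Z 10.1.2.3 z2kd9pfa6bw3xm5tq0yl1hnj8vcr7ues.data.exfil-test.invalid
2025-06-20T10:00:13Z 10.1.2.3 m8ty3vqa1ek0pn6zx9dl2cjb5ufs7rwh.data.exfil-test.invalid
2025-06-20T10:00:14Z 10.1.2.3 b4sn7cxe2qw9mzp0lt5yk1jd3vhf8gra.data.exfil-test.invalid
2025-06-20T10:00:15Z 10.1.2.3 h1pq6uzk3rn8va0xy4sm2tj7dwb9fcle.data.exfil-test.invalid
"""


def shannon_entropy(text):
    """Bits per character; random-looking encoded data scores high, words score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain, registered_domain).

    Simplification (assumption): the registered domain is the last two labels.
    A production detector should use the Public Suffix List so that names such as
    host.example.co.uk are grouped under the right registrable domain.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text):
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the detector
        records.append((parts[0], parts[1], parts[2]))
    return records


def domain_stats(records):
    """Per registered domain: distinct subdomain count, mean length and mean entropy."""
    subs = defaultdict(set)
    for _ts, _ip, qname in records:
        sub, dom = split_name(qname)
        if sub:
            subs[dom].add(sub)
    stats = {}
    for dom, subset in subs.items():
        stats[dom] = {
            "unique_subdomains": len(subset),
            "avg_len": sum(len(s) for s in subset) / len(subset),
            "avg_entropy": sum(shannon_entropy(s) for s in subset) / len(subset),
        }
    return stats


def flag_suspicious(stats, min_unique=5, min_len=20, min_entropy=3.0):
    """All three conditions must hold; the length check keeps CDN-style hosts out."""
    return sorted(
        dom for dom, s in stats.items()
        if s["unique_subdomains"] >= min_unique
        and s["avg_len"] >= min_len
        and s["avg_entropy"] >= min_entropy
    )


def analyse(log_text):
    return flag_suspicious(domain_stats(parse_log(log_text)))


if __name__ == "__main__":
    for dom, s in domain_stats(parse_log(SAMPLE_LOG)).items():
        print(f"{dom:24s} unique={s['unique_subdomains']:2d} "
              f"avg_len={s['avg_len']:5.1f} entropy={s['avg_entropy']:.2f}")
    print("flagged:", analyse(SAMPLE_LOG))
```

Only the domain carrying long random labels is flagged; the CDN-like domain has just as many distinct hostnames but fails the length and entropy checks, which is the point of requiring all three conditions together.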
CitrixBleed 2 Exploit
Target: Citrix NetScaler appliances
Timeframe: Actively exploited from mid‑June 2025
TTPs:
Unauthenticated remote code execution via CVE‑2025‑5777
Token theft and session hijacking
MITRE ATT&CK Mapping:
Initial Access: Exploit Public-Facing Application (T1190)
Credential Access: Exploitation for Credential Access (T1212)
Persistence: Valid Accounts (T1078) (token reuse)
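Stolen session tokens are reused from the attacker's own infrastructure, so the same session suddenly appears from a new source address and often a new client, which is what the T1078 "token reuse" entry above amounts to in web or appliance access logs. The following is an added example written for this page, not DigitalXRAID's tooling and not anything specific to NetScaler; the pipe-separated log format ("timestamp|session_id|source_ip|user_agent"), the 30-minute window and the sample lines are constructed assumptions.

```python
"""Session-hijack heuristic: one session id, more than one client (ATT&CK T1078).

Added example; log format, window and sample data are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access log (not real data): "<timestamp>|<session_id>|<source_ip>|<user_agent>".
# sess-A1 is used from a second address with a different client two minutes after the
# legitimate user; sess-B2 is normal; sess-C3 changes address hours apart (user moved networks).
SAMPLE_LOG = """\
2025-06-20T09:00:00Z|sess-A1|203.0.113.10|Mozilla/5.0 (Windows NT 10.0)
2025-06-20T09:05:00Z|sess-A1|203.0.113.10|Mozilla/5.0 (Windows NT 10.0)
2025-06-20T09:07:00Z|sess-A1|198.51.100.77|python-requests/2.31
2025-06-20T09:08:00Z|sess-A1|198.51.100.77|python-requests/2.31
2025-06-20T09:30:00Z|sess-B2|192.0.2.5|Mozilla/5.0 (Macintosh)
2025-06-20T09:45:00Z|sess-B2|192.0.2.5|Mozilla/5.0 (Macintosh)
2025-06-20T13:00:00Z|sess-C3|192.0.2.5|Mozilla/5.0 (Macintosh)
2025-06-20T15:00:00Z|sess-C3|203.0.113.44|Mozilla/5.0 (Macintosh)
"""


def parse_log(text):
    """Parse into (timestamp, session_id, source_ip, user_agent) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, ip, ua = line.split("|", 3)
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), sid, ip, ua))
    return events


def detect_session_reuse(events, window=timedelta(minutes=30)):
    """Flag sessions whose consecutive requests change source IP within the window
    or change user agent at any point. Returns {session_id: {"ips": [...], "reasons": [...]}}."""
    by_sid = defaultdict(list)
    for ev in events:
        by_sid[ev[1]].append(ev)
    findings = {}
    for sid, evs in by_sid.items():
        evs.sort(key=lambda e: e[0])
        reasons = set()
        for prev, cur in zip(evs, evs[1:]):
            if cur[2] != prev[2] and cur[0] - prev[0] <= window:
                reasons.add("ip_change_within_window")
            if cur[3] != prev[3]:
                reasons.add("user_agent_change")
        if reasons:
            findings[sid] = {"ips": sorted({e[2] for e in evs}), "reasons": sorted(reasons)}
    return findings


if __name__ == "__main__":
    for sid, f in detect_session_reuse(parse_log(SAMPLE_LOG)).items():
        print(f"{sid}: {', '.join(f['reasons'])} across {f['ips']}")
```

Address changes alone are noisy (mobile roaming, carrier NAT), which is why the IP rule is time-bounded and the user-agent change is tracked as a separate reason. For a token-theft bug the detection complements, rather than replaces, the fix: tokens issued before patching remain valid until the sessions are terminated server-side.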
Summary and Observations:
State-sponsored espionage activity was prominent in June.
BladedFeline executed a targeted campaign using spear-phishing and backdoors. Salt Typhoon breached telecom infrastructure through stealthy intrusion and data exfiltration. CitrixBleed 2 was exploited in the wild, granting unauthorised admin access. Malware and ransomware gangs such as RansomHub, Qilin, Interlock and Chaos also had a significant impact on the public and private sectors.
DigitalXRAID exists to ensure that the bad guys don’t win. We’re driven and motivated to protect customers. Our expertise and unrivalled service means we can take care of your security, whilst you take care of business.
Talk to the team to see how you can start protecting your business against cyberattacks today.