Cybersecurity Threats and Trends - 06/24/2025

Today's threat landscape demonstrates the continued sophistication and persistence of both nation-state and criminal cyber operations...


While you were busy arguing with your smart toaster about optimal browning settings, threat actors were busy turning your digital infrastructure into their personal ATM. Welcome to this week's cybersecurity reality check – where the only thing more predictable than your password choices is the inevitability of someone exploiting them.

1. Google Chrome Zero-Day CVE-2025-2783 Exploited by TaxOff to Deploy Trinper Backdoor

Primary Threat: A sophisticated threat actor known as TaxOff exploited a zero-day vulnerability in Google Chrome to deploy the Trinper backdoor in targeted attacks.

Risk: HIGH

The Hacker News revealed that a now-patched security flaw in Google Chrome was exploited as a zero-day by the threat actor TaxOff to deploy a backdoor codenamed Trinper. The attack, observed in mid-March 2025 by Positive Technologies, involved the use of a sandbox escape vulnerability tracked as CVE-2025-2783 with a CVSS score of 8.3. Google addressed the flaw after Kaspersky reported in-the-wild exploitation in a campaign dubbed Operation ForumTroll targeting various Russian organizations. The initial attack vector was a phishing email containing a malicious link disguised as an invitation to the Primakov Readings forum. When victims clicked the link, it triggered a one-click exploit leading to the installation of the Trinper backdoor. Written in C++, the backdoor uses multithreading to capture victim host information, record keystrokes, gather files matching specific extensions, and establish connections with remote servers to receive commands and exfiltrate data.

Detection and Remediation Tips:

  • Update Google Chrome to the latest version immediately across all endpoints

  • Implement browser isolation technology for high-risk browsing activities

  • Deploy advanced endpoint protection with behavioral analysis capabilities

  • Train employees to recognize forum and conference-themed phishing attempts

  • Monitor for indicators of compromise associated with the Trinper backdoor

  • Consider implementing application sandboxing to limit the impact of browser exploits

2. Chinese APT LapDogs Campaign Builds Massive Router Botnet for Espionage

Primary Threat: A China-linked APT has built an operational relay box network of more than 1,000 backdoored SOHO routers for long-term espionage operations.

Risk: HIGH

SecurityWeek reports that a China-linked APT has built an operational relay box (ORB) network of more than 1,000 backdoored nodes for espionage purposes in a prolonged campaign dubbed LapDogs. The campaign has been targeting IT, media, networking, real estate, and other industries in the US and Southeast Asian countries, including Japan, South Korea, Hong Kong, and Taiwan. The threat actor has been infecting small office/home office (SOHO) routers with a custom backdoor named ShortLeash, which provides stealthy, long-term access to compromised devices. Most infected devices are Ruckus Wireless access points and Buffalo Technology AirStation wireless routers running old and unpatched SSH services vulnerable to CVE-2015-1548 and CVE-2017-17663. The campaign likely started in September 2023 and has been gradually growing through methodical operations that infect up to 60 devices per run. SecurityScorecard attributes the campaign to UAT-5918, a Chinese APT that Cisco Talos linked to Volt Typhoon, Flax Typhoon, Earth Estries, and Dalbit activities.

Detection and Remediation Tips:

  • Immediately update firmware on all SOHO routers and wireless access points

  • Implement network segmentation to isolate IoT devices from critical systems

  • Monitor network traffic for unusual patterns that could indicate compromise

  • Replace any devices running end-of-life firmware that cannot be updated

  • Enable logging and monitoring for all network infrastructure devices

  • Consider implementing zero-trust network architecture to limit lateral movement

3. FreeType Zero-Day CVE-2025-27363 Exploited by Paragon Spyware in WhatsApp Attacks

Primary Threat: Israeli surveillance solutions provider Paragon exploited a zero-day vulnerability in the FreeType library to deploy Graphite spyware through WhatsApp.

Risk: HIGH

SecurityWeek disclosed that Meta-owned WhatsApp has linked CVE-2025-27363, an out-of-bounds vulnerability in the FreeType open source library, to an exploit developed by Israeli surveillance solutions provider Paragon. The vulnerability, which could lead to arbitrary code execution, was discovered during Meta's investigation into potential channels that threat actors such as spyware firms may be using to deliver malware outside of WhatsApp. The flaw impacts FreeType 2.13.0 and earlier and is triggered when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value, causing it to wrap around and allocate too small of a heap buffer, allowing attackers to write up to 6 signed long integers out of bounds. Citizen Lab has found evidence that Paragon's Graphite spyware has been used in countries such as Australia, Canada, Denmark, Italy, Cyprus, Singapore, and Israel. The company is known for developing sophisticated exploits that do not require any interaction from the targeted user.
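The integer wrap described above, shown as an added C illustration (not FreeType's source): a signed short widened into an unsigned long, a fixed header size added without a check, and the checked form that a reviewer would expect instead. The constant HEADER_BYTES and both function names are constructed for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed header size for illustration; not FreeType's constant. */
#define HEADER_BYTES 4UL

/* Flawed pattern: the signed count is converted to unsigned long, then a
 * static value is added. A negative count converts to a huge value
 * (e.g. -1 becomes ULONG_MAX), and the addition wraps to a tiny size,
 * so the heap buffer allocated from it is far smaller than the data
 * later written into it. */
unsigned long unsafe_alloc_size(short count)
{
    unsigned long size = count;   /* -1 becomes ULONG_MAX */
    size += HEADER_BYTES;         /* wraps to HEADER_BYTES - 1 */
    return size;
}

/* Checked form: reject negative counts before widening, and verify the
 * addition cannot exceed ULONG_MAX. Returns false instead of producing
 * a size the caller might hand to malloc(). */
bool safe_alloc_size(short count, unsigned long *out)
{
    if (count < 0)
        return false;             /* negative counts are invalid input */
    unsigned long widened = (unsigned long)count;
    if (widened > ULONG_MAX - HEADER_BYTES)
        return false;             /* sum would wrap */
    *out = widened + HEADER_BYTES;
    return true;
}

int main(void)
{
    unsigned long checked = 0;
    printf("unsafe size for count -1: %lu\n", unsafe_alloc_size(-1));
    printf("safe   size for count -1: %s\n",
           safe_alloc_size(-1, &checked) ? "accepted" : "rejected");
    return 0;
}
```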

Detection and Remediation Tips:

  • Update all systems using FreeType library to the latest patched version

  • Implement application sandboxing to limit the impact of font parsing vulnerabilities

  • Monitor for suspicious font file processing activities in security logs

  • Consider implementing additional security controls for document and media processing

  • Review and update incident response procedures for zero-click exploits

  • Deploy advanced threat detection capable of identifying spyware indicators

Did you know...?

The concept of "operational relay boxes" (ORBs) like those used in the LapDogs campaign represents a sophisticated evolution in cyber espionage infrastructure that most organizations completely underestimate. Unlike traditional botnets designed for noisy, disruptive attacks, ORB networks are built for the long game – maintaining stealthy, persistent access to compromised devices that continue functioning normally while secretly serving as stepping stones for intelligence operations. What makes ORBs particularly insidious is their "living off the land" approach: infected routers and IoT devices maintain their legitimate functions while simultaneously providing covert infrastructure for espionage activities. The first documented use of this technique dates back to 2008 when researchers discovered the "GhostNet" operation, which used compromised computers in 103 countries to spy on government offices, businesses, and individuals. However, modern ORB networks have evolved far beyond those early efforts. Today's campaigns like LapDogs can operate for years without detection, gradually building networks of thousands of compromised devices that provide geographic diversity, operational redundancy, and plausible deniability. The beauty of this approach from an attacker's perspective is that each compromised router appears to be just another legitimate internet user, making attribution and detection extremely challenging. For defenders, this means that the humble SOHO router sitting in your office break room could be providing cover for nation-state espionage operations targeting your organization or others in your industry.

4. Aflac Discloses Major Cybersecurity Incident Affecting Customer and Employee Data

Primary Threat: Insurance giant Aflac suffered a sophisticated cyberattack that potentially compromised claims information, health data, and Social Security numbers.

Risk: HIGH

Aflac announced that on June 12, 2025, the company identified suspicious activity on its network in the United States and promptly initiated cyber incident response protocols, stopping the intrusion within hours. The attack was caused by a sophisticated cybercrime group as part of a broader cybercrime campaign against the insurance industry. Preliminary findings indicate that the unauthorized party used social engineering tactics to gain access to the network. The potentially impacted files contain claims information, health information, Social Security numbers, and other personal information related to customers, beneficiaries, employees, agents, and other individuals in the U.S. business. While the investigation remains in its early stages, Aflac is offering free credit monitoring and identity theft protection, plus Medical Shield for 24 months to any individual who contacts their dedicated call center. The company emphasized that their business remains operational, systems were not affected by ransomware, and they can continue to underwrite policies, review claims, and service customers as usual.

Detection and Remediation Tips:

  • If you're an Aflac customer, contact their dedicated call center at 1-855-361-0305 for free credit monitoring

  • Monitor all financial accounts and credit reports for suspicious activity

  • Enable fraud alerts and credit freezes as an additional precaution

  • Review and strengthen social engineering awareness training for employees

  • Implement multi-factor authentication for all critical business systems

  • Conduct regular security assessments of third-party vendors and partners

5. Record-Breaking Data Breach Exposes 16 Billion Login Credentials

Primary Threat: A colossal data breach has exposed over 16 billion login credentials for Google, Facebook, Apple, and other major platforms in one of the largest credential databases ever discovered.

Risk: CRITICAL

Forbes reported that more than 16 billion login credentials for Google, Facebook, Apple and other platforms have been exposed in one of the largest databases of cybersecurity breaches ever recorded. The file was left entirely unprotected with no encryption, no password protection, and no safeguards – just a plain text document holding millions of sensitive data entries. Cybernews confirmed that this represents a record-breaking data breach opening access to Facebook, Google, Apple, and virtually any other service imaginable. The exposed credentials appear to have been collected through various infostealer malware campaigns over an extended period. Security researchers emphasize that this massive compilation significantly increases the risk of credential stuffing attacks, where cybercriminals use automated tools to test these leaked credentials across multiple platforms and services.

Detection and Remediation Tips:

  • Immediately change passwords for all major online accounts, especially Google, Apple, Facebook, and Microsoft

  • Enable multi-factor authentication on all accounts that support it

  • Use a reputable password manager to generate and store unique passwords for each account

  • Monitor accounts for unauthorized access and enable login notifications where available

  • Consider using passkeys or hardware security keys for high-value accounts

  • Regularly audit and update security settings across all online services

6. DHS Warns of Heightened Iranian Cyber Threats Following US Military Action

Primary Threat: The Department of Homeland Security has issued a National Terrorism Advisory System bulletin warning of increased cyber threats from Iran-linked actors following recent US military strikes.

Risk: HIGH

The Department of Homeland Security warned in a National Terrorism Advisory System bulletin issued June 22, 2025, that the ongoing Iran conflict is causing a heightened threat environment in the United States. Cybersecurity Dive noted that federal officials are warning that pro-Iran hacktivists or state-linked actors may target US critical infrastructure and networks. CNN reported that low-level cyber attacks against US networks by pro-Iranian hacktivists are likely, and cyber actors affiliated with the Iranian government may conduct attacks against poorly secured US networks and Internet-connected devices. The bulletin specifically highlights threats to critical infrastructure, with particular concern about attacks on telecommunications, energy, and financial sectors. Sysdig anticipates a spike in cyber activity following the June 22, 2025 United States strikes on Iranian nuclear infrastructure, with potential for both state-sponsored and hacktivist-driven attacks.

Detection and Remediation Tips:

  • Increase monitoring and logging for all critical infrastructure systems

  • Review and test incident response procedures for nation-state attacks

  • Implement additional network segmentation for operational technology systems

  • Enhance threat intelligence sharing with industry partners and government agencies

  • Conduct security assessments of Internet-facing systems and services

  • Prepare for potential distributed denial-of-service attacks and implement mitigation strategies

IN SUMMARY:

The exploitation of zero-day vulnerabilities in widely-used software like Google Chrome and FreeType shows that even the most security-conscious organizations remain vulnerable to determined attackers.

Meanwhile, the LapDogs campaign illustrates how threat actors are building long-term espionage infrastructure using everyday devices that most organizations never consider part of their attack surface.

The Aflac incident reminds us that social engineering remains a highly effective attack vector, while the massive 16 billion credential leak underscores the ongoing challenge of credential security in an interconnected world.

Finally, the heightened Iranian cyber threat following recent geopolitical events serves as a stark reminder that cybersecurity cannot be separated from broader national security.

🚨 Key Takeaways:

✔️ Zero-day vulnerabilities in popular software like Chrome and FreeType continue to be actively exploited by sophisticated threat actors.
✔️ Nation-state actors are building massive, stealthy infrastructure networks using compromised SOHO routers and IoT devices.
✔️ Social engineering attacks remain highly effective against even large, well-resourced organizations like major insurance companies.
✔️ Credential security is more critical than ever, with billions of passwords exposed in massive data compilations.
✔️ Geopolitical tensions directly translate to increased cyber threats against critical infrastructure and private sector targets.
✔️ Commercial spyware vendors continue to develop and deploy sophisticated zero-click exploits against high-value targets.

🔎 Immediate Actions:

✔️ Update Google Chrome and all systems using FreeType library to the latest patched versions immediately.
✔️ Change passwords for all major online accounts and enable multi-factor authentication wherever possible.
✔️ Update firmware on all SOHO routers, wireless access points, and IoT devices in your environment.
✔️ Enhance monitoring and logging for critical infrastructure systems given heightened Iranian cyber threats.
✔️ Review and strengthen social engineering awareness training for all employees and contractors.
✔️ Implement network segmentation to isolate IoT devices and limit potential lateral movement by attackers.

💡 Stay vigilant, patch promptly, and remember that in cybersecurity, paranoia isn't a disorder – it's a job requirement. 💡

J.W.
