Cybersecurity Threats and Trends - 06/24/2025
Today's threat landscape demonstrates the continued sophistication and persistence of both nation-state and criminal cyber operations...
While you were busy arguing with your smart toaster about optimal browning settings, threat actors were busy turning your digital infrastructure into their personal ATM. Welcome to this week's cybersecurity reality check – where the only thing more predictable than your password choices is the inevitability of someone exploiting them.
1. Google Chrome Zero-Day CVE-2025-2783 Exploited by TaxOff to Deploy Trinper Backdoor
Primary Threat: A sophisticated threat actor known as TaxOff exploited a zero-day vulnerability in Google Chrome to deploy the Trinper backdoor in targeted attacks.
Risk: HIGH
The Hacker News revealed that a now-patched security flaw in Google Chrome was exploited as a zero-day by the threat actor TaxOff to deploy a backdoor codenamed Trinper. The attack, observed in mid-March 2025 by Positive Technologies, involved the use of a sandbox escape vulnerability tracked as CVE-2025-2783 with a CVSS score of 8.3. Google addressed the flaw after Kaspersky reported in-the-wild exploitation in a campaign dubbed Operation ForumTroll targeting various Russian organizations. The initial attack vector was a phishing email containing a malicious link disguised as an invitation to the Primakov Readings forum. When victims clicked the link, it triggered a one-click exploit leading to the installation of the Trinper backdoor. Written in C++, the backdoor uses multithreading to capture victim host information, record keystrokes, gather files matching specific extensions, and establish connections with remote servers to receive commands and exfiltrate data.
Detection and Remediation Tips:
Update Google Chrome to the latest version immediately across all endpoints
Implement browser isolation technology for high-risk browsing activities
Deploy advanced endpoint protection with behavioral analysis capabilities
Train employees to recognize forum and conference-themed phishing attempts
Monitor for indicators of compromise associated with the Trinper backdoor
Consider implementing application sandboxing to limit the impact of browser exploits
2. Chinese APT LapDogs Campaign Builds Massive Router Botnet for Espionage
Primary Threat: A China-linked APT has built an operational relay box network of more than 1,000 backdoored SOHO routers for long-term espionage operations.
Risk: HIGH
SecurityWeek reports that a China-linked APT has built an operational relay box (ORB) network of more than 1,000 backdoored nodes for espionage purposes in a prolonged campaign dubbed LapDogs. The campaign has been targeting IT, media, networking, real estate, and other industries in the US and Southeast Asian countries, including Japan, South Korea, Hong Kong, and Taiwan. The threat actor has been infecting small office/home office (SOHO) routers with a custom backdoor named ShortLeash, which provides stealthy, long-term access to compromised devices. Most infected devices are Ruckus Wireless access points and Buffalo Technology AirStation wireless routers running old and unpatched SSH services vulnerable to CVE-2015-1548 and CVE-2017-17663. The campaign likely started in September 2023 and has been gradually growing through methodical operations that infect up to 60 devices per run. SecurityScorecard attributes the campaign to UAT-5918, a Chinese APT that Cisco Talos linked to Volt Typhoon, Flax Typhoon, Earth Estries, and Dalbit activities.
Detection and Remediation Tips:
Immediately update firmware on all SOHO routers and wireless access points
Implement network segmentation to isolate IoT devices from critical systems
Monitor network traffic for unusual patterns that could indicate compromise
Replace any devices running end-of-life firmware that cannot be updated
Enable logging and monitoring for all network infrastructure devices
Consider implementing zero-trust network architecture to limit lateral movement
3. FreeType Zero-Day CVE-2025-27363 Exploited by Paragon Spyware in WhatsApp Attacks
Primary Threat: Israeli surveillance solutions provider Paragon exploited a zero-day vulnerability in the FreeType library to deploy Graphite spyware through WhatsApp.
Risk: HIGH
SecurityWeek disclosed that Meta-owned WhatsApp has linked CVE-2025-27363, an out-of-bounds vulnerability in the FreeType open source library, to an exploit developed by Israeli surveillance solutions provider Paragon. The vulnerability, which could lead to arbitrary code execution, was discovered during Meta's investigation into potential channels that threat actors such as spyware firms may be using to deliver malware outside of WhatsApp. The flaw impacts FreeType 2.13.0 and earlier and is triggered when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value, causing the result to wrap around and allocate a heap buffer that is too small, which allows attackers to write up to 6 signed long integers out of bounds. Citizen Lab has found evidence that Paragon's Graphite spyware has been used in countries such as Australia, Canada, Denmark, Italy, Cyprus, Singapore, and Israel. The company is known for developing sophisticated exploits that do not require any interaction from the targeted user.
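The arithmetic described above is a classic integer-wraparound bug in allocation sizing. The following C program is an added illustration written for this newsletter, not FreeType's code and not Paragon's exploit: it shows the unchecked "signed short into unsigned long, then add a constant" pattern next to a hardened version that rejects negative counts and bounds the sum before anything is allocated. The field name, the constant FIXED_OVERHEAD and the 1024-entry limit are assumptions chosen for the example; the real FreeType field and constant are not named in the article.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-ins for the illustration (not FreeType's real identifiers):
 * a signed 16-bit count read from the font file, and a constant added to it. */
typedef int16_t font_short;
#define FIXED_OVERHEAD 16UL

/* Vulnerable pattern: a signed short is assigned to an unsigned long (the
 * conversion is implicit in such code; the cast here only makes it visible)
 * and a constant is added. A negative count becomes a huge unsigned value and
 * the addition wraps around to a small number, so the buffer sized from this
 * result is far smaller than the number of entries the parser later writes. */
unsigned long alloc_entries_unchecked(font_short n)
{
    unsigned long size = (unsigned long)n;  /* -10 becomes ULONG_MAX - 9 */
    size += FIXED_OVERHEAD;                 /* ... and wraps around to 6 */
    return size;
}

/* Hardened pattern: reject negative counts before the conversion, then check
 * that count + overhead cannot exceed the caller's limit (the subtraction is
 * done on the limit side, so the check itself cannot overflow). Returns 0 on
 * rejection; every accepted size is at least FIXED_OVERHEAD, so 0 is unambiguous. */
unsigned long checked_entries_or_zero(font_short n, unsigned long max_entries)
{
    if (n < 0 || max_entries < FIXED_OVERHEAD)
        return 0;                           /* a count can never be negative */
    unsigned long count = (unsigned long)n;
    if (count > max_entries - FIXED_OVERHEAD)
        return 0;                           /* sum would exceed the limit */
    return count + FIXED_OVERHEAD;
}

int main(void)
{
    /* Constructed sample counts, including the negative values that wrap. */
    const font_short samples[] = { 4, 0, -1, -10, -16 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("count=%6d  unchecked=%20lu  checked=%lu\n",
               samples[i],
               alloc_entries_unchecked(samples[i]),
               checked_entries_or_zero(samples[i], 1024));
    }
    return 0;
}
```

The unchecked function turns a count of -10 into an allocation of 6 entries, and -16 into an allocation of 0 entries, while the checked version refuses both; it also refuses a positive count whose sum would exceed the limit, which is the other half of the same class of bug.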
Detection and Remediation Tips:
Update all systems using FreeType library to the latest patched version
Implement application sandboxing to limit the impact of font parsing vulnerabilities
Monitor for suspicious font file processing activities in security logs
Consider implementing additional security controls for document and media processing
Review and update incident response procedures for zero-click exploits
Deploy advanced threat detection capable of identifying spyware indicators
Did you know...?
The concept of "operational relay boxes" (ORBs) like those used in the LapDogs campaign represents a sophisticated evolution in cyber espionage infrastructure that most organizations completely underestimate. Unlike traditional botnets designed for noisy, disruptive attacks, ORB networks are built for the long game – maintaining stealthy, persistent access to compromised devices that continue functioning normally while secretly serving as stepping stones for intelligence operations. What makes ORBs particularly insidious is their "living off the land" approach: infected routers and IoT devices maintain their legitimate functions while simultaneously providing covert infrastructure for espionage activities. The first documented use of this technique dates back to 2008 when researchers discovered the "GhostNet" operation, which used compromised computers in 103 countries to spy on government offices, businesses, and individuals. However, modern ORB networks have evolved far beyond those early efforts. Today's campaigns like LapDogs can operate for years without detection, gradually building networks of thousands of compromised devices that provide geographic diversity, operational redundancy, and plausible deniability. The beauty of this approach from an attacker's perspective is that each compromised router appears to be just another legitimate internet user, making attribution and detection extremely challenging. For defenders, this means that the humble SOHO router sitting in your office break room could be providing cover for nation-state espionage operations targeting your organization or others in your industry.
4. Aflac Discloses Major Cybersecurity Incident Affecting Customer and Employee Data
Primary Threat: Insurance giant Aflac suffered a sophisticated cyberattack that potentially compromised claims information, health data, and Social Security numbers.
Risk: HIGH
Aflac announced that on June 12, 2025, the company identified suspicious activity on its network in the United States and promptly initiated cyber incident response protocols, stopping the intrusion within hours. The attack was caused by a sophisticated cybercrime group as part of a broader cybercrime campaign against the insurance industry. Preliminary findings indicate that the unauthorized party used social engineering tactics to gain access to the network. The potentially impacted files contain claims information, health information, Social Security numbers, and other personal information related to customers, beneficiaries, employees, agents, and other individuals in the U.S. business. While the investigation remains in its early stages, Aflac is offering free credit monitoring and identity theft protection, plus Medical Shield for 24 months to any individual who contacts their dedicated call center. The company emphasized that their business remains operational, systems were not affected by ransomware, and they can continue to underwrite policies, review claims, and service customers as usual.
Detection and Remediation Tips:
If you're an Aflac customer, contact their dedicated call center at 1-855-361-0305 for free credit monitoring
Monitor all financial accounts and credit reports for suspicious activity
Enable fraud alerts and credit freezes as an additional precaution
Review and strengthen social engineering awareness training for employees
Implement multi-factor authentication for all critical business systems
Conduct regular security assessments of third-party vendors and partners
5. Record-Breaking Data Breach Exposes 16 Billion Login Credentials
Primary Threat: A colossal data breach has exposed over 16 billion login credentials for Google, Facebook, Apple, and other major platforms in one of the largest credential databases ever discovered.
Risk: CRITICAL
Forbes reported that more than 16 billion login credentials for Google, Facebook, Apple and other platforms have been exposed in one of the largest databases of cybersecurity breaches ever recorded. The file was left entirely unprotected with no encryption, no password protection, and no safeguards – just a plain text document holding millions of sensitive data entries. Cybernews confirmed that this represents a record-breaking data breach opening access to Facebook, Google, Apple, and virtually any other service imaginable. The exposed credentials appear to have been collected through various infostealer malware campaigns over an extended period. Security researchers emphasize that this massive compilation significantly increases the risk of credential stuffing attacks, where cybercriminals use automated tools to test these leaked credentials across multiple platforms and services.
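Credential stuffing, as the paragraph above describes it, tests many leaked username/password pairs from one automated source, so its signature in authentication logs is one source failing against many different usernames, unlike a user who mistypes their own password repeatedly. The C program below is an added example for this newsletter (not code from any of the cited reports) that runs that heuristic over a handful of constructed log lines. The log format, the field names src/user/result, the threshold and all IP addresses and usernames are assumptions; the lines are assumed to already be restricted to one detection window.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_SOURCES 32
#define MAX_USERS   32
#define FIELD_LEN   64

/* Constructed sample log lines in an assumed format (not real data):
 *   "<timestamp> src=<ip> user=<name> result=<OK|FAIL>" */
static const char *const SAMPLE_LOG[] = {
    "2025-06-24T09:00:01Z src=203.0.113.7 user=alice result=FAIL",
    "2025-06-24T09:00:02Z src=203.0.113.7 user=bob result=FAIL",
    "2025-06-24T09:00:02Z src=203.0.113.7 user=carol result=FAIL",
    "2025-06-24T09:00:03Z src=203.0.113.7 user=dave result=FAIL",
    "2025-06-24T09:00:03Z src=203.0.113.7 user=erin result=OK",
    "2025-06-24T09:00:04Z src=203.0.113.7 user=frank result=FAIL",
    "2025-06-24T09:01:10Z src=198.51.100.2 user=alice result=FAIL",
    "2025-06-24T09:01:15Z src=198.51.100.2 user=alice result=FAIL",
    "2025-06-24T09:01:20Z src=198.51.100.2 user=alice result=OK",
    "2025-06-24T09:02:00Z src=192.0.2.9 user=grace result=OK",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

typedef struct {
    char ip[FIELD_LEN];
    char failed_users[MAX_USERS][FIELD_LEN];
    int distinct_failed_users;   /* different usernames that failed from this source */
    int successes;               /* successes from a stuffing source are the accounts to reset */
} source_stats;

typedef struct { source_stats src[MAX_SOURCES]; int count; } source_table;

/* Find the per-source record for an IP, creating it if there is room. */
static source_stats *lookup(source_table *t, const char *ip)
{
    for (int i = 0; i < t->count; i++)
        if (strcmp(t->src[i].ip, ip) == 0)
            return &t->src[i];
    if (t->count == MAX_SOURCES)
        return NULL;                            /* table full: drop, never overflow */
    source_stats *s = &t->src[t->count++];
    memset(s, 0, sizeof *s);
    snprintf(s->ip, sizeof s->ip, "%s", ip);
    return s;
}

/* Count a failed username once per source, however often it fails. */
static void note_failed_user(source_stats *s, const char *user)
{
    for (int i = 0; i < s->distinct_failed_users; i++)
        if (strcmp(s->failed_users[i], user) == 0)
            return;
    if (s->distinct_failed_users < MAX_USERS)
        snprintf(s->failed_users[s->distinct_failed_users++], FIELD_LEN, "%s", user);
}

/* Parse every line into per-source statistics; malformed lines are skipped. */
static void build_table(const char *const *lines, size_t nlines, source_table *t)
{
    t->count = 0;
    for (size_t i = 0; i < nlines; i++) {
        char ip[FIELD_LEN], user[FIELD_LEN], result[8];
        if (sscanf(lines[i], "%*s src=%63s user=%63s result=%7s", ip, user, result) != 3)
            continue;
        source_stats *s = lookup(t, ip);
        if (!s)
            continue;
        if (strcmp(result, "FAIL") == 0)
            note_failed_user(s, user);
        else if (strcmp(result, "OK") == 0)
            s->successes++;
    }
}

/* How many different usernames failed from one source address. */
int distinct_failed_users_from(const char *const *lines, size_t n, const char *ip)
{
    static source_table t;
    build_table(lines, n, &t);
    for (int i = 0; i < t.count; i++)
        if (strcmp(t.src[i].ip, ip) == 0)
            return t.src[i].distinct_failed_users;
    return 0;
}

/* Flag sources whose distinct failed usernames reach the threshold; returns the count. */
int count_stuffing_sources(const char *const *lines, size_t n, int min_distinct_users)
{
    static source_table t;
    build_table(lines, n, &t);
    int flagged = 0;
    for (int i = 0; i < t.count; i++) {
        if (t.src[i].distinct_failed_users >= min_distinct_users) {
            flagged++;
            printf("ALERT src=%s distinct_failed_users=%d successes=%d\n",
                   t.src[i].ip, t.src[i].distinct_failed_users, t.src[i].successes);
        }
    }
    return flagged;
}

int main(void)
{
    return count_stuffing_sources(SAMPLE_LOG, SAMPLE_LOG_LEN, 3) > 0 ? 1 : 0;
}
```

With the sample lines and a threshold of 3, only 203.0.113.7 is flagged (five different usernames failed from it), while 198.51.100.2 is not, because the same user failed twice and then logged in. The success recorded for the flagged source is the account to reset and enforce multi-factor authentication on first, which is the action the tips below recommend.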
Detection and Remediation Tips:
Immediately change passwords for all major online accounts, especially Google, Apple, Facebook, and Microsoft
Enable multi-factor authentication on all accounts that support it
Use a reputable password manager to generate and store unique passwords for each account
Monitor accounts for unauthorized access and enable login notifications where available
Consider using passkeys or hardware security keys for high-value accounts
Regularly audit and update security settings across all online services
6. DHS Warns of Heightened Iranian Cyber Threats Following US Military Action
Primary Threat: The Department of Homeland Security has issued a National Terrorism Advisory System bulletin warning of increased cyber threats from Iran-linked actors following recent US military strikes.
Risk: HIGH
The Department of Homeland Security warned in a National Terrorism Advisory System bulletin issued June 22, 2025, that the ongoing Iran conflict is causing a heightened threat environment in the United States. Cybersecurity Dive noted that federal officials are warning that pro-Iran hacktivists or state-linked actors may target US critical infrastructure and networks. CNN reported that low-level cyber attacks against US networks by pro-Iranian hacktivists are likely, and cyber actors affiliated with the Iranian government may conduct attacks against poorly secured US networks and Internet-connected devices. The bulletin specifically highlights threats to critical infrastructure, with particular concern about attacks on telecommunications, energy, and financial sectors. Sysdig anticipates a spike in cyber activity following the June 22, 2025 United States strikes on Iranian nuclear infrastructure, with potential for both state-sponsored and hacktivist-driven attacks.
Detection and Remediation Tips:
Increase monitoring and logging for all critical infrastructure systems
Review and test incident response procedures for nation-state attacks
Implement additional network segmentation for operational technology systems
Enhance threat intelligence sharing with industry partners and government agencies
Conduct security assessments of Internet-facing systems and services
Prepare for potential distributed denial-of-service attacks and implement mitigation strategies
IN SUMMARY:
The exploitation of zero-day vulnerabilities in widely-used software like Google Chrome and FreeType shows that even the most security-conscious organizations remain vulnerable to determined attackers.
Meanwhile, the LapDogs campaign illustrates how threat actors are building long-term espionage infrastructure using everyday devices that most organizations never consider part of their attack surface.
The Aflac incident reminds us that social engineering remains a highly effective attack vector, while the massive 16 billion credential leak underscores the ongoing challenge of credential security in an interconnected world.
Finally, the heightened Iranian cyber threat following recent geopolitical events serves as a stark reminder that cybersecurity cannot be separated from broader national security.
🚨 Key Takeaways:
✔️ Zero-day vulnerabilities in popular software like Chrome and FreeType continue to be actively exploited by sophisticated threat actors.
✔️ Nation-state actors are building massive, stealthy infrastructure networks using compromised SOHO routers and IoT devices.
✔️ Social engineering attacks remain highly effective against even large, well-resourced organizations like major insurance companies.
✔️ Credential security is more critical than ever, with billions of passwords exposed in massive data compilations.
✔️ Geopolitical tensions directly translate to increased cyber threats against critical infrastructure and private sector targets.
✔️ Commercial spyware vendors continue to develop and deploy sophisticated zero-click exploits against high-value targets.
🔎 Immediate Actions:
✔️ Update Google Chrome and all systems using FreeType library to the latest patched versions immediately.
✔️ Change passwords for all major online accounts and enable multi-factor authentication wherever possible.
✔️ Update firmware on all SOHO routers, wireless access points, and IoT devices in your environment.
✔️ Enhance monitoring and logging for critical infrastructure systems given heightened Iranian cyber threats.
✔️ Review and strengthen social engineering awareness training for all employees and contractors.
✔️ Implement network segmentation to isolate IoT devices and limit potential lateral movement by attackers.
💡 Stay vigilant, patch promptly, and remember that in cybersecurity, paranoia isn't a disorder – it's a job requirement. 💡
J.W.
(P.S. Check out our partners! It goes a long way to support this newsletter!)