Cyber Security Weekly Briefing, 6 June
Scattered Spider analysis
Scattered Spider has targeted the hospitality, telecommunications, finance and retail sectors with high sophistication. The group, active since at least 2022, is differentiated by its combination of advanced social engineering and technical expertise.
Its modus operandi is based on manipulating IT support employees and circumventing MFA through vishing or similar tactics, posing as legitimate personnel and displaying proficiency in English. In addition, Scattered Spider is reported to partner with the DragonForce RaaS, focusing on gaining initial access while outsourcing encryption and ransom negotiation to DragonForce.
After gaining access, they collect credentials using tools such as Mimikatz and Cobalt Strike, escalate privileges through infrastructure such as Active Directory or Okta, and exfiltrate sensitive data before deploying the ransomware. Scattered Spider is also reported to target SSO services and remote access tools such as VPN and RDP gateways for lateral movement.
Its use of living-off-the-land techniques, along with disabling security controls and deleting logs, further hinders analysis and incident response.
UNC6040 compromises Salesforce instances for data extortion
Google Threat Intelligence Group (GTIG) has identified a cyberattack campaign carried out by the UNC6040 group, which uses vishing (voice phishing) techniques to compromise Salesforce instances in multinational organizations.
The attackers pose as technical support personnel and, via phone calls, persuade employees to authorize a malicious connected application on the company's Salesforce portal.
This application, a modified version of the Salesforce Data Loader, is not authorized by the platform and allows attackers to access, query and exfiltrate sensitive information directly from the compromised Salesforce environment. In some cases, extortion activity has not manifested until several months after the initial intrusion, suggesting that UNC6040 may be collaborating with other threat actors to monetize access to the stolen data.
During these extortion attempts, the attackers have claimed affiliation with the ShinyHunters hacking group.
Crocodilus employs new social engineering techniques
Researchers at ThreatFabric have detected a new version of the Android malware Crocodilus, which now includes a feature to add fake contacts to the infected device. This technique allows attackers' calls to display trusted names such as “Bank Support”, thus impersonating legitimate entities.
This feature is triggered by a remote command and executed via the ContentProvider API. In addition, the malware has evolved with evasion-focused enhancements such as packing of the dropper code, additional XOR encryption and obfuscation techniques that make analysis more difficult. Local processing of stolen data has also been added to improve the quality of exfiltrated information.
Researchers have recommended downloading apps only from trusted sources and keeping Google Play Protect active.
DCRat's presence in Latin America increases through targeted phishing campaigns
In May 2025, IBM X-Force detected a series of phishing campaigns in Colombia, attributed to the cybercriminal group Hive0131, impersonating the Colombian Judicial Branch to distribute the DCRat remote access Trojan.
These campaigns used emails with links to ZIP files that, when opened, executed malicious scripts designed to load DCRat directly into memory, thus avoiding detection by traditional antivirus solutions. DCRat, operated as Malware-as-a-Service (MaaS) since at least 2018, is known for its low cost and wide availability on Russian cybercriminal forums.
Its capabilities include audio and video recording, keystroke capture, file system manipulation, and persistence via scheduled tasks or registry keys.
Technical details of the CVE-2025-20188 flaw released
Researchers at Horizon3 have published technical details of a Cisco IOS XE WLC arbitrary file upload flaw, tracked as CVE-2025-20188 (CVSSv3 10.0 according to Cisco). The vulnerability is caused by a flaw in JSON Web Token (JWT) handling that allows an unauthenticated remote attacker to upload files, perform path traversal and execute arbitrary commands with root privileges when the Out-of-Band AP Image Download feature is enabled.
Horizon3's analysis shows that the flaw exists due to a hard-coded JWT fallback secret, the string notfound, used by the backend's OpenResty (Lua + Nginx) scripts for the upload endpoints, combined with insufficient path validation.
Specifically, the backend uses the scripts to validate JWT tokens and handle file uploads, but if the '/tmp/nginx_jwt_key' file is missing, the script falls back to the notfound string to verify JWTs. This allows attackers to generate valid tokens. Users are advised to upgrade to the patched version 17.12.04, or later, as soon as possible.
As a workaround, it is possible to disable the Out-of-Band AP Image Download feature to shut down the vulnerable service.
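The two defects described above (a secret that silently falls back to a fixed string when the key file is missing, and an upload path that is not confined to its directory) are a common pattern, so the following added example recreates it in Python and shows the fail-closed alternative. It is not Cisco's or Horizon3's code: the key-file path mirrors the one named in the write-up, but the upload root, the function names and the minimal HS256 helper are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Optional

# Hypothetical constants for this example. KEY_FILE mirrors the path named in
# the advisory; UPLOAD_ROOT is a constructed upload directory.
KEY_FILE = "/tmp/nginx_jwt_key"
UPLOAD_ROOT = "/tmp/uploads"


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_hs256(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT builder; used here only to construct test inputs."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(mac)}"


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the HMAC matches the given key, otherwise None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except (ValueError, json.JSONDecodeError):
        return None


def load_key_weak(path: str = KEY_FILE) -> bytes:
    """Vulnerable pattern: a missing key file silently becomes a fixed, public secret.

    Anyone who knows the fallback string can mint tokens the backend accepts.
    """
    try:
        with open(path, "rb") as fh:
            return fh.read().strip()
    except FileNotFoundError:
        return b"notfound"  # the fallback string named in the advisory


def load_key_strict(path: str = KEY_FILE) -> bytes:
    """Hardened pattern: fail closed. No key file means no verification and no upload."""
    with open(path, "rb") as fh:  # FileNotFoundError propagates to the caller
        key = fh.read().strip()
    if len(key) < 32:
        raise ValueError("JWT key too short; refusing to verify")
    return key


def safe_upload_path(root: str, filename: str) -> str:
    """Reject path traversal: the resolved target must stay inside root."""
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, filename))
    if os.path.commonpath([root_real, target]) != root_real:
        raise ValueError(f"path escapes upload root: {filename!r}")
    return target


def authorize_upload(token: str, filename: str, key_path: str = KEY_FILE,
                     root: str = UPLOAD_ROOT) -> str:
    """Hardened upload gate: strict key loading, signature check, path containment.

    Returns the absolute target path on success; raises on any failure.
    """
    key = load_key_strict(key_path)
    if verify_hs256(token, key) is None:
        raise PermissionError("invalid JWT signature")
    return safe_upload_path(root, filename)
```

Note the ordering in `authorize_upload`: the key is loaded before the token is parsed, so an absent or weak key aborts the request rather than degrading to a guessable secret, and the path check runs only after authentication succeeds.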
This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in knowing the rest of the Operational and Strategic Intelligence contents included in the service, please contact us.