CloudSEK Updates

In July 2025, CloudSEK analyzed how misinformation and recycled breach data—from forums, media, and researchers—flood threat intel teams with false alarms. High-profile cases like the “16 Billion Credential Leak” and ICMR breach were inflated using old or fake data. This noise wastes up to 25% of security teams’ time. The report offers a clear framework to verify breach legitimacy, reduce alert fatigue, and focus on real, high-priority cyber threats.

A critical flaw (CVE-2025-20309, CVSS 10.0) in Cisco Unified Communications Manager lets attackers gain root access via hard-coded credentials in versions 15.0.1.13010-1 to 13017-1. Over 1,000 internet-exposed assets are at risk globally, especially in the US and Asia. Likely targets include VoIP and government networks. Immediate patching, access restrictions, and log monitoring are strongly advised to prevent system compromise.

CloudSEK uncovered that the Androxgh0st botnet compromised a University of California, San Diego subdomain to host its C2 logger. Active since 2023, the botnet exploits vulnerabilities in Apache Shiro, Spring4Shell, WordPress, IoT devices, and more for remote code execution and cryptomining. Webshells were also deployed for persistence.

CloudSEK uncovered a surge in Iran-linked cyberattacks targeting Israel and its allies. Groups like APT42, APT34, MuddyWater, and hacktivist Handala are conducting espionage, data theft, and DDoS attacks. These actors use phishing, credential theft, and stealthy tools to infiltrate sensitive sectors. CloudSEK advises organizations to patch vulnerabilities, monitor DNS traffic, and enforce zero-trust security policies.

Between June 12–18, 2025, over 35 pro-Iranian hacktivist groups launched coordinated cyberattacks against Israeli military, government, and infrastructure targets, using DDoS, data leaks, and disinformation. Only 4–5 pro-Israel groups responded. These unsophisticated yet widespread attacks continue a year-long trend of exaggeration and recycled data. CloudSEK recommends urgent DDoS mitigation, multi-factor authentication, threat monitoring, and stronger incident response protocols.

A fileless AsyncRAT campaign is targeting German-speaking users via a fake “I’m not a robot” prompt that executes malicious PowerShell code. Delivered through Clickfix-themed sites, it abuses system utilities to load obfuscated C# code in memory, enabling full remote access and credential theft. It persists via registry keys and communicates with a C2 server on port 4444. Organizations should block suspicious PowerShell activity and scan memory for threats.

CloudSEK researchers have uncovered a sophisticated campaign leveraging typo-squatted “Spectrum” domains to spread a new Atomic macOS Stealer (AMOS) variant. Disguised as a CAPTCHA verification, the attack uses dynamic payloads tailored to the victim's OS—stealing passwords, bypassing macOS security, and executing malware. With Russian-language comments found in the code and flawed delivery logic, the campaign reflects both growing cross-platform ambitions and rushed execution. Dive into how this multi-platform threat operates—and why your organization should stay alert.

CloudSEK’s latest investigation uncovers how APT36 (aka Transparent Tribe) is using VPS provider Contabo to host malicious infrastructure linked to CapraRAT and Crimson RAT. One of their latest tactics? Disguising spyware as the popular messaging app Viber—armed with permissions to record calls, read messages, track location, and more. Read how we traced the infrastructure, identified key Indicators of Compromise, and uncovered the full extent of this Android surveillance campaign.

An unsecured API endpoint buried inside a JavaScript file gave attackers the keys to the kingdom—direct access to sensitive Microsoft Graph data of thousands of employees, including top executives. CloudSEK’s BeVigil platform uncovered how this silent slip could lead to identity theft, phishing attacks, and regulatory nightmares. Here’s how it unfolded—and what your organization must do to stay safe.