National Cyber Warfare Foundation (NCWF)

Security Affairs newsletter Round 539 by Pierluigi Paganini INTERNATIONAL EDITION


2025-08-31 06:51:48
milo
Blue Team (CND)


A new round of the weekly Security Affairs newsletter has arrived! Every week, the best security articles from Security Affairs are free in your email box.





Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.





Lab Dookhtegan hacking group disrupts communications on dozens of Iranian ships
New zero-click exploit allegedly used to hack WhatsApp users
US and Dutch Police dismantle VerifTools fake ID marketplace
Experts warn of actively exploited FreePBX zero-day
Google: Salesloft Drift breach hits all integrations
Dutch intelligence warn that China-linked APT Salt Typhoon targeted local critical infrastructure
200 Swedish municipalities impacted by a major cyberattack on IT provider
TransUnion discloses a data breach impacting over 4.4 million customers
NSA, NCSC, and allies detailed TTPs associated with Chinese APT actors targeting critical infrastructure Orgs
UNC6395 targets Salesloft in Drift OAuth token theft campaign
Over 28,000 Citrix instances remain exposed to critical RCE flaw CVE-2025-7775
U.S. CISA adds Citrix NetScaler flaw to its Known Exploited Vulnerabilities catalog
Healthcare Services Group discloses 2024 data breach that impacted 624,496 people
ESET warns of PromptLock, the first AI-driven ransomware
China linked UNC6384 targeted diplomats by hijacking web traffic
Farmers Insurance discloses a data breach impacting 1.1M customers
Citrix fixed three NetScaler flaws, one of them actively exploited in the wild
Auchan discloses data breach: data of hundreds of thousands of customers exposed
U.S. CISA adds Citrix Session Recording, and Git flaws to its Known Exploited Vulnerabilities catalog
Docker fixes critical Desktop flaw allowing container escapes
Malicious apps with +19M installs removed from Google Play because spreading Anatsa banking trojan and other malware
Pakistan-linked APT36 abuses Linux .desktop files to drop custom malware in new campaign
Android.Backdoor.916.origin malware targets Russian business executives
Electronics manufacturer Data I/O took offline operational systems following a ransomware attack
IoT under siege: The return of the Mirai-based Gayfemboy Botnet




International Press – Newsletter





Cybercrime





U.S. Government Seizes Online Marketplaces Selling Fraudulent Identity Documents Used in Cybercrime Schemes  





Auchan announces that it has been the victim of “an act of cybercrime”, with “hundreds of thousands” of its customers’ data hacked  





Widespread Data Theft Targets Salesforce Instances via Salesloft Drift  





Storm-0501’s evolving techniques lead to cloud-based ransomware





Hacker used a voice phishing attack to steal Cisco customers’ personal information  





DSLRoot, Proxies, and the Threat of ‘Legal Botnets’  





Cyberattack against several municipal and regional systems





Infostealers: The Silent Smash-and-Grab Driving Modern Cybercrime   





Colt Technology Services gets ransomware’d via SharePoint initial access— some learning points    





Germany charges man over cyberattack on Rosneft subsidiary  





Ransomware gang takedowns causing explosion of new, smaller groups 





Citrix forgot to tell you CVE-2025-6543 has been used as a zero day since May 2025





Malware





The Resurgence of IoT Malware: Inside the Mirai-Based “Gayfemboy” Botnet Campaign





Your Connection, Their Cash: Threat Actors Misuse SDKs to Sell Your Bandwidth 





Android backdoor spies on employees of Russian business 





Tamperedchef – The Bad PDF Editor





AppSuite PDF Editor Backdoor: A Detailed Technical Analysis    





Malware devs abuse Anthropic’s Claude AI to build ransomware 





Hacking





Breaking Docker’s Isolation Using… Docker? (CVE-2025-9074)  





Vtenext 25.02: A three-way path to RCE 





Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775





Widespread Data Theft Targets Salesforce Instances via Salesloft Drift  





Cache Me If You Can (Sitecore Experience Platform Cache Poisoning to RCE) 





Inside the Lab-Dookhtegan Hack: How Iranian Ships Lost Their Voice at Sea  





WhatsApp Issues Emergency Update for Zero-Click Exploit Targeting iOS and macOS Devices





Intelligence and Information Warfare





APT36: Targets Indian BOSS Linux Systems with Weaponized AutoStart Files  





Deception in Depth: PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats  





ZipLine Campaign: A Sophisticated Phishing Attack Targeting US Companies 





Citizen Lab director warns cyber industry about US authoritarian descent





Dutch providers targeted by Salt Typhoon  





TAOTH Campaign Exploits End-of-Support Software to Target Traditional Chinese Users and Dissidents  





Biased AI chatbots can sway people’s political views in minutes  





Amazon disrupts watering hole campaign by Russia’s APT29 





Cybersecurity





2025 State of the Internet: Digging into Residential Proxy Infrastructure





Electronics manufacturer Data I/O reports ransomware attack to SEC    





FTC Calls on Tech Firms to Resist Foreign Anti-Encryption Demands  





ENISA to operate the EU Cyber Reserve 





Over 28,000 Citrix devices vulnerable to new exploited RCE flaw





Microsoft Releases Guidance on High-Severity Vulnerability (CVE-2025-53786) in Hybrid Exchange Deployments      





TransUnion says hackers stole 4.4 million customers’ personal information  










Pierluigi Paganini





(SecurityAffairs – hacking, newsletter)



Source: SecurityAffairs
Source Link: https://securityaffairs.com/181754/breaking-news/security-affairs-newsletter-round-539-by-pierluigi-paganini-international-edition.html

