Darkwire Weekly – Issue #5
Your No-Fluff Cybersecurity & Privacy Brief - Week of June 16, 2025

🚨 Top 3 Threats This Week
State Hackers Breach Washington Post Emails: The Washington Post revealed that several journalists’ Microsoft email accounts were compromised in a targeted cyberattack believed to be state-sponsored. An internal memo on June 15 warned staff of a “possible targeted unauthorized intrusion” after the breach, likely linked to China, was discovered. (🔗 source)
Chinese APTs Exploit SAP Software at Scale: Security researchers exposed a Chinese nation-state campaign exploiting a zero-day (CVE-2025-31324) in SAP NetWeaver (enterprise software) to remotely backdoor critical infrastructure systems worldwide. Using an unauthenticated file upload RCE flaw, Chinese hacking groups breached 581 SAP servers across energy, utility, manufacturing, and government networks, implanting web shell backdoors for persistent access. At least three Chinese APT clusters (UNC5221, UNC5174, etc.) are leveraging this and similar bugs to conduct espionage and maintain footholds. (🔗 source)
Russian Phishing Ops Hijack Researcher’s Email: Noted Russia expert Keir Giles warned that hackers impersonating the U.S. State Department gained access to several of his email accounts via a sophisticated phishing attack. The attackers likely obtained past correspondence and contacts, prompting him to alert colleagues that stolen emails could surface in future “hack-and-leak” operations. Analyses by Secureworks and Mandiant attribute the activity to a Russian state-backed group (FSB Center 18) known as Iron Frontier/Calisto (aka “ColdRiver”), which frequently spear-phishes Western academics and officials. (🔗 source)
🛡️ Dark Web Watch
Major Drug Market “Archetyp” Taken Down: An international law enforcement operation dismantled the Archetyp dark web marketplace, a long-running site for drug trafficking. Between June 11-13, police from Germany, the Netherlands, Romania, Spain, and Sweden seized Archetyp’s infrastructure and arrested the site’s 30-year-old German administrator in Spain. Archetyp had 600,000+ users and facilitated €250+ million in sales, even openly selling fentanyl. Authorities seized assets worth €7.8M and shut down all Archetyp domains, which now display seizure banners. This bust (code-named Operation “Deep Sentinel”) delivers a major blow to one of the dark web’s largest drug markets. (🔗 source)
10K Mac Cloud Users’ Data Leaked on Forum: Hackers leaked a database purportedly from VirtualMacOSX (a Mac-in-cloud service) containing 10,000 customers’ personal details. The dump – posted free on a cybercrime forum – exposed names, emails, physical addresses, phone numbers, and even password reset keys and bank info for users worldwide. The leak was discovered by researchers, who verified the files appeared genuine and likely came from a June 2024 breach. Anyone using VirtualMacOSX is urged to change passwords and monitor financial accounts, as such PII exposure heightens risks of account takeover and fraud. (🔗 source)
Recent CVEs You Should Know
WebDAV Zero‑Day (CVE-2025-33053) – Patched: Microsoft’s June Patch Tuesday fixed a critical WebDAV vulnerability under active exploitation. The bug allows remote code execution when a user is tricked into opening a malicious WebDAV URL. A stealthy APT known as “Stealth Falcon” (linked to the UAE) was exploiting this flaw in espionage attacks to drop custom malware. CISA added CVE-2025-33053 to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch by July 1. Apply the latest Windows updates to block this threat, as more attackers could adopt the exploit now that details are public. (🔗 source)
Chrome V8 0‑Day (CVE-2025-5419) – Update Browser: Google pushed an emergency Chrome update after discovering a high-severity 0-day in the V8 JavaScript engine being exploited in the wild. The flaw is an out-of-bounds read/write in Chrome’s JS engine, and it’s the third Chrome zero-day this year. Google quickly mitigated the issue via a server-side change and released Chrome version 137.0.7151.68/.69 for all platforms with a permanent fix. Check that your Chrome is up-to-date, or manually trigger an update via Help → About Google Chrome and restart the browser. Given active attacks, it’s crucial to patch ASAP. (🔗 source)
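For teams checking fleets rather than a single browser, here is an added example (not from the newsletter or from Google) that compares an installed Chrome build against the 137.0.7151.68 fix numerically, since a plain string comparison would wrongly rank 137.0.7151.100 below 137.0.7151.68; the binary names it probes are assumptions for Linux/macOS hosts.

```python
"""Check whether a Chrome version string is at or past the build that fixed CVE-2025-5419."""
import re
import shutil
import subprocess

# Lowest fixed build named in the advisory summarized above (.69 is the Windows/Mac sibling).
FIXED_VERSION = "137.0.7151.68"


def parse_version(text):
    """Pull a four-part Chrome version out of text such as 'Google Chrome 137.0.7151.69'
    and return it as a tuple of ints so comparisons are numeric, not lexical."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no Chrome version found in: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(version_text, fixed=FIXED_VERSION):
    """True when the version found in version_text is >= the fixed build."""
    return parse_version(version_text) >= parse_version(fixed)


def installed_chrome_version():
    """Ask a locally installed Chrome/Chromium for its version string, or return None.
    Assumption: these binary names cover common Linux/macOS installs; Windows hosts
    would instead read the version from the registry or chrome.exe file properties."""
    for name in ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser"):
        path = shutil.which(name)
        if path:
            out = subprocess.run([path, "--version"], capture_output=True, text=True, timeout=10)
            return out.stdout.strip()
    return None


if __name__ == "__main__":
    version = installed_chrome_version()
    if version is None:
        print("Chrome not found on PATH; verify via Help -> About Google Chrome")
    else:
        state = "patched" if is_patched(version) else "VULNERABLE - update and restart Chrome"
        print(f"{version}: {state}")
```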
🛠️ Tools & Resources
MDEAutomator – Automating Defender at Scale: MDEAutomator is a new open-source tool that helps IT/security teams automate Microsoft Defender for Endpoint tasks. This serverless PowerShell-based solution uses Azure Functions and custom scripts to bulk-deploy Defender, run live response actions, push IOC threat indicators, and more – without managing additional infrastructure. It’s modular and even supports multi-tenant environments (useful for MSSPs). The project is free on GitHub for teams looking to streamline their Defender workflows. (🔗 source)
Kali Linux 2025.2 Released: Offensive Security rolled out Kali Linux 2025.2, the latest version of the popular pentest distro. This update brings a revamped menu organized by MITRE ATT&CK tactics (making it easier to discover tools by technique), plus upgrades like BloodHound Community Edition (for AD attack path mapping) and an improved CARsenal car-hacking toolkit. Kali 2025.2 also adds 13 new tools – from AzureHound (Azure AD recon) to binwalk3 (firmware analysis) and GitXray (OSINT for GitHub). Whether you’re a red-teamer or blue-teamer, it’s worth updating Kali to get the latest tools and enhancements. (🔗 source)
📚 Quick Bytes
T‑Mobile Breach Claim Debunked: Hackers on a dark web forum posted a cache of 64 million supposed T-Mobile customer records, including names, DOB, SSNs, and more. T-Mobile quickly denied any breach, saying the leaked data “does not relate to T-Mobile or our customers”. Cyber analysts couldn’t verify the dump’s authenticity (some bits resemble older leaks). If real, such a trove would be a goldmine for fraud and phishing – but for now, it appears to be either recycled data or a hoax. (🔗 source)
FIN6 Phishing HR with Fake Résumés: The FIN6 cybercriminal group (known for targeting payment systems) has shifted tactics to social engineering – impersonating job seekers to compromise recruiters’ PCs. Posing as applicants, FIN6 sends convincing résumé files or links to spoofed hiring sites that drop backdoor malware on HR staff machines. This twist on recruitment scams is catching companies off guard. HR teams should be wary of unsolicited attachments or “applicants” urging them to open files, and should isolate recruiting PCs or use cloud-based document viewers to reduce risk. (🔗 source)
Global Infostealer Ring Busted: An Interpol-led operation (“Operation Secure”) took down major info-stealer malware networks across 25+ countries. Authorities seized 40+ servers, 20,000+ malicious domains, and arrested 32 suspects in Asia (18 in Vietnam, 14 in Sri Lanka and Nauru) tied to credential-stealing malware rings. Over 216,000 victims were identified and notified during the crackdown. Infostealer malware, which siphons passwords and data from infected PCs, remains rampant – but this sweep shows global law enforcement is actively targeting the criminals behind it. (🔗 source)
👀 Privacy Tip of the Week
Prune Your Mobile Apps (and Their Permissions). Take a few minutes to review the apps on your smartphone – and delete any you no longer use. Each installed app is a potential data siphon (or security hole), so less is more. For the apps you keep, check what permissions they have (location, camera, contacts, etc.) and revoke anything that isn’t necessary. Many apps over-request access out of convenience or for ad tracking. By culling unused apps and limiting permissions for the rest, you significantly reduce how much of your personal info is exposed. Remember: your phone should only share what you want it to.
👋 Stay sharp,
– The Darkwire Weekly Team
darkwireweekly.com