Cyber Briefing: 2025.06.19
Fake Minecraft mods and invoice lures spread malware, vishing bypasses Google 2FA, breaches hit UBS and Episource, Iran throttles internet in cyber war, and Ryuk hacker faces U.S. charges.
👉 What's happening in cybersecurity today?
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
🚨 Cyber Alerts
1. Fake Minecraft Mods On GitHub Spread Malware
A new multi-stage malware campaign is targeting Minecraft players by using a "distribution-as-a-service" operation called Stargazers Ghost Network to host malicious mods on GitHub. According to Check Point researchers, these fake mods and cheats trick users into running a Java-based loader that remains undetected by most antivirus engines. This loader initiates an infection chain that downloads a second-stage stealer to harvest Discord and Minecraft tokens before deploying a final, more comprehensive .NET infostealer. The final payload is capable of stealing a wide array of data, including browser credentials, cryptocurrency wallets, and Steam information, which is then exfiltrated via a Discord webhook.
2. Russian Vishing Scam Bypasses Google 2FA
A hacking group with suspected ties to Russia's APT29, tracked as UNC6293, is running a sophisticated voice phishing campaign targeting academics and critics of Russia by impersonating the U.S. Department of State. The threat actors use a patient, weeks-long social engineering approach to build rapport before tricking a target into creating a Google Application Specific Password (ASP) under the guise of secure communications. Once the victim shares this 16-digit ASP passcode, the attackers use it to gain persistent access to the user's Gmail account, effectively bypassing two-factor authentication for that mail client. This novel tactic, detailed by Google and Citizen Lab, shows how attackers are evolving to manipulate legitimate account features and exploit user trust to facilitate espionage.
3. Fake Invoices Deliver Sorillus RAT In Europe
A sophisticated malware campaign, dubbed "Ratty RAT," is targeting European organizations in countries like Spain, France, and Belgium with the Sorillus Remote Access Trojan. The attack uses invoice-themed phishing emails to lure victims into a multi-stage infection chain that leverages legitimate services like OneDrive and Ngrok to deliver the malware payload. Once executed, the cross-platform Sorillus RAT establishes persistence and gives attackers extensive capabilities, including keystroke logging, webcam recording, and file exfiltration. Despite the takedown of its original sales site, cracked versions of the malware remain widely available, with recent campaigns showing evidence suggesting they are operated by Brazilian-speaking threat actors.
💥 Cyber Incidents
4. UBS and Pictet Hit By Vendor Data Breach
Swiss banks UBS and Pictet have confirmed they suffered a data leak after a cyberattack on their shared IT and procurement subcontractor, Chain IQ, in Switzerland. Data concerning 130,000 UBS employees, including CEO Sergio Ermotti, is now reportedly available on the dark web, while tens of thousands of Pictet's supplier invoices were also stolen. Both banks insist that no customer data was affected and that they took immediate action to contain the incident after being notified by Chain IQ on June 13th. This major supply chain attack on a provider for high-profile financial firms highlights the growing cybersecurity vulnerabilities within complex corporate ecosystems.
5. Hacker Mints $27M From Meta Pool, Gets $132K
A hacker attacked the crypto protocol Meta Pool this week, exploiting a flaw in a smart contract to mint nearly $27 million worth of its mpETH liquid staking tokens. Despite the massive token minting, the attacker only managed to flee with approximately $132,000 worth of Ether, due to low liquidity in the swap pools and a quick response from the Meta Pool team. The exploit took advantage of a "fast unstake functionality," which security firm PeckShield noted contained a critical bug that allowed the unauthorized minting of the tokens. Meta Pool paused the affected contract to prevent further losses, assured users that all staked Ethereum is safe, and has promised to reimburse the lost assets and release a full post-mortem.
6. Cyberattack Disrupts Paris Air Show Website
The website for the International Air Show in Paris, France, was forced offline for fifteen minutes on its opening day, June 16th, following what authorities suspect was a cyberattack. According to a police source, the site received an "exceptional and abnormal number of connections," prompting the show's IT maintenance team to temporarily shut down the service. France's Brigade for the Fight against CyberCrime has now opened an investigation to determine the origin and motive behind the disruptive incident.
📢 Cyber News
7. Iran Slows Internet to Prevent Cyberattacks
Iran has severely disrupted its own internet access, with officials calling it a defensive measure against a "massive cyber war" amid escalating military and digital conflict with Israel. The shutdown follows cyberattacks claimed by a pro-Israel hacking group, "Predatory Sparrow," which targeted an Iranian bank and the Nobitex crypto exchange, resulting in the theft of over $81 million. As Iranian citizens face a near-total internet blackout, the government has urged them to delete WhatsApp, falsely alleging it is an Israeli spy tool, a claim the company denies. This digital conflict is unfolding alongside a renewed military conflict where both nations have recently traded missile strikes, marking a significant spillover into cyberspace.
8. Ryuk Ransomware's Access Enabler Extradited
A key member of the infamous Ryuk ransomware group, specializing in initial network access, has been successfully extradited from Ukraine to the United States. This 33-year-old foreign national, arrested in Kyiv in April 2025, faces charges from the FBI for his role in numerous cyberattacks.
9. Episource Data Breach Affects Over 5M Patients
Healthcare tech firm Episource experienced a data breach affecting over 5.4 million individuals, with hackers stealing sensitive information including Social Security numbers and medical records. This incident, discovered in early February, follows a similar breach at Episource in 2023 and comes after its acquisition by Optum, a subsidiary of UnitedHealth, which also suffered a major cybersecurity attack last year.
💡 Cyber Tip
Watch Out as Google App Password Trick Bypasses 2FA
A Russian-linked hacking group is targeting academics and government critics through a new voice phishing scam. After spending weeks building trust, they convince victims to create a Google App Password, a 16-digit code used for secure logins. Once the password is shared, it allows the attackers to bypass two-factor authentication and gain direct access to the victim's Gmail account.
✅ What you should do:
Never share your Google App Passwords with anyone, even if they claim to be from official entities like the U.S. State Department.
Treat requests for App Passwords with high suspicion, especially if they follow a lengthy back-and-forth that seems overly friendly or benign.
Verify urgent or sensitive requests by calling the organization directly using publicly listed contact methods.
Regularly review all active App Passwords in your Google Account settings and revoke any you didn't create yourself.
Enable advanced protections, such as Google's Advanced Protection Program, if you handle sensitive or high-risk information.
🔒 Why this matters:
This attack shows that even strong two-factor protection can be bypassed if attackers fool you into granting trust. Staying cautious with App Passwords is essential to keeping your account safe.
📚 Cyber Book
Cybersecurity for Small Businesses and Nonprofits by Jane LeClair, Denise Pheils, and Carolyn Schrader
That concludes today’s briefing.
Copyright © 2025 CyberMaterial. All Rights Reserved.