Cyber Briefing: 2025.06.23
Spyware apps steal images, Prometei botnet resurges, Fortinet malware evades detection. Aflac, CoinMarketCap, Oxford breached. US braces for Iranian cyberattacks. AT&T settles, Cloudflare blocks DDoS.
👉 What's happening in cybersecurity today?
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
🚨 Cyber Alerts
1. Spyware in App Stores Steals Your Photos
A sophisticated new spyware campaign called SparkKitty has been discovered within malicious apps on both Apple's App Store and the Google Play Store. The malware infects both iOS and Android devices with the primary goal of stealing every single image from the victim's photo gallery. By stealing all images indiscriminately, the attackers hope to find sensitive financial information, particularly cryptocurrency wallet seed phrases. The campaign, which has been active since at least early 2024, primarily targets users in Southeast Asia and China through region-specific applications.
2. Prometei Botnet Attacks Servers for Crypto
Cybersecurity researchers have uncovered a significant resurgence of the Prometei botnet, a dual-threat malware targeting both Linux and Windows servers. The primary goals of the botnet are to hijack infected systems' resources for cryptocurrency mining and to simultaneously steal valuable credentials. The campaign leverages multiple attack vectors to spread, including brute-force attacks and the notorious EternalBlue software vulnerability. This latest version shows significant improvements in stealth and evasion techniques, making it much more challenging for security solutions to detect.
3. Stealth Malware Targets Fortinet Firewalls
The UK's National Cyber Security Centre issued a warning about a sophisticated malware campaign called UMBRELLA STAND that targets Fortinet firewalls. This malware is designed to gain long-term persistent access to compromised networks by exploiting vulnerabilities in the devices. It uses advanced techniques to avoid detection, including faking TLS communications and abusing legitimate system features to hide its own files. Once installed, UMBRELLA STAND provides attackers with full remote shell execution capabilities, allowing complete control over the network infrastructure.
💥 Cyber Incidents
4. Aflac Hacked in Spree on Insurance Firms
Insurance giant Aflac disclosed it suffered a cybersecurity breach after discovering suspicious activity on its network last week. The company stated the attack was stopped within hours and was part of a broader, sophisticated cybercrime campaign currently targeting the insurance industry. While an investigation is ongoing, Aflac acknowledged that sensitive personal information, including Social Security numbers and health data, may have been impacted. This incident follows similar recent hacks against other major firms like Erie Insurance and Philadelphia Insurance Companies.
5. CoinMarketCap Doodle Hack Steals Crypto
The popular cryptocurrency tracking site CoinMarketCap suffered a supply chain attack after hackers compromised its homepage last Friday. Threat actors exploited a vulnerability in the site's "doodle" image feature to inject a malicious script that prompted visitors to connect their crypto wallets. When users approved the fake connection, a wallet drainer script stole their assets from the connected wallets. The attackers, believed to be a French-speaking group, reportedly stole over $43,000 from 110 victims before CoinMarketCap removed the content.
6. UK’s Oxford Council Legacy Systems Breached
The UK's Oxford City Council has announced it suffered a data breach in which attackers accessed legacy systems and personally identifiable information. The investigation found that data belonging to current and former council officers, as well as election workers from 2001 to 2022, may have been compromised. While there is currently no evidence that the data has been shared or that citizen information was accessed, the incident caused a significant disruption to the council's ICT services. The council has begun notifying all potentially affected individuals and has reported the breach to the relevant authorities.
📢 Cyber News
7. US Expects Iranian Cyberattacks to Escalate
The U.S. is bracing for intensified cyberattacks from Iran following American air strikes on three Iranian nuclear sites. The Department of Homeland Security issued a bulletin warning that Iranian state-sponsored hackers and pro-Iran hacktivists will likely increase their attacks on U.S. networks in retaliation. Experts warn that these threats include both disruptive attacks on infrastructure and cyberespionage targeting individuals and organizations associated with U.S. policy on Iran. While the sophistication of Iranian cyber operations varies, they have previously included advanced phishing attacks and malware targeting critical infrastructure.
8. AT&T to Pay $177M for Massive Data Breach
A U.S. judge has granted preliminary approval to a $177 million settlement to resolve lawsuits against AT&T over multiple 2024 data breaches. These incidents exposed the personal information of tens of millions of current and former customers, including one case where a data set was released on the dark web. Under the deal, customers who suffered direct losses can claim up to $5,000, with remaining funds being distributed to others whose information was accessed. While agreeing to the settlement to avoid lengthy litigation, AT&T said it denies allegations that it was responsible for the criminal acts.
9. Cloudflare Blocks Record 7.3 Tbps DDoS
Cloudflare announced it autonomously blocked the largest distributed denial-of-service (DDoS) attack ever recorded, which peaked at 7.3 terabits per second in mid-May 2025. The attack targeted an unnamed hosting provider and delivered 37.4 terabytes of data in just 45 seconds, originating from over 122,000 IP addresses across 161 countries. While the attack was multi-faceted, it consisted almost entirely of a UDP flood designed to overwhelm the provider's infrastructure. Cloudflare's automated systems successfully mitigated the record-breaking flood without requiring human intervention by dispersing the traffic across its global network.
📈 Cyber Stocks
As U.S. markets open on Monday, June 23, 2025, key pure-play cybersecurity stocks are showing mixed performance amid sector rotation and broader tech caution:
Varonis (VRNS): Trading at $48.98, down 1.47%, as the stock pulls back slightly after recent gains. Analyst sentiment remains moderately bullish, with an average price target near $55.
Okta (OKTA): Trading at $99.42, up 0.39%, showing resilience following a strong Q1 earnings report in late May. Analysts maintain a consensus target around $121.
CrowdStrike (CRWD): Trading at $476.30, down 1.80%, continuing a mild retreat after recent highs. Long-term growth prospects remain strong, supported by analyst confidence.
Palo Alto Networks (PANW): Trading at $199.24, down 0.26%, easing slightly amid a broader tech slowdown. Momentum remains positive thanks to its expanding AI-driven security portfolio.
Qualys (QLYS): Trading at $135.73, down 1.11%, pulling back after a recent rally. Despite the dip, technical indicators remain favorable following strong Q1 results.
💡 Cyber Tip
Watch Out as SparkKitty Spyware Steals Photos to Hunt Crypto Keys
A stealthy new spyware campaign known as SparkKitty has been discovered hiding inside malicious apps on both the Apple App Store and Google Play. Once installed, the malware silently uploads your entire photo gallery in search of sensitive information, particularly cryptocurrency wallet seed phrases captured in screenshots or stored images. Unlike earlier malware, SparkKitty targets both iOS and Android devices through region-specific apps, often disguised as games or modified versions of popular social media platforms.
✅ What you should do:
Delete apps you no longer use, especially those not developed by trusted or well-known publishers.
Avoid sideloading apps or installing modded versions of legitimate applications.
Regularly review app permissions, especially those with access to your photos or file storage.
Use your device’s security settings to limit which apps can access your photo gallery.
Install a reputable mobile security app that can detect spyware, even if it's distributed through official app stores.
🔒 Why this matters:
SparkKitty shows that even trusted app stores can host dangerous spyware. Once your photos are stolen, attackers may extract highly sensitive information, such as financial details, without your knowledge. In today’s threat landscape, securing your photo gallery is just as important as protecting your passwords.
📚 Cyber Book
Cybersecurity Essentials for Legal Professionals: Protecting Client Confidentiality by Eric N. Peterson
That concludes today's briefing.
Copyright © 2025 CyberMaterial. All Rights Reserved.