Behind every security alert is a bigger story. Sometimes it's a system that has been tested. Sometimes it's trust that is lost in quiet ways: delays, strange behaviors, or subtle gaps in control.
This week we are looking across the whole surface to find what really matters. Whether it's a poorly designed control, hidden access, or a misuse that goes unnoticed, knowing where to look makes all the difference.
If you are responsible for protecting your systems, data, or people, these updates are not optional. They are essential. These stories reveal how attackers think, and where we still leave the door open.
⚡This Week's Threat
Google releases patch for actively exploited Chrome 0-day – Google has released Chrome version 137.0.7151.68/.69 for Windows and macOS, and version 137.0.7151.68 for Linux, to address an out-of-bounds read and write vulnerability in the V8 JavaScript and WebAssembly engine. Google credited Clément Lecigne and Benoît Sevens of Google Threat Analysis Group (TAG) with discovering and reporting the flaw on May 27, 2025. It is currently unknown how the flaw is being exploited, although the attacks are likely highly targeted in nature.
🔔Top News
- PathWiper used in attacks on Ukraine – An unnamed critical infrastructure entity within Ukraine was targeted by PathWiper, a previously unseen data wiper malware. It shares similarities with another wiper, codenamed HermeticWiper, used by the Russia-linked Sandworm hacking group. "It is likely that the attackers had access to the administrative console, which was then used to issue malicious commands and deploy PathWiper across connected endpoints," Cisco Talos said.
- BladedFeline targets Iraq with Whisper and Spearal malware – An Iran-aligned hacking group known as BladedFeline has been attributed to a new set of cyber attacks targeting Kurdish and Iraqi government officials in early 2024. The group, linked to Iran's Ministry of Intelligence and Security (MOIS), has been operational for over 10 years. The attacks leverage an as-yet-undetermined initial access vector to deliver backdoors such as Whisper (aka Veaty), Spearal, Optimizer, and more.
- Vishing group UNC6040 targets Salesforce using fake Data Loader app – A previously undocumented threat actor known as UNC6040 has been observed using Scattered Spider-style voice phishing to impersonate IT support and persuade employees to install a modified version of the Salesforce Data Loader app, giving the attackers unauthorized access to Salesforce data, which they then leverage to expand into and breach other targets of interest. The activity is said to overlap with the loose-knit cybercriminal collective known as The Com. Salesforce said the observed incidents rely primarily on end-user manipulation and do not involve exploitation of any security vulnerability in the platform.
- Chrome to distrust certs issued by Chunghwa Telecom and Netlock – Google's Chrome Security team has announced plans to distrust digital certificates issued by Chunghwa Telecom and Netlock, citing "patterns of concerning behavior observed over the past year." The change is expected to be introduced in Chrome 139, which is scheduled for release in early August 2025. "We have observed no tangible and measurable progress in response to compliance failures, unmet improvement commitments, and published incident reports," Google said. "When these factors are taken into account in aggregate, along with the inherent risks each publicly trusted CA brings to the Internet." It is worth noting that Apple has already moved to distrust the root CA certificate "NetLock Arany (Class Gold) Főtanúsítvány" as of November 15, 2024.
- Android trojan Crocodilus expands its focus beyond Spain and Türkiye – The emerging Android banking trojan called Crocodilus is quietly spreading to Android devices around the world via fake banking apps, phony browser updates, and malicious ads that promise fake rewards. While the early campaigns primarily targeted Android users in Türkiye, the malware has since appeared on devices in Poland, Spain, South America, and Asia, showing a sharp increase in both its reach and sophistication. The malware includes the ability to create new contacts in the victim's address book, opening the door to social engineering, and the ability to automatically harvest cryptocurrency wallet seed phrases from infected Android devices. Crocodilus is the latest reminder that, despite Google constantly adding a steady stream of new security features to combat the rising tide of malware facing the ecosystem, malware continues to circumvent Google's defenses and find new ways to infect Android devices. In a report last week, Intel 471 highlighted an increase in Android malware featuring hidden virtual network computing (HVNC), keylogging, and remote control capabilities, alongside a decline in web injects. "While web injection remains at a moderate level, keyloggers leveraging Android's accessibility services are becoming increasingly common for harvesting sensitive data," the company said. "Once this information is collected, malware operators often deploy HVNC to reconstruct the screens of infected devices on the server side, providing a real-time view of victim activity." This spike is also complemented by an increasing number of malware strains that can bypass the Android 13 accessibility restrictions for sideloaded apps.
📈Trending CVEs
Attackers love software vulnerabilities – they are easy doors into your systems. Every week brings fresh flaws, and waiting too long to patch can turn a minor oversight into a major breach. Below are some important vulnerabilities you should know about this week. Take a look, update your software quickly, and keep attackers locked out.
This week's list includes CVE-2025-20286 (Cisco Identity Services Engine), CVE-2025-49113 (Roundcube), CVE-2025-5419 (Google Chrome), CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 (Qualcomm), CVE-2025-37093 (StoreOnce), CVE-2025-48866 (ModSecurity WAF), CVE-2025-25022 (IBM QRadar Suite), CVE-2025-22243 (VMware NSX Manager), CVE-2025-24364, CVE-2025-24365 (Vaultwarden), and CVE-2024-24329 (PowerScale OneFS).
🌐Around the Cyber World
- SentinelOne blames outage on software flaw – American cybersecurity company SentinelOne revealed that a massive outage on May 29, 2025, lasting around seven hours, was caused by a software flaw that removed network routes and DNS resolver rules. The company described the outage as a global service disruption that affected services for multiple customers. "During this period, customer endpoints remained protected, but security teams were unable to access the management console or related services, which had a significant impact on their ability to manage security operations and access critical data," it said. It added that the underlying cause was "a software flaw in the infrastructure control system that removed critical network routes, causing widespread loss of network connectivity within the SentinelOne platform."
- Nine Chinese nationals jailed in Nigeria for cybercrime syndicate role – The Federal High Court of Nigeria has convicted nine Chinese citizens, each sentenced to a year in prison for their role in a cybercrime syndicate that allegedly trained and recruited people to commit online fraud such as romance-baiting scams. The individuals were arrested in December 2024 as part of an operation called Eagle Flush, which resulted in the arrest of 599 Nigerians and 193 other foreigners. In February 2025, several Chinese and Filipino nationals were charged with cyberterrorism, possession of documents containing false pretenses, and identity theft. They are said to be among the 792 suspected cryptocurrency investment and romance fraudsters arrested in December 2024. China's ambassador to Nigeria, Yu Dunhai, has been working with state law enforcement to send a working group to Nigeria to help dismantle the Chinese cybercrime rings involved in telecom fraud. "We can assure you (…) that we have zero tolerance for this type of crime. The Chinese government has always been committed to countering cybercrime and wire fraud," Dunhai said.
- Fake airdrops target Hedera Hashgraph network users – The US Federal Bureau of Investigation (FBI) has warned that scammers are targeting Hedera Hashgraph network users through the NFT airdrop functionality embedded in non-custodial wallets, using free rewards as lures to steal cryptocurrency. "Hedera Hashgraph is a distributed ledger used by Hedera. The airdrop feature was originally created for marketing purposes by the Hedera Hashgraph network. However, cybercriminals can use this tactic to collect victim data and steal cryptocurrency," the FBI said. The agency also noted that cybercriminals could promote malicious phishing URLs for fraudulent NFT airdrop reward tokens through social media or third-party websites. Alternatively, threat actors can send an email with a booby-trapped link that asks the victim to enter their credentials in order to claim the free tokens. Doing so allows the attackers to gain unauthorized access to the wallet and drain its funds.
- Threat actors steal WordPress administrator credentials using fake caching plugin – Bad actors have been observed leveraging a fake WordPress caching plugin named WP-Runtime-Cache to harvest administrator credentials and exfiltrate them to an external server ("WooCommerce-Check(.)com"). It is currently unclear how the attackers compromised the site, but typical methods include exploitation of known security flaws in plugins and themes, or stolen administrator credentials (which is unlikely for this attack, since those credentials are exfiltrated by the attacker only after infection). "As demonstrated here, it can be very easy to hide malicious activity once an attacker has access to the site," Sucuri said. "This attack underscores the importance of auditing the plugins and users on your site and keeping admin passwords updated."
- Chinese hackers breached US telecom company in summer 2023 – Chinese hackers broke into the systems of an unnamed US telecommunications company in the summer of 2023 and remained there for seven months before the breach was discovered, Bloomberg reported. The intrusion has been attributed to Salt Typhoon, which drew attention late last year for its targeting of US telecommunications companies. The incident shows that Chinese attackers infiltrated US communications systems earlier than was publicly known. China has denied the allegations and urged the parties involved to "stop spreading any kind of disinformation about the so-called Chinese hacking threat."
- German data protection watchdog fines Vodafone – The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) has imposed two fines totaling 45 million euros ($51.4 million) on Vodafone for privacy and security violations. "There were cases of fraud involving fictitious contracts or contract changes at the expense of customers, carried out by malicious employees of partner agencies that broker contracts on behalf of Vodafone," the BfDI said. Of the 45 million euro penalty, 30 million euros was levied for security issues in the authentication process for MeinVodafone ("My Vodafone") and the Vodafone hotline. "The identified authentication vulnerabilities allowed, among other things, unauthorized third parties to access eSIM profiles," the authority said. Vodafone has updated its systems to mitigate such risks in the future, the BfDI added.
- NSO Group appeals $168 million WhatsApp damages award – Spyware vendor NSO Group has appealed the jury's decision ordering it to pay WhatsApp approximately $168 million in damages, arguing that the award is unlawful. The ruling came more than five years after a lawsuit was filed over NSO Group's role in facilitating government spying on 1,400 mobile devices belonging to journalists, human rights activists, and political dissidents. According to NSO Group, WhatsApp should be awarded no more than $1.77 million. "The most plausible explanation for the strangely specific amount of the punitive damages award is that the jury chose that amount in an attempt to bankrupt NSO," the Israeli company's filing states. "The jury's award approaches wiping out all of NSO's current assets."
- Mozilla debuts new system to flag cryptocurrency-draining add-ons – Mozilla has developed an "early detection system" to detect and block fraudulent crypto wallet extensions before they gain popularity among users, noting that such add-ons are used to steal users' assets by tricking them into entering their credentials. "The initial defense layer includes an automated indicator that determines the risk profile of wallet extensions submitted to AMO (addons.mozilla.org)," Mozilla said. "When wallet extensions reach a certain risk threshold, human reviewers are alerted to look deeper. If they are found to be malicious, the fraudulent extensions are blocked immediately."
- iPhone zero-click campaign targets users in Europe and the US – Mobile security company iVerify has revealed that it discovered evidence of unusual activity on iPhones belonging to political campaigns, media organizations, AI companies, and government-affiliated individuals operating in the European Union and the US. It said it detected "extremely rare crashes" traditionally associated with sophisticated zero-click attacks via iMessage, performing post-exploitation actions using a previously undocumented vulnerability in the "imagent" process. The vulnerability has been codenamed NICKNAME. The issue, observed in iOS versions up to 18.1.1, was patched in version 18.3.1, released in January 2025. "This bug involves a race condition in how the iOS process updates nicknames." The flaw is said to have been exploited in a targeted attack as recently as March 2025, prompting Apple to send a threat notification to at least one device, belonging to a senior EU official, on which the crash was observed. In total, six devices are believed to have been targeted by unknown threat actors, two of which showed "clear signs of successful exploitation." What is noteworthy about the activity is that all identified victims had previously been targeted by the China-linked Salt Typhoon hacking group. In a statement shared with Axios, Apple acknowledged the fix but disputed that the bug was used in a malicious context, describing it as "a conventional software bug identified and fixed in iOS 18.3" and stating that it is "not currently aware of any credible indication that the bug points to an exploitation attempt or active attack."
- South Korea targeted by ViperSoftX to steal crypto – Threat hunters have disclosed a new malware campaign that uses cracked software and key generators as lures to distribute the known stealer malware ViperSoftX, alongside other malware families such as Quasar RAT, PureCrypter, PureHVNC, and a cryptocurrency clipper. "The ViperSoftX threat actors install various PowerShell scripts on infected systems and use them to download additional payloads," AhnLab said. "This allows them to receive commands from the threat actors and carry out a variety of malicious actions."
- US State Department offers $10 million for information on RedLine developer – The US State Department announced a reward of up to $10 million for information on individuals linked to the RedLine information stealer, which was hit by a law enforcement crackdown in October 2024. Rudometov was charged last year for his role as a developer and for marketing the malware-as-a-service (MaaS) on underground forums such as Russian Market. He is also known by the aliases "Dendimirror", "Alinchok", "Ghackihg", "Makc1901", "navi_ghacking", and "bloodzz.fenix". Rudometov is believed to have fled the Luhansk region of Ukraine following Russia's invasion. The development comes weeks after the disruption last month of another notorious information stealer, Lumma, by law enforcement and private companies. According to ReliaQuest, Lumma accounted for almost 92% of Russian Market's credential log alerts in the fourth quarter of 2024, ahead of its peers RedLine, Stealc, Raccoon, Vidar, RisePro, and a new stealer called Acreed. "In the first quarter of 2025, it ranked second only to the giant Lumma, surpassing all established infostealers in terms of Russian Market alert attribution," the company said. "Since the law enforcement takedown in mid-May 2025, Acreed is well positioned to gain traction quickly as cybercriminals seek alternatives."
- Apple said to have given governments data on thousands of push notifications – Apple has provided governments around the world with data related to thousands of push notifications sent to devices, according to a report published by 404 Media. The data offers the first concrete figures for the number of requests governments worldwide are making for push notification data from Apple (and Google). The practice first came to light in late 2023, when Sen. Ron Wyden wrote to the US Department of Justice demanding more transparency. "The data these two companies receive includes metadata, detailing which app received a notification and when, as well as the phone and associated Apple or Google account to which the notification was intended to be delivered," the letter reads. "In certain instances, they might also receive unencrypted content, which could range from backend directives for the app to the actual text displayed to the user in an app notification."
- China accuses Taiwan of running five APT groups with US support – China's National Computer Virus Emergency Response Center (CVERC) has accused five Advanced Persistent Threat (APT) groups allegedly linked to Taiwan's Democratic Progressive Party (DPP) of carrying out cyber espionage attacks against government and public service entities, research institutions, defense technology companies, and foreign affairs and science-related bodies located in mainland China. "Their main goal is to steal and sell important foreign policy, defense technology, cutting-edge scientific achievements, and economic data, including anti-China military data overseas," CVERC claimed in a report titled Operation Futile. "They disrupt the social order and even try to cause chaos." The groups, said to be overseen by Taiwan's Information, Communications and Electronic Force Command (ICEFCOM), include APT-C-01 (aka Poison Vine or GreenSpot), APT-C-62 (aka Viola Tricolor), APT-C-64 (aka Anonymous 64), APT-C-65 (aka Neon Pothos), and APT-C-67 (aka Neon Pothos). The report also claims that the APT-C-67 campaign is directed at gathering geographic intelligence, and that APT-C-01 has a "close relationship" with US Cyber Command and focuses on "hunt-forward" operations. The report coincided with China issuing warrants for 20 Taiwanese individuals it said had carried out hacking missions on the mainland on behalf of the island's ruling party.
- Colombian cybercriminals linked to vehicle insurance fraud – Cybercriminals from Colombia have been attributed to a fraud scheme that involves a network of over 100 fake websites designed to deceive users seeking mandatory vehicle accident insurance. The intent is to lend the sites a veneer of legitimacy, abuse users' trust, and convince them to pay to "activate" their insurance. The scheme uses Facebook ads that encourage users to engage with the threat actors over WhatsApp. "The scammers redirect them to fake websites disguised as legitimate car insurance providers," Group-IB said. "The site tricks users into entering the vehicle's registration number and starts a process that feels very authentic. The credibility of the fraud lies in verifying the vehicle's insurance status. If the insurance is still active, the site enhances its credibility as a legitimate service; if it has expired, the site displays accurate vehicle details, which would otherwise be nearly impossible." Threat actors are believed to extract the vehicle's status from public databases and government sites.
- German authorities dox TrickBot leader – Germany's Federal Criminal Police Office (aka Bundeskriminalamt or BKA) has named Russian national Vitaly Nikolaevich Kovalev as the founder and leader of the TrickBot (aka Wizard Spider) cybercrime gang. Kovalev was recently added to the EU's most wanted list in connection with law enforcement operations that have led to around 300 server takedowns and the neutralization of 650 domains worldwide. The development comes as a mysterious leaker called GangExposed revealed key figures behind the Conti and TrickBot ransomware crews, including Conti's lead negotiator, Arkady Valentinovich Bondarenko. In a statement to The Register, the leaker said the action was part of the "fight against an organized criminal society known around the world."

🎥Cybersecurity Webinar
- Hackers are hiding in trusted sites – learn to spot the attacks: Hackers aren't breaking in – they're blending in. In this live webinar, Zscaler's top threat hunters show how attackers hide inside trusted sites and tools. You'll hear real stories from the front line, learn which threats are trending right now, and get clear, practical tips for finding and stopping stealth attacks before they spread. If you're worried about what your security tools might be missing, don't miss this.
- Every AI agent has a secret identity. Learn how to find it before attackers do: AI agents are reshaping how businesses run, but behind every agent is a hidden identity risk. From service accounts to API keys, these non-human identities (NHIs) have deep access but are often uncontrolled and unmonitored. In this webinar, you'll uncover how attackers are targeting these invisible identities and learn practical steps to secure them before they become your biggest blind spot.
🔧Cybersecurity Tools
- InterceptSuite: A tool that intercepts and inspects encrypted traffic from any app, not just a web browser. Built to provide deeper visibility into TLS traffic across protocols, it gives security professionals the ability to analyze what traditional HTTP-only tools don't show.
- Malware Detection System: A multi-tiered system that uses static analysis, dynamic behavior monitoring, and threat intelligence APIs to detect malicious websites. It flags threats such as phishing, malware, obfuscated scripts, and hidden content for accurate real-time detection.
Disclaimer: These newly released tools are for educational use only and have not been fully audited. Use at your own risk – refer to the code, test it safely, and apply appropriate protection measures.
🔒Tip of the Week
Block malware tactics before they start – turn on ASR rules → Most modern malware doesn't rely on a traditional virus file. It runs quietly in the background, abusing trusted tools like Word, Excel, and PowerShell. Microsoft Defender's built-in Attack Surface Reduction (ASR) rules stop these attacks by blocking dangerous actions, such as macros launching scripts or unknown apps accessing sensitive parts of the system.
Here’s how to enable ASR protection in a few minutes:
Home and power users: Download ConfigureDefender, a safe and free tool that lets you enable all the important ASR rules with just a few clicks. Open the app, select the High or Max profile, and click "Apply Settings". That's it. Your system is now protected from many common malware techniques.
Advanced users or IT administrators: Use this PowerShell command to enable a key ASR rule:
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
This blocks Office applications from launching child processes, a common trick used in ransomware delivery.
ASR rules not only block known malware; they shut down entire categories of risky behavior. They are free, lightweight, and already built into Windows 10/11 Pro and Enterprise. Turning them on helps prevent threats that your antivirus alone may never catch.
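The procedure above, as an added PowerShell example that is not part of the newsletter: it stages the rule from the tip plus several other documented Defender ASR rules in audit mode, reads back what Defender reports, and lists the audit and block events from the Defender operational log so each rule can be reviewed before it is switched to block. It assumes Windows 10/11 Pro or Enterprise with Defender antivirus active and an elevated session; the rule names and GUIDs are Microsoft's documented ASR rule identifiers.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the newsletter: stage a set of Defender ASR rules in audit mode,
# read back what Defender reports, and review what the rules would have blocked before
# switching them to Enabled. Assumes Windows 10/11 Pro or Enterprise with Defender AV active
# and an elevated session. Rule GUIDs are Microsoft's documented ASR rule IDs; the first is
# the one used in the tip above.
param([ValidateSet('AuditMode', 'Enabled')] [string] $Mode = 'AuditMode', [int] $LookbackDays = 7)

$AsrRules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
}

function Set-AsrRules {
    param([Parameter(Mandatory)] [string[]] $Ids,
          [Parameter(Mandatory)] [ValidateSet('Disabled', 'Enabled', 'AuditMode', 'Warn')] [string] $Action)
    # Add-MpPreference merges into the existing rule list, pairing each ID with an action; it never
    # removes rules configured elsewhere, and Intune/Group Policy-managed settings take precedence.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Ids `
                     -AttackSurfaceReductionRules_Actions (@($Action) * $Ids.Count)
}

function Get-AsrRuleStatus {
    # Reads the configured rule set back; a rule Defender has never been told about is 'NotConfigured'.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_".ToUpperInvariant() })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $names   = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }
    foreach ($guid in $AsrRules.Keys) {
        $i = [array]::IndexOf($ids, $guid)
        $state = 'NotConfigured'
        if ($i -ge 0) { $state = $names[[int]$actions[$i]] }
        [pscustomobject]@{ RuleId = $guid; Rule = $AsrRules[$guid]; State = $state }
    }
}

function Get-AsrEvents {
    param([int] $Days = 7)
    # Defender logs event 1121 when a rule blocked an action and 1122 when an audit-mode rule
    # would have blocked it; the rule GUID is embedded in the event message.
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122
                 StartTime = (Get-Date).AddDays(-$Days) }
    $guidRx = '[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}'
    foreach ($ev in @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $m = [regex]::Match($ev.Message, $guidRx)
        $ruleId = 'unknown'; if ($m.Success) { $ruleId = $m.Value.ToUpperInvariant() }
        $mode = 'Audited';   if ($ev.Id -eq 1121) { $mode = 'Blocked' }
        [pscustomobject]@{ Time = $ev.TimeCreated; Mode = $mode; RuleId = $ruleId
                           Detail = ($ev.Message -split "`r?`n")[0] }
    }
}

# 1. Apply every rule in the requested mode (AuditMode by default).
Set-AsrRules -Ids @($AsrRules.Keys) -Action $Mode
# 2. Confirm what Defender actually reports, not just what was requested.
Get-AsrRuleStatus | Format-Table -AutoSize
# 3. Hits per rule over the lookback window; a rule that is noisy on legitimate software needs
#    an exclusion or more time in audit before it is switched to Enabled.
Get-AsrEvents -Days $LookbackDays | Group-Object RuleId | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Rule'; e = { $AsrRules[$_.Name] } } | Format-Table -AutoSize
```

Run it once with the default AuditMode, let normal work happen for a few days, rerun to review the per-rule counts, then rerun with -Mode Enabled. Settings managed by Intune or Group Policy override anything set locally with Add-MpPreference.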
Conclusion
This week's takeaway is a reminder: threats rarely knock – they slip in. A missed patch, an odd behavior, or a failed control is often one step away from something worse. If anything here hits close to home, don't delay the fix. The next breach is often an error left unchecked.