Security news weekly round-up – 4th July 2025


This content originally appeared on DEV Community and was authored by Habdul Hazeez

It's another week, and here we are again, about to review the top cybersecurity news about threats that you and I should know. I don't mean to bore you when I say that we will be reviewing articles about the prevailing threats we have mostly talked about: malware, vulnerabilities, and the social engineering attack, phishing.

Actively exploited vulnerability gives extraordinary control over server fleets

There are two devastating consequences of attackers exploiting this vulnerability:

  • Full server takeover and malware deployment: The vulnerability allows unauthenticated remote control of exposed BMC units.
  • Hardware destruction and service disruption: Attackers can initiate malicious firmware tampering, triggering scenarios like over-voltage, BIOS/UEFI corruption, and permanent "bricking" of motherboards.

With the vulnerability and its potential impact detailed above, who are the possible culprits? The excerpt below offers some possibilities:

With no publicly known details of the ongoing attacks, it's unclear which groups may be behind them. Eclypsium said the most likely culprits would be espionage groups working on behalf of the Chinese government. All five of the specific APT groups Eclypsium named have a history of exploiting firmware vulnerabilities or gaining persistent access to high-value targets.

New Flaw in IDEs Like Visual Studio Code Lets Malicious Extensions Bypass Verified Status

The lesson here is this: be wary of trusting extensions outside of the Visual Studio Code marketplace.

Here is why:

From a security standpoint, this is a classic case of extension sideloading abuse, where bad actors distribute plugins outside the official marketplace. Without proper code signing enforcement or trusted publisher verification, even legitimate-looking extensions can hide dangerous scripts.

In a proof-of-concept (PoC) demonstrated by the cybersecurity company, the extension was configured to open the Calculator app on a Windows machine, thereby highlighting its ability to execute commands on the underlying host.

Hackers Using PDFs to Impersonate Microsoft, DocuSign, and More in Callback Phishing Campaigns

Attackers often impersonate trusted brands because it increases their chances of a successful attack. That's why it's good to stay updated on the latest cybersecurity news and, if you are an organization, to educate your employees.

From the article:

In one phishing email sent on June 17, 2025, the message body resembled a voicemail notification and included a PDF attachment that contained a QR code directing the recipients to a Microsoft 365 credentials harvesting page.

"In many of their initial access attempts, the threat actor utilized M365 Direct Send functionality to target an individual organization with phishing messages that were subject to less scrutiny compared to standard inbound email,"

NimDoor crypto-theft macOS malware revives itself when killed

When you hear the phrase "I am not going anywhere", you should remember this malware. The analysis is complex. But the thing is this: it's a complex piece of malware linked to threat actors from N_h K_ea (I don't like mentioning country names).

The following is how users are infected and what researchers have said about the malware.

The attack chain involves contacting victims via Telegram and luring them into running a fake Zoom SDK update, delivered via Calendly and email.

The malware's modularity, which gives it flexibility, and the use of novel techniques like signal-based persistence indicate that [country_name_removed] operators evolve their toolkit to extend their cross-platform capabilities.

Vercel's v0 AI Tool Weaponized by Cybercriminals to Rapidly Create Fake Login Pages at Scale

I am not surprised. Not even one bit. In case you don't know, someone took this way out of line earlier this year (2025) by creating same[.]dev. But it didn't go so well, as reviewed by designer Tom Geoco on Threads.

From the article:

The threat actors behind the campaign have also been found to host other resources such as the impersonated company logos on Vercel's infrastructure.

The development comes as bad actors continue to leverage large language models (LLMs) to aid in their criminal activities, building uncensored versions of these models that are explicitly designed for illicit purposes.

Undetectable Android Spyware Backfires, Leaks 62,000 Users

They call themselves undetectable, but that does not mean they could not be compromised! Can you guess the flaw that led to the leak? Old-school SQL injection.

Here is what happened:

Catwatchful essentially functions as a powerful spyware, or stalkerware, as it runs in the background for real-time monitoring and hides its presence to prevent being uninstalled by the victim.

Looking into the spyware operation's inner workings, the security researcher discovered that it was prone to SQL injection attacks, such that it was possible to retrieve the Firebase database containing the personal information collected through the user dashboard.

Massive Android Fraud Operations Uncovered: IconAds, Kaleidoscope, SMS Malware, NFC Scams

In the end, it's all about the money. Attackers are willing to use any means necessary to make money online, even if they have to compromise users' mobile devices to achieve that. That's the common theme in all the identified fraud cases.

The result? Attackers make money by stealing it directly from the user or using their devices as a means to make illegal money.

The following is a quick summary of IconAds and Kaleidoscope. You can read more about the SMS malware and NFC scams in the article:

Some variants of IconAds apps have been found to impersonate the Google Play Store (or use other Google-related application icons and names) instead of concealing them.

Kaleidoscope is an evolution of Konfety. The essence of the operation is this: Cybercriminals create two nearly identical versions of the same app, a harmless "decoy twin" available on Google Play and an "evil twin" that's distributed through third-party app stores or fake websites.

The "evil twin" app then generates intrusive, unwanted ads to fraudulently earn advertising revenue.

Credits

Cover photo by Debby Hudson on Unsplash.

That's it for this week, and I'll see you next time.

