MSP cybersecurity news digest, June 9, 2025

FBI reports 900 organizations in the Americas and Europe hit by Play ransomware since October 2023


As of May 2025, the FBI reports that the Play ransomware gang has compromised around 900 organizations, tripling its victim count since October 2023 and impacting critical infrastructure across the Americas and Europe. CISA, in collaboration with the FBI and the Australian Cyber Security Centre, has issued a joint 'Stop Ransomware' advisory to raise awareness and provide guidance on mitigating Play ransomware attacks.

Play operators use recompiled malware in each attack to bypass detection and often contact victims directly by phone, threatening to leak stolen data unless ransom demands are met. Since early 2025, affiliates linked to Play have exploited multiple vulnerabilities (CVE-2024-57726, -57727, and -57728) in remote monitoring tools to gain initial access, notably using backdoors like Sliver in SimpleHelp RMM. The group, active since June 2022, steals data before encryption and pressures victims via email, avoiding traditional Tor-based negotiation portals.

Notable targets have included Rackspace, Krispy Kreme, Microchip Technology and several major cities and corporations. The FBI, CISA and Australian Cyber Security Centre urge organizations to patch vulnerabilities, enforce MFA, maintain offline backups and test recovery plans to defend against Play’s tactics.


Cross-platform remote access trojan, Chaos RAT, has been targeting Windows and Linux systems


Researchers are warning about a new variant of Chaos RAT, a cross-platform remote access trojan targeting both Windows and Linux systems.

According to Acronis researchers, attackers may be disguising the malware as a Linux network troubleshooting utility to trick users into downloading it. Written in Golang and inspired by frameworks like Cobalt Strike and Sliver, Chaos RAT allows attackers to build payloads, control infected machines, and perform a range of malicious actions such as launching reverse shells, stealing data, or restarting systems. Early versions were used in campaigns that also deployed cryptocurrency miners via phishing emails, with persistence achieved by modifying the Linux task scheduler. A recent sample named “NetworkAnalyzer.tar.gz” suggests active distribution tactics targeting Linux users, particularly in India.

Researchers also discovered that the Chaos RAT admin panel was vulnerable to command injection and cross-site scripting (CVE-2024-30850 and CVE-2024-31839), though both flaws were patched in May 2024. The campaign reflects a broader trend where open-source tools are abused by threat actors to complicate attribution and blend into common cybercrime activity.


NetSupport malware spread via malicious PowerShell scripts through fake DocuSign, Gitcode sites


Researchers have uncovered a new campaign using fake websites — posing as Gitcode and DocuSign — to lure users into executing malicious PowerShell scripts that install NetSupport RAT malware.

The reports reveal that these multi-stage downloader scripts are hosted on deceptive sites, with users tricked into running commands via the Windows Run dialog. The initial script downloads successive PowerShell stages, eventually delivering NetSupport RAT from an external server like tradingviewtool[.]com. Some fake DocuSign sites also use fake CAPTCHA checks to secretly copy malicious code to a victim's clipboard, a tactic known as clipboard poisoning. Executing this code sets up persistence through a GitHub-hosted script and downloads a final ZIP payload that runs a hidden executable.

While attribution remains unclear, the infrastructure and techniques resemble the SocGholish campaign, and the abuse of the legitimate NetSupport Manager tool aligns with tactics used by groups like FIN7 and Storm-0408.


Google issues out-of-band update to fix three Chrome security flaws, including a high-severity zero-day vulnerability


Google has released an emergency out-of-band update to fix three Chrome security flaws, including CVE-2025-5419, a high-severity zero-day currently being actively exploited.

The vulnerability, with a CVSS score of 8.8, affects the V8 JavaScript and WebAssembly engine and can lead to heap corruption via a crafted HTML page. Discovered by researchers, the flaw was patched just one day after being reported on May 27, 2025. Details on the exploitation and threat actors remain undisclosed to allow users time to update.

This marks the second actively exploited Chrome zero-day patched by Google in 2025. Users are urged to upgrade to Chrome version 137.0.7151.68/.69, and those using Chromium-based browsers like Edge, Brave and Opera should apply updates as they become available.


CFOs and finance execs across six global regions targeted by fake recruiter emails using legit NetBird RAT


A sophisticated spear-phishing campaign is targeting CFOs and finance executives across six global regions using NetBird, a legitimate remote access tool (RAT).

The attack starts with fake recruiter emails impersonating Rothschild & Co., leading victims to a phishing link disguised as a PDF attachment. After solving a CAPTCHA puzzle, victims are redirected to download a ZIP archive containing VBScript files that install NetBird and OpenSSH, create hidden accounts and enable persistent remote access. Researchers noted that attackers increasingly use legitimate remote access tools like Atera and ConnectWise to evade detection and maintain long-term access.

This campaign is part of a broader rise in phishing-as-a-service (PhaaS) operations, such as Tycoon 2FA and Haozi, which automate and simplify phishing for less-skilled actors. These kits offer subscription-based services with support, dashboards and advertising, mimicking SaaS business models. Researchers warn that as MFA adoption grows, attackers are shifting to more deceptive social engineering methods like OAuth consent and device join phishing.