MSP cybersecurity news digest, June 24, 2025

Colombian users targeted through sophisticated Shadow Vector malware campaign

Recent Acronis research has highlighted the emergence of Shadow Vector, a sophisticated malware campaign targeting Colombian users through spear-phishing emails with malicious SVG files disguised as court notifications. These SVG decoys lead to stagers hosted on public platforms or ZIP files containing remote access trojans like AsyncRAT and Remcos RAT.

Acronis analysts noted the attackers' use of memory-resident loaders and image-based Base64 obfuscation, designed to evade detection and leave minimal forensic evidence. This mirrors trends seen in the broader SERPENTINE#CLOUD campaign, which abuses Cloudflare Tunnel infrastructure to deliver Python-based payloads via phishing chains using LNK files. While that campaign was detailed by other vendors, Acronis research uniquely points out evolving SVG smuggling tactics and potential cross-regional threat actor collaboration based on language traces and TTP overlaps. The use of platforms like Bitbucket and Discord for payload hosting further complicates detection, as legitimate services are weaponized for malicious ends.

Researchers emphasized that these multi-stage infection chains blend social engineering with stealthy, in-memory execution, which reinforces the urgency of layered defenses and continuous monitoring as adversaries shift from exploiting software flaws to exploiting user behavior and cloud-based infrastructure.

North Korean hacking group BlueNoroff duping employees in Zoom calls with deepfakes of company executives

North Korean hacking group BlueNoroff is using deepfake videos of company executives in Zoom calls to trick employees into installing macOS malware.

In a June 2025 incident, a tech firm employee was contacted on Telegram and lured into a fake Zoom meeting via a Calendly link. During the call, deepfakes impersonating leadership advised the victim to install a fake Zoom extension to fix microphone issues, which instead downloaded a malicious AppleScript. This script led to a multi-stage infection, starting with disabling bash history and installing Rosetta 2, then downloading payloads disguised as legitimate tools. Malware discovered included a fake Telegram updater, a remote-access backdoor, a loader, a surveillance tool and a cryptocurrency infostealer. The malware was cleverly signed, hidden and equipped with anti-forensic features.

Researchers found eight distinct malicious binaries during the incident, reflecting a highly structured and modular attack sequence.

Swiss firm Chain IQ and Australian MSP Vertel hit with separate ransomware incidents

Swiss procurement firm Chain IQ confirmed it was hit by a cyberattack, resulting in the theft and dark web publication of some customer data. The attack, claimed by the ransomware group Worldleaks, also affected 19 other companies and reportedly led to the exfiltration of 910 GB of data.

Chain IQ stated it contained the breach within 8 hours and 45 minutes, notified all stakeholders, and confirmed that no bank client data was stolen, though some client employee contact details were compromised. Affected companies include UBS, Pictet, Manor and Implenia, with UBS confirming exposure but assuring no client data was impacted. Experts warn that third-party suppliers remain a high-value target, with potential long-term risks even when immediate damage appears limited.

In a separate case, the Space Bears ransomware group has claimed responsibility for a cyberattack on Sydney-based managed service provider Vertel, listing the company on its leak site. The company provides ICT and telecommunications services to a wide range of clients from both the public and private sectors. The ransomware gang alleges it exfiltrated SQL databases, client personal data, and financial documents, threatening to publish the stolen data by the end of June. Vertel confirmed it began responding to the incident and has engaged cybersecurity firms to support its investigation. The company is also working with government authorities to determine the scope and nature of the breach, including whether sensitive data was accessed or stolen. Vertel stated that its services remain operational, and it will directly notify any impacted customers as the investigation progresses. Vertel serves major clients across public and private sectors, including the NSW government and Airservices Australia, heightening the potential impact of the breach.

Swedish automotive giant Scania and U.S.-based health care provider Episource hit in unrelated breaches

Automotive giant Scania, which employs over 59,000 people, reports annual revenue of $20.5 billion and sells over 100,000 vehicles a year, has confirmed a cybersecurity breach of its Financial Services systems: attackers used credentials stolen from an external IT partner to access and exfiltrate insurance claim documents.

The intrusion was likely enabled by infostealer malware that compromised a legitimate user account. Following the breach, the threat actors began extorting Scania employees using a ProtonMail address and later leaked samples of the stolen data on hacking forums. The compromised system, "insurance.scania.com," is no longer accessible, and an investigation is ongoing. Although the exact number of affected individuals remains unclear, the stolen documents may contain sensitive personal, financial, or medical information. Scania stated that the incident had limited impact and confirmed that privacy authorities have been notified.

In a separate case, a cyberattack on U.S.-based health care services company Episource led to a data breach that exposed the personal and health information of over 5.4 million individuals. Upon detecting suspicious activity, the company shut down its systems, launched an investigation with cybersecurity experts, and notified law enforcement. The compromised data varied by individual and included names, contact details, health insurance information, medical records, and, in limited cases, Social Security numbers or dates of birth. While no misuse of the data has been reported so far, affected individuals are advised to monitor their financial, health, and tax records.

Taiwanese users hit by a new Silver Fox APT phishing campaign using Gh0stCringe and HoldingHands RAT malware

Researchers have identified a new phishing campaign targeting users in Taiwan with malware strains like HoldingHands RAT and Gh0stCringe.

The operation, linked to the Silver Fox APT group, uses phishing emails that mimic official messages from Taiwan’s National Taxation Bureau and other entities to deliver infected PDFs or ZIP files. These attachments contain legitimate-looking executables, shellcode loaders, and encrypted payloads that initiate a multi-stage infection process. The malware uses DLL side-loading techniques, anti-VM tactics, and privilege escalation to avoid detection and ensure persistence. The final payload, "msgDb.dat," enables command-and-control (C2) functions, remote desktop access, and file operations. Researchers also observed Gh0stCringe being spread via PDFs that redirect users to malicious HTM download pages.

Silver Fox is further suspected of targeting Japanese and Taiwanese organizations with digitally signed fake salary notices, using stolen certificates. These attacks are crafted to evade traditional defenses and complicate malware analysis through runtime decryption and modular payloads.