Cybersecurity News: CISA’s Commvault warning, updated Killnet returns, fake VPN malware

In today’s cybersecurity news…

CISA warns Commvault clients of campaign targeting cloud applications

The agency is warning that hackers are targeting cloud environments used by clients of data management firm Commvault. The company had previously disclosed a February data breach, revealed by Microsoft, involving a nation-state actor who accessed app credentials used by some Commvault customers to authenticate with Microsoft 365. CISA now reports ongoing cyber threat activity targeting Commvault’s applications hosted in Microsoft Azure. The agency believes this is part of a broader campaign aimed at exploiting software-as-a-service (SaaS) applications with default settings and elevated permissions. The attackers likely accessed “client secrets” (unique codes that link applications to servers), specifically targeting Commvault’s M365 backup solution, Metallic, raising concerns about widespread vulnerability.

(The Record)
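As an added defender-side check (example code, not from the article, CISA or Commvault), the script below audits an app-registration inventory for the two signals the advisory points at: client secrets that are expired or valid for too long, and application-level (“Role”) permissions that work with the secret alone, without any signed-in user. It assumes the input mirrors the field names of Microsoft Graph application objects; the sample inventory, the app names, the permission ids and the 180-day threshold are constructed.

```python
from datetime import datetime, timedelta, timezone

MAX_SECRET_LIFETIME = timedelta(days=180)  # assumed rotation policy, not a vendor default
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource appId
AS_OF = datetime(2025, 5, 27, tzinfo=timezone.utc)     # constructed audit date
# Constructed inventory mirroring Graph /applications fields; not real tenant data.
SAMPLE_APPS = [
    {"displayName": "backup-connector",
     "passwordCredentials": [
         {"displayName": "initial", "startDateTime": "2023-01-10T00:00:00Z",
          "endDateTime": "2025-01-10T00:00:00Z"},
         {"displayName": "renewed", "startDateTime": "2025-02-01T00:00:00Z",
          "endDateTime": "2027-02-01T00:00:00Z"}],
     "requiredResourceAccess": [
         {"resourceAppId": GRAPH_APP_ID,
          "resourceAccess": [{"id": "PLACEHOLDER-ROLE-ID", "type": "Role"}]}]},
    {"displayName": "reporting-dashboard",
     "passwordCredentials": [
         {"displayName": "q2", "startDateTime": "2025-04-01T00:00:00Z",
          "endDateTime": "2025-09-01T00:00:00Z"}],
     "requiredResourceAccess": [
         {"resourceAppId": GRAPH_APP_ID,
          "resourceAccess": [{"id": "PLACEHOLDER-SCOPE-ID", "type": "Scope"}]}]},
]

def _parse(ts: str) -> datetime:
    # Graph emits ISO-8601 with a trailing Z; fromisoformat needs an explicit offset
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def audit_app(app: dict, now: datetime) -> list:
    """Findings for one app registration: secret hygiene and elevated permissions."""
    findings = []
    for cred in app.get("passwordCredentials", []):
        start, end = _parse(cred["startDateTime"]), _parse(cred["endDateTime"])
        name = cred.get("displayName", "unnamed")
        if end < now:
            findings.append(f"expired secret '{name}' still attached")
        elif end - start > MAX_SECRET_LIFETIME:
            findings.append(f"secret '{name}' valid for {(end - start).days} days")
    for res in app.get("requiredResourceAccess", []):
        # "Role" = application permission: usable with only the client secret, no user
        roles = [a for a in res.get("resourceAccess", []) if a.get("type") == "Role"]
        if roles:
            target = "Microsoft Graph" if res["resourceAppId"] == GRAPH_APP_ID else res["resourceAppId"]
            findings.append(f"{len(roles)} application permission(s) on {target}")
    return findings

def audit(apps: list, now: datetime) -> dict:
    """Map app display name -> findings, omitting apps with none."""
    return {a["displayName"]: f for a in apps if (f := audit_app(a, now))}
```

Running `audit(SAMPLE_APPS, AS_OF)` flags only `backup-connector`; a real inventory would come from the tenant's application list exported to the same field names.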

Russian hacker group Killnet returns with slightly adjusted mandate

The Russian hacker group Killnet has resurfaced after months of inactivity, claiming to have hacked Ukraine’s drone-tracking system to aid Russian forces, a claim promoted by Russian media but unverified by independent sources. The timing coincides with Russia’s Victory Day, a key date for propaganda. Analysts suggest this reappearance may be more about reestablishing relevance than executing a specific anti-Ukraine operation. Cyber experts note that Killnet now seems less ideologically driven and more like a for-hire cybercrime group seeking reputation and profit. Researchers view the heavily publicized activity as potentially part of a broader Russian information operation, especially amid ongoing diplomatic efforts involving the U.S., Russia, and Ukraine.

(The Record)

Fake VPN and browser NSIS installers used to deliver Winos 4.0 malware

Researchers at Rapid7 are warning of a malware campaign that “uses fake software installers masquerading as popular tools like LetsVPN and QQ Browser to deliver the Winos 4.0 framework.” This campaign, which was first detected by Rapid7 in February 2025, “involves the use of a multi-stage, memory-resident loader called Catena.” The company says, “the attacks appear to focus specifically on Chinese-speaking environments, with the cybersecurity company calling out the careful, long-term planning by a very capable threat actor.”

(The Hacker News)

European Endgame operation takes down key ransomware infrastructure

Operation ENDGAME refers to a campaign coordinated by Europol and Eurojust, the European Union Agency for Criminal Justice Cooperation. It ran from May 19 to 22, took down 300 servers and 650 domains, and issued 20 international arrest warrants. Agents from numerous EU countries, along with the U.S., UK and Canada, helped with this investigation, which started in 2024 and culminated in the May takedowns. Authorities also seized €3.5M in cryptocurrency. The operation targeted initial access malware used by threat actors to infiltrate systems prior to ransomware deployment.

(Security Affairs)

Huge thanks to our sponsor, ThreatLocker

ThreatLocker® is a global leader in Zero Trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit ThreatLocker.com/CISO.

AI-generated TikTok videos push ClickFix attacks

As described by researchers at Trend Micro, cybercriminals are “using TikTok videos to trick users into infecting themselves with Vidar and StealC information-stealing malware through ClickFix attacks.” The messages aim to get viewers to run commands that promise to activate Windows and Microsoft Office, along with premium features in some legitimate software brands such as CapCut and Spotify. The videos are all very similar in design and narration and appear to be largely AI-generated. One of these videos, which claims to provide instructions on how to “boost your Spotify experience instantly,” has reached almost 500,000 views, with over 20,000 likes.

(BleepingComputer)

Luna Moth extortion attacks targeting law firms, says FBI

The FBI has issued a warning about an extortion gang named Silent Ransom Group, which has been targeting U.S. law firms over the last two years, using callback phishing and social engineering attacks. This group is also known as Luna Moth, known for conducting BazarCall campaigns that provided initial access to corporate networks for Ryuk and Conti ransomware attacks. The FBI describes their attack style as “directing an employee to join a remote access session, either through an email sent to them, or navigating to a web page. Once the employee grants access to their device, they are told that work needs to be done overnight.”

(BleepingComputer)

Qakbot leader indicted in U.S.

The Russian national, Rustam Rafailevich Gallyamov, 48, is allegedly the individual who developed, deployed, and controlled the Qakbot malware since its start in 2008. According to the newly unsealed indictment, the Qakbot gang “infected hundreds of thousands of computers worldwide, ensnaring them in a botnet.” The victim organizations spanned industries including healthcare, insurance, manufacturing, marketing, music, real estate, technology, and telecommunications. “Gallyamov and his co-conspirators allegedly sold access to Qakbot-infected machines to other cybercriminals, who deployed ransomware families such as Black Basta, Cactus, Conti, and REvil.”

(Security Week)

Google Chrome extension updates breached passwords with one click

A new feature in the Chrome browser lets its built-in Password Manager automatically change a user’s password when it detects the credentials to be compromised. According to its designers, “When Chrome detects a compromised password during sign in, Google Password Manager prompts the user with an option to fix it automatically…generating a strong replacement and updating the password for the user automatically.” Google says the feature has not yet been formally launched for end users, and that it is “mainly geared towards developers so they can optimize their websites for once the feature launches.” Google added that the goal of this feature is to “reduce friction and help users keep their accounts secure without having to search for relevant account settings or abandon the process midway.”

(The Hacker News)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.