Zscaler ThreatLabz researchers recently uncovered AI-themed websites designed to spread malware like Vidar, Lumma & Legion Loader. Threat actors are using Black Hat SEO to poison search engine rankings for AI keywords to spread malware. https://www.zscaler.com/blogs/security-research/black-hat-seo-poisoning-search-engine-results-ai-distribute-malware

Trellix researchers Nico Paulo Yturriaga & Pham Duy Phuc uncovered an APT malware campaign that targets the energy, oil and gas sector through phishing attacks and the exploitation of Microsoft ClickOnce. https://www.trellix.com/blogs/research/oneclik-a-clickonce-based-apt-campaign-targeting-energy-oil-and-gas-infrastructure/

IBM X-Force researchers Golo Mühr & Joshua Chung discovered China-aligned threat actor Hive0154 spreading Pubload malware, featuring lure documents and filenames targeting the Tibetan community. https://www.ibm.com/think/x-force/hive0154-mustang-panda-shifts-focus-tibetan-community-deploy-pubload-backdoor

G Data's Lance Go & Karsten Hahn show how threat actors abuse ConnectWise to build and distribute their own signed malware, and look at what security vendors can do to detect them. https://www.gdatasoftware.com/blog/2025/06/38218-connectwise-abuse-malware

Palo Alto Networks Unit 42 researchers identified a wave of Prometei Linux attacks. This malware family, which includes both Linux and Windows variants, allows attackers to remotely control compromised systems for cryptocurrency mining and credential theft. https://unit42.paloaltonetworks.com/prometei-botnet-2025-activity/

NICTER presents details from a paper presented by its CSRI Analysis Team at Botconf, in which they looked at the DVR botnet ecosystem, as well as the latest developments regarding RapperBot. https://blog.nicter.jp/2025/06/rapperbot_2025_2g/

Proofpoint researchers analyse Amatera Stealer, a rebranded ACR Stealer with improved anti-analysis features. Amatera Stealer, which is sold as a malware-as-a-service (MaaS), is actively in development. https://www.proofpoint.com/us/blog/threat-insight/amatera-stealer-rebranded-acr-stealer-improved-evasion-sophistication

Trend Micro uncovers an active campaign exploiting CVE-2025-3248 in Langflow versions before 1.3.0 that deploys the Flodrix botnet, enabling threat actors to achieve full system compromise, initiate DDoS attacks, and potentially exfiltrate sensitive data. https://www.trendmicro.com/en_us/research/25/f/langflow-vulnerability-flodric-botnet.html

Red Canary researchers analyse a Mocha Manakin activity cluster that delivers NodeJS backdoor via Clickfix/fakeCAPTCHA. This leads to a number of payloads delivered following successful paste and run execution, including LummaC2, HijackLoader, Vidar, and more. https://redcanary.com/blog/threat-intelligence/mocha-manakin-nodejs-backdoor/