Virus Bulletin

@VirusBulletin@infosec.exchange
2.5K Followers
57 Following
1.9K Posts
Security information portal, testing and certification body.
Organisers of the annual Virus Bulletin conference.
Fortinet's Xiaopeng Zhang and John Simmons provide a detailed examination of a Havoc variant involved in a long-term cyber intrusion targeting critical national infrastructure in the Middle East. https://www.fortinet.com/blog/threat-research/dissecting-a-malicious-havoc-sample
Recorded Future researchers analyse a new version of DRAT in a TAG-140 (overlaps with SideCopy) campaign targeting Indian government organizations. DRAT V2 updates its custom TCP-based, server-initiated C2 protocol & expands functional capabilities. https://www.recordedfuture.com/research/drat-v2-updated-drat-emerges-tag-140s-arsenal
Check Point Research look into an ongoing spear-phishing campaign targeting Israeli journalists, high-profile cybersecurity experts, and computer science professors from leading Israeli universities. https://research.checkpoint.com/2025/iranian-educated-manticore-targets-leading-tech-academics/

A little taste of what’s coming up at VB2025 🎬

We can’t wait to see so many of you in Berlin this September.

If you haven’t registered yet, now’s the time: Early Bird ends this week 🎟️

Secure your place now 👉https://tinyurl.com/4ujjvf7v

#vb2025 #cybersecurity #berlin

Zscaler ThreatLabz researchers recently uncovered AI-themed websites designed to spread malware like Vidar, Lumma & Legion Loader. Threat actors are using Black Hat SEO to poison search engine rankings for AI keywords to spread malware. https://www.zscaler.com/blogs/security-research/black-hat-seo-poisoning-search-engine-results-ai-distribute-malware
Trellix researchers Nico Paulo Yturriaga & Pham Duy Phuc uncovered an APT malware campaign that targets the energy, oil and gas sector through phishing attacks and the exploitation of Microsoft ClickOnce. https://www.trellix.com/blogs/research/oneclik-a-clickonce-based-apt-campaign-targeting-energy-oil-and-gas-infrastructure/
IBM X-Force researchers Golo Mühr & Joshua Chung discovered China-aligned threat actor Hive0154 spreading Pubload malware, featuring lure documents and filenames targeting the Tibetan community. https://www.ibm.com/think/x-force/hive0154-mustang-panda-shifts-focus-tibetan-community-deploy-pubload-backdoor
G Data's Lance Go & Karsten Hahn show how threat actors abuse ConnectWise to build and distribute their own signed malware, and look at what security vendors can do to detect them. https://www.gdatasoftware.com/blog/2025/06/38218-connectwise-abuse-malware
Palo Alto Networks Unit 42 researchers identified a wave of Prometei Linux attacks. This malware family, which includes both Linux and Windows variants, allows attackers to remotely control compromised systems for cryptocurrency mining and credential theft. https://unit42.paloaltonetworks.com/prometei-botnet-2025-activity/
NICTER presents details from a paper presented by its CSRI Analysis Team at Botconf, in which they looked at the DVR botnet ecosystem, as well as the latest developments regarding RapperBot. https://blog.nicter.jp/2025/06/rapperbot_2025_2g/
Trend Micro uncovers an active campaign exploiting CVE-2025-3248 in Langflow versions before 1.3.0 that deploys the Flodrix botnet, enabling threat actors to achieve full system compromise, initiate DDoS attacks, and potentially exfiltrate sensitive data. https://www.trendmicro.com/en_us/research/25/f/langflow-vulnerability-flodric-botnet.html