June 23, 2025 Cyber Threat Intelligence Briefing

Jun 23, 2025

This week’s briefing covers:

00:00 - Intro and Situational Awareness

New MORE_EGGS campaign continues recruiting themes
KTA032 (FIN6) has begun a new campaign using the MORE_EGGS JavaScript backdoor, continuing its established theme of fake résumés that lead to malware deployment. The actor engages with an organization's recruiters and then sends emails that point to a malicious domain, often built from the fake applicant's first and last name. The site on that domain uses several defense evasion techniques to prevent automated analysis tools from scanning it.

02:00 [CAMPAIGN] Reports of KTA243 (Scattered Spider) Attacks on Insurers
Key Takeaways

  • A post on X from a member of Google’s Threat Intelligence Group states that Scattered Spider (tracked by Kroll as KTA243) might now be targeting the insurance industry.
  • KTA243’s partnership with the rebranded ransomware cartel KTA276 (DragonForce) has amplified its capabilities. This collaboration has already resulted in significant breaches and is expected to fuel further attacks in the insurance sector.
  • KTA243 continues to leverage social engineering techniques to gain initial access. Similar tactics are also being used by other threat groups to target the finance and insurance industry, such as KTA407 (Luna Moth).

04:10 [GEOPOLITICAL] Iran-Israel Conflict Update: Cyber Implications
Key Takeaways

  • The conflict between Iran and Israel has escalated, involving airstrikes, missile exchanges and drone activity from both sides.
  • Cyberattacks targeting Israel have significantly increased, affecting sectors such as government, finance, telecommunications and energy.
  • Multiple cyber groups, including KTA193 and KTA310, have been linked to recent operations, with concerns about broader regional and global cyber impacts.

06:38 [VULNERABILITY] Critical Veeam Backup and Replication Vulnerability - CVE-2025-23121

07:54 [VULNERABILITY] Critical SiteCore Vulnerabilities
Vulnerability researchers at watchTowr have disclosed an exploit chain in the Sitecore Experience Platform that can be trivially exploited to gain remote code execution. A full technical breakdown of the exploit chain is available on the watchTowr blog.

[VULNERABILITY] Critical Cisco ISE Vulnerability in Cloud Deployments
A vulnerability affecting Cisco Identity Services Engine (ISE) deployments on Amazon Web Services (AWS), Microsoft Azure and Oracle Cloud Infrastructure (OCI) has been identified, with a Critical CVSS score of 9.9. It could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations or disrupt services on affected systems.

10:21 [RANSOMWARE] KTA336 (FOG) Ransomware Uses Unconventional Tools
Key Takeaways

  • The attackers employed SYTECA, a legitimate employee monitoring software, and GC2, a penetration testing tool that uses Google Sheets and SharePoint for command execution and data exfiltration—both rarely seen in ransomware operations.
  • The attackers maintained access to the network after deploying the ransomware, suggesting the ransomware may have been a decoy for espionage rather than a purely financial attack.
  • The breach occurred through vulnerable Microsoft Exchange servers, and the attackers remained undetected for two weeks before launching the ransomware.
  • The attackers attempted to delete evidence of their activity, and SYTECA may have been used for surveillance or data theft.
  • This tactic aligns with previous incidents involving Chinese nation-state actors, where ransomware was used to mask espionage operations.
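The GC2 tradecraft above (tasking and exfiltration over Google Sheets and SharePoint) is a useful hunting hook: those services are normal traffic for a browser or Office application, but not for an arbitrary binary. The script below is an added example written for this briefing, not Kroll's code or a GC2 artifact. It assumes endpoint network telemetry exported as (host, process, destination host) records, and the destination hostnames, the expected-process allow list and the sample records are all constructed assumptions, not indicators taken from the incident.

```python
"""Hunt for GC2-style C2 over Google Sheets / SharePoint in endpoint network telemetry.

Added example, not Kroll's code. Input is assumed to be a list of dicts with
'host', 'process' and 'dest_host' keys, e.g. exported from an EDR network-event table.
"""
from collections import defaultdict

# Services GC2 is reported to use for tasking and exfiltration. These hostnames
# are an assumption for the example, not indicators from the briefing.
SUSPECT_DOMAINS = ("sheets.googleapis.com", "docs.googleapis.com", "sharepoint.com")

# Processes for which traffic to those services is expected. Assumed allow list;
# tune it to your own estate (add your browser/Office/sync binaries here).
EXPECTED_PROCESSES = {
    "chrome.exe", "msedge.exe", "firefox.exe",
    "excel.exe", "winword.exe", "outlook.exe", "onedrive.exe", "teams.exe",
}


def is_suspect_domain(dest_host):
    """True if dest_host is one of the suspect services or a subdomain of one."""
    dest_host = dest_host.lower().rstrip(".")
    return any(dest_host == d or dest_host.endswith("." + d) for d in SUSPECT_DOMAINS)


def find_gc2_candidates(records):
    """Return {(host, process): [dest_hosts]} for unexpected binaries reaching Sheets/SharePoint."""
    hits = defaultdict(set)
    for rec in records:
        proc = rec["process"].lower()
        if is_suspect_domain(rec["dest_host"]) and proc not in EXPECTED_PROCESSES:
            hits[(rec["host"], proc)].add(rec["dest_host"].lower())
    return {key: sorted(dests) for key, dests in hits.items()}


# Constructed sample telemetry for the example (not real incident data).
SAMPLE_RECORDS = [
    {"host": "WS-017", "process": "chrome.exe", "dest_host": "sheets.googleapis.com"},
    {"host": "WS-017", "process": "EXCEL.EXE", "dest_host": "contoso.sharepoint.com"},
    {"host": "WS-042", "process": "svc_monitor.exe", "dest_host": "sheets.googleapis.com"},
    {"host": "WS-042", "process": "svc_monitor.exe", "dest_host": "contoso.sharepoint.com"},
    {"host": "SRV-EXCH01", "process": "w3wp.exe", "dest_host": "sheets.googleapis.com"},
    {"host": "WS-099", "process": "powershell.exe", "dest_host": "www.google.com"},
]


if __name__ == "__main__":
    for (host, proc), dests in find_gc2_candidates(SAMPLE_RECORDS).items():
        print(f"{host}: {proc} -> {', '.join(dests)}")
```

Run on the constructed sample, this flags the unknown service binary on WS-042 and the IIS worker process on the Exchange server, and ignores the browser and Excel traffic. A legitimate monitoring agent such as SYTECA would also surface here if it reaches these services, which is the point: the review step is to confirm each flagged binary is deployed and expected, not to treat the alert as confirmation of compromise.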

Dive deeper:

Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/cti-spotlight-trends-report

Kroll’s Q3 2024 Threat Landscape Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q3-2023-threat-landscape-report-social-engineering

Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: Cyber Threat Intelligence Briefings

Kroll Cyber Blog: https://www.kroll.com/en/insights/publications/cyber

Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber-risk/managed-security/threat-intelligence-services

Kroll Threat Intelligence Reports: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports

Kroll Responder MDR: https://www.kroll.com/en/services/cyber-risk/managed-security/kroll-responder

#krollcyber #threatintelligence #cyberthreats