SafePay is a rapidly emerging ransomware group with a unique closed model, demonstrating high operational tempo and claiming 73 victims in June 2025 alone, targeting mid-size to enterprise organizations across multiple sectors with rapid encryption capabilities. The group operates a non-affiliate model, retaining full control and profits, and uses distinct key management despite code similarities to other ransomware groups.
ThreatFabric has identified RatOn, a sophisticated Android trojan that combines banking RAT capabilities, NFC relay attacks, and cryptocurrency wallet theft, targeting Czech and Slovak users with potential for future expansion. It uses a multi-stage delivery to gain Accessibility Service and Device Admin privileges, performing automated money transfers and overlay attacks.
Cloudflare experienced a significant data breach via a supply chain attack on its Salesforce integration, exposing customer support data and credentials to a threat actor known as GRUB1. The breach highlights the need for securing third-party integrations and robust credential management practices.
Cybersecurity researchers report a significant surge in network scanning activity targeting Cisco ASA devices, with two major spikes involving up to 25,000 unique source IPs, raising concern that a vulnerability may be exploited before it is publicly disclosed. Defenders are advised to apply updates, enforce MFA, and block the identified indicators.
A cyberattack severely disrupted Jaguar Land Rover's global IT systems, forcing production halts and staff stand-downs, with English-speaking cybercriminals claiming responsibility and alleged data exfiltration via Telegram. The incident aligns with a trend of similar attacks on other high-profile British entities by English-speaking hackers.
A widespread campaign, attributed to suspected ShinyHunters, exploited OAuth tokens from Salesloft Drift's Salesforce integration, leading to mass exfiltration of customer data from multiple organizations, with attackers actively scanning exfiltrated data for credentials. Affected organizations are advised to revoke Salesloft Drift access and review login/API access logs for suspicious activity.
The U.S. Treasury Department sanctioned 19 individuals and organizations operating major cyberscam hubs in Burma and Cambodia, highlighting a significant increase in financial losses to Americans and the use of forced labor, with operations relying on modern slavery tactics to coerce workers into perpetrating online fraud. The sanctions aim to disrupt industrial-scale fraud and human rights abuses.
Researchers have developed a novel and highly effective exploitation method for the Linux kernel use-after-free vulnerability, significantly increasing its practical threat: the method bypasses kernel hardening and chains advanced primitives to obtain information leaks and arbitrary read/write. This approach poses a major threat to modern Linux systems and makes prompt patching urgent.
Researchers discovered two malicious npm packages using Ethereum smart contracts for C2, a new tactic in attacks on the open source ecosystem: hosting malicious commands in smart contracts makes the C2 channel harder to detect and take down. The campaign involved extensive GitHub deception, with fabricated repositories and fake activity to lure developers.
APT37 has evolved its toolset and tactics for stealthier operations, introducing a newly identified Rust-compiled backdoor and a Python-based loader that uses Process Doppelgänging for fileless injection. The group's malware components are orchestrated by a single, lightweight PHP-based C2 server, streamlining command delivery and data exfiltration.